[Openvpn-devel] Default to --cipher BF-CBC if not set and compat-mode < 2.4.0

Message ID 20211006180644.3081219-1-arne@rfc2549.org
State New
Series
  • [Openvpn-devel] Default to --cipher BF-CBC if not set and compat-mode < 2.4.0

Commit Message

Arne Schwabe Oct. 6, 2021, 6:06 p.m.
When we try to make a configuration compatible with a version earlier
than 2.4.0 we probably need to have a --cipher configured, since NCP
is not available. In configurations where --cipher is not specified
we default to BF-CBC to support these old clients.

Note that with OpenSSL 3.0 you will also need to enable the legacy
provider; otherwise we bail out, since BF-CBC is no longer supported.

Also move the condition so BF-CBC gets included in the data-ciphers
list.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/options.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

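As an added illustration of what the behaviour described in the commit message means for an operator (this is not part of the patch and not the OpenVPN project's own documentation), the fragment below shows a server configuration that will hit the new BF-CBC default next to one that avoids it. The option names `compat-mode`, `providers`, `cipher` and `data-ciphers` are assumed to be the ones OpenVPN 2.6 accepts; the version numbers and cipher lists are constructed for the example.

```conf
# Constructed example, not from the patch.
#
# Case 1: targeting a pre-2.4.0 peer with no --cipher set. After this
# patch the server silently defaults to BF-CBC and adds it to the
# data-ciphers list; on OpenSSL 3.0 it then refuses to start unless the
# legacy provider is loaded, which is what the second line does.
compat-mode 2.3.0
providers legacy default

# Case 2 (preferred): say explicitly which cipher the old peer uses so
# the BF-CBC fallback is never reached. AES-256-CBC is understood by
# 2.3.x peers and needs no legacy provider; newer peers still negotiate
# one of the GCM ciphers through NCP.
#compat-mode 2.3.0
#cipher AES-256-CBC
#data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
```

The point of the second variant is that `--compat-mode` only fills in BF-CBC when `--cipher` is absent, so naming a cipher yourself keeps the compatibility shim while opting out of a 64-bit block cipher.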
Patch

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index e82ff2e7b..035995d78 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -3193,6 +3193,19 @@  options_set_backwards_compatible_options(struct options *o)
         }
     }
 
+    /* Versions < 2.4.0 additionally might be compiled with --enable-small and
+     * not have OCC strings required for "poor man's NCP" */
+    if (need_compatibility_before(o, 20400))
+    {
+        if (!o->ciphername)
+        {
+            /* If ciphername is not set default to BF-CBC when targeting these
+             * old versions that do not have NCP */
+            o->ciphername = "BF-CBC";
+        }
+        o->enable_ncp_fallback = true;
+    }
+    
     /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers.
      * Version 2.4 might probably does not need it but NCP was not so
      * good with 2.4 and ncp-disable might be more common on 2.4 peers.
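Review bot: the blank line closing the new block (`+    ` after the `}` at the end of the `need_compatibility_before(o, 20400)` branch) carries trailing whitespace and will be flagged by whitespace checks; make it an empty `+` line. While here, consider logging when `o->ciphername` is silently set to `"BF-CBC"` (an `msg(M_WARN, ...)` next to the assignment), because the commit message notes this now requires the OpenSSL 3.0 legacy provider and a user who never wrote `--cipher` will otherwise only see the later bail-out without learning that `--compat-mode` introduced the cipher.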
@@ -3205,13 +3218,6 @@  options_set_backwards_compatible_options(struct options *o)
         append_cipher_to_ncp_list(o, o->ciphername);
     }
 
-    /* Versions < 2.4.0 additionally might be compiled with --enable-small and
-     * not have OCC strings required for "poor man's NCP" */
-    if (o->ciphername && need_compatibility_before(o, 20400))
-    {
-        o->enable_ncp_fallback = true;
-    }
-
     /* Compression is deprecated and we do not want to announce support for it
      * by default anymore, additionally DCO breaks with compression.
      *
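Review bot: dropping the `o->ciphername &&` guard is sound only because the moved block above the `< 2.5.0` check now guarantees `o->ciphername` is non-NULL for pre-2.4.0 targets, so `append_cipher_to_ncp_list(o, o->ciphername)` picks up BF-CBC as the commit message intends; a one-line comment at the new location saying that the guard is no longer needed would save the next reader from re-deriving that. Since the patch already reorders the code around it, the unchanged comment "Version 2.4 might probably does not need it" should be reworded to "Version 2.4 probably does not need it" in the same change.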