@@ -3193,6 +3193,19 @@ options_set_backwards_compatible_options(struct options *o)
}
}
+ /* Versions < 2.4.0 additionally might be compiled with --enable-small and
+ * not have OCC strings required for "poor man's NCP" */
+ if (need_compatibility_before(o, 20400))
+ {
+ if (!o->ciphername)
+ {
+ /* If ciphername is not set default to BF-CBC when targeting these
+ * old versions that do not have NCP */
+ o->ciphername = "BF-CBC";
+ }
+ o->enable_ncp_fallback = true;
+ }
+
/* Versions < 2.5.0 do need --cipher in the list of accepted ciphers.
* Version 2.4 might probably does not need it but NCP was not so
* good with 2.4 and ncp-disable might be more common on 2.4 peers.
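Review bot: The new default on the `o->ciphername = "BF-CBC";` line silently picks a 64-bit block cipher whenever the compatibility target is a pre-2.4.0 peer and no `--cipher` was given; unless the later OpenSSL 3 legacy-provider check fails, nothing tells the operator that the configuration was downgraded to BF-CBC. A warning next to the assignment would make the fallback visible, e.g. `msg(M_WARN, "WARNING: --cipher not set, defaulting to BF-CBC for compatibility with peers older than 2.4.0");`, and the comment above it could state the reason for this particular choice (BF-CBC is presumably the pre-2.4 default cipher — worth confirming in the comment). The second hunk only removes the block that moved here and needs no separate note. The enclosing function `options_set_backwards_compatible_options` starts before and continues after this hunk.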
@@ -3205,13 +3218,6 @@ options_set_backwards_compatible_options(struct options *o)
append_cipher_to_ncp_list(o, o->ciphername);
}
- /* Versions < 2.4.0 additionally might be compiled with --enable-small and
- * not have OCC strings required for "poor man's NCP" */
- if (o->ciphername && need_compatibility_before(o, 20400))
- {
- o->enable_ncp_fallback = true;
- }
-
/* Compression is deprecated and we do not want to announce support for it
* by default anymore, additionally DCO breaks with compression.
*
When we try to make a configuration compatible with a version earlier than 2.4.0 we probably need to have a --cipher configured since NCP is not available. In configurations where --cipher is not specified we default to BF-CBC to support these old clients. Note that with OpenSSL 3.0 you will also need to enable the legacy provider, otherwise we bail out since BF-CBC is no longer supported. Also move the condition so BF-CBC gets included in the data-ciphers list. Signed-off-by: Arne Schwabe <arne@rfc2549.org> --- src/openvpn/options.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-)