[Openvpn-devel,7/9] Avoid sending --cipher to clients not supporting NCP

Message ID 20200717134739.21168-7-arne@rfc2549.org
State Accepted
Delegated to: Gert Doering
Headers show
Series [Openvpn-devel,1/9] Indicate that a client is in pull mode in IV_PROTO | expand

Commit Message

Arne Schwabe July 17, 2020, 3:47 a.m. UTC
The NCP rework introduced a regression of sending a --cipher
command as part of the push message when the client does not
support NCP. This is is more a cosmetic issue since the client
will log that as warning in the log and ignore it.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
 src/openvpn/push.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)


Gert Doering July 21, 2020, 9:41 p.m. UTC | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

Verify by staring at the testbed.  2.2/2.3 clients or 2.4 or master
with --ncp-disable won't get cipher pushed, the rest will.


Your patch has been applied to the master branch.

commit 4b59e2644a978074f0eed492d6541ba7b30b01a7
Author: Arne Schwabe
Date:   Fri Jul 17 15:47:37 2020 +0200

     Avoid sending --cipher to clients not supporting NCP

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20200717134739.21168-7-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20437.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>

kind regards,

Gert Doering


diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 2183b74a..1c4f2033 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -472,9 +472,15 @@  prepare_push_reply(struct context *c, struct gc_arena *gc,
      * Push the selected cipher, at this point the cipher has been
-     * already negotiated and been fixed
+     * already negotiated and been fixed.
+     *
+     * We avoid pushing the cipher to clients not supporting NCP
+     * to avoid error messages in their logs
-    push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
+    if (tls_peer_supports_ncp(c->c2.tls_multi->peer_info))
+    {
+        push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
+    }
     return true;