From patchwork Wed Oct 6 07:06:44 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1979
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 6 Oct 2021 20:06:44 +0200
Message-Id: <20211006180644.3081219-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
Subject: [Openvpn-devel] [PATCH] Default to --cipher BF-CBC if not set and compat-mode < 2.4.0

When we try to make a configuration compatible with a version earlier than 2.4.0 we probably need to have a --cipher configured since NCP is not available. In configurations where --cipher is not specified we default to BF-CBC to support these old clients.

Note that with OpenSSL 3.0 you will also need to enable the legacy provider, otherwise we bail out since BF-CBC is no longer supported.

Also move the condition so BF-CBC gets included in the data-ciphers list.
Signed-off-by: Arne Schwabe --- src/openvpn/options.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index e82ff2e7b..035995d78 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3193,6 +3193,19 @@ options_set_backwards_compatible_options(struct options *o) } } + /* Versions < 2.4.0 additionally might be compiled with --enable-small and + * not have OCC strings required for "poor man's NCP" */ + if (need_compatibility_before(o, 20400)) + { + if (!o->ciphername) + { + /* If ciphername is not set default to BF-CBC when targeting these + * old versions that do not have NCP */ + o->ciphername = "BF-CBC"; + } + o->enable_ncp_fallback = true; + } + /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers. * Version 2.4 might probably does not need it but NCP was not so * good with 2.4 and ncp-disable might be more common on 2.4 peers. @@ -3205,13 +3218,6 @@ options_set_backwards_compatible_options(struct options *o) append_cipher_to_ncp_list(o, o->ciphername); } - /* Versions < 2.4.0 additionally might be compiled with --enable-small and - * not have OCC strings required for "poor man's NCP" */ - if (o->ciphername && need_compatibility_before(o, 20400)) - { - o->enable_ncp_fallback = true; - } - /* Compression is deprecated and we do not want to announce support for it * by default anymore, additionally DCO breaks with compression. *
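Review bot: the new `if (!o->ciphername)` block in the first hunk silently sets `o->ciphername = "BF-CBC"`, a 64-bit block cipher, whenever compat-mode targets a version below 2.4.0, and the commit message itself says this makes startup fail on OpenSSL 3.0 unless the legacy provider is enabled; log the default at the point of assignment (for example with `msg(M_WARN, ...)`, as options.c already does for other compatibility adjustments) so operators can see from the log that BF-CBC was chosen because of compat-mode rather than configured explicitly. Placing this block ahead of the `Versions < 2.5.0` block is also what lets `append_cipher_to_ncp_list(o, o->ciphername)` pick up the defaulted cipher, which is the "move the condition" sentence of the commit message; a one-line mention of that ordering dependency in the new comment would keep a later refactor from reordering the two blocks.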
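Review bot: the block deleted in the second hunk carried an explicit `o->ciphername &&` guard before setting `o->enable_ncp_fallback`; its replacement in the first hunk drops that guard and relies on the default assignment a few lines above it to guarantee a non-NULL `ciphername`. That holds as the patch stands, but the guarantee is only implicit, so either add a sentence to the new block's comment stating that `enable_ncp_fallback` is set only after `ciphername` has been given a value, or keep the guard as a cheap check so the two statements cannot drift apart.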