From patchwork Fri Nov 5 15:07:42 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [Openvpn-devel,v2] Default to --cipher BF-CBC if not set and compat-mode < 2.4.0 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2057 Message-Id: <20211105150742.2909443-1-arne@rfc2549.org> To: openvpn-devel@lists.sourceforge.net Date: Fri, 5 Nov 2021 16:07:42 +0100 From: Arne Schwabe List-Id: When we try to make a configuration compatible to a version earlier than 2.4.0 we probably need to have a --cipher configured since NCP is not available. In configuration where --cipher is not specified we default to BF-CBC to support these old clients. Note that with OpenSSL 3.0 you will also need to enable the legacy provider otherwise we bail out since BF-CBC is no longer supported. Also move the condition so BF-CBC gets included in the data-ciphers list. Patch v2: move the comment to a better place. Signed-off-by: Arne Schwabe Reviewed-by: Antonio Quartulli Acked-by: Antonio Quartulli --- src/openvpn/options.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 4dc70e4f3..6751084af 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3186,6 +3186,19 @@ options_set_backwards_compatible_options(struct options *o) } } + if (need_compatibility_before(o, 20400)) + { + if (!o->ciphername) + { + /* If ciphername is not set default to BF-CBC when targeting these + * old versions that do not have NCP */ + o->ciphername = "BF-CBC"; + } + /* Versions < 2.4.0 additionally might be compiled with --enable-small and + * not have OCC strings required for "poor man's NCP" */ + o->enable_ncp_fallback = true; + } + /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers. * Version 2.4 might probably does not need it but NCP was not so * good with 2.4 and ncp-disable might be more common on 2.4 peers. 
@@ -3198,13 +3211,6 @@ options_set_backwards_compatible_options(struct options *o) append_cipher_to_ncp_list(o, o->ciphername); } - /* Versions < 2.4.0 additionally might be compiled with --enable-small and - * not have OCC strings required for "poor man's NCP" */ - if (o->ciphername && need_compatibility_before(o, 20400)) - { - o->enable_ncp_fallback = true; - } - #ifdef USE_COMP /* Compression is deprecated and we do not want to announce support for it * by default anymore, additionally DCO breaks with compression.
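Review bot: in the first hunk (the new `if (need_compatibility_before(o, 20400))` block), `o->ciphername = "BF-CBC";` is applied silently. Since the commit message itself says BF-CBC is no longer supported by OpenSSL 3.0 without the legacy provider and that the process will bail out later, an operator who only set `--compat-mode` will see a cipher failure with no hint that BF-CBC was implied rather than configured. Suggest emitting a warning-level log line at the point of the assignment (for example via `msg(M_WARN, ...)`) stating that `--cipher BF-CBC` is being assumed for pre-2.4.0 compatibility and that the legacy provider is required on OpenSSL 3.0, so the later error is attributable to this default.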
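Review bot: the second hunk's removal changes the gate on `enable_ncp_fallback`, not only its position, and the commit message does not say so. The removed code set `o->enable_ncp_fallback = true` only when `o->ciphername && need_compatibility_before(o, 20400)`; the relocated block sets it for every pre-2.4.0 compat target. That is equivalent only because the new block guarantees `o->ciphername` is non-NULL just before, so please state in the commit message that the `o->ciphername` condition was dropped deliberately, and keep the two statements adjacent in future changes so the invariant is not broken by a later edit that moves the `BF-CBC` default elsewhere.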