Menu
▾
▴
Re: [Openvpn-devel] [PATCH] Fix client's poor man NCP fallback
|
From: Rafael G. <ga...@gm...> - 2020-08-30 00:43:09
|
Hi Gert, Actually, I was testing Samuli's 2.5-beta2 installer from the link below: Note sure if it's with the patch for data-ciphers but I guess so. I'll pull the 2.5-beta2 code and build it in order to check if it's working properly. https://build.openvpn.net/downloads/releases/OpenVPN-2.5-beta2-I601-amd64.msi Moreover, please see the comments inline... Please let me know if you need anything else. BR Gava On Sat, Aug 29, 2020 at 4:47 PM Gert Doering <ge...@gr...> wrote: > Hi, > > On Sat, Aug 29, 2020 at 04:19:07PM -0300, Rafael Gava wrote: > > This thread has a could days but I'm testing the version 2.5-beta2 and > I'm > > getting the following error: > > > > 2020-08-29 16:02:53 us=643016 OPTIONS ERROR: failed to negotiate cipher > > with server. Add the server's cipher ('BF-CBC') to --data-ciphers > > (currently 'BF-CBC') if you want to connect to this server. > > Which combination of client/server is this exactly? 2.5-beta2 on > the client, what is on the server? Can we have some more log file, > including the "PUSH_REPLY", please? > > The server version is 2.3.18. The client: 2020-08-29 16:02:50 us=235805 OpenVPN 2.5_beta2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Aug 27 2020 2020-08-29 16:02:50 us=235805 Windows version 10.0 (Windows 10 or greater) 64bit 2020-08-29 16:02:50 us=235805 library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10 And, if this is on windows, please make sure it's really "beta2" - the > installer will not replace openvpn.exe when going from beta1 to beta2, > so you might run an 2.5_beta1 openvpn.exe. > > [..] > > I know that you guys are trying to get rid of the BF-CBC but my question > > is, should it still work if we set these parameters in the config file or > > am I missing or doing something wrong? :-) > > It definitely should work. > > It does work for my test bed, but I am not testing "2.5 client against > 'some old server'" yet - only the other way round, 2.2/2.3/2.4/2.5 client > against 2.5 server. It needs "data-ciphers BF-CBC" (or "cipher BF-CBC") > to be added to the config for non-NCP combinations, but afterwards > it works. > > I falled back to the 2.5-beta1 using the same configuration and it worked. Attached are both logs and the client config. > gert > -- > "If was one thing all people took for granted, was conviction that if you > feed honest figures into a computer, honest figures come out. Never > doubted > it myself till I met a computer with a sense of humor." > Robert A. Heinlein, The Moon is a Harsh > Mistress > > Gert Doering - Munich, Germany > ge...@gr... > |
