| 1 | diff --git a/src/openvpn/push.c b/src/openvpn/push.c |
|---|
| 2 | index 000c82f..4bdede9 100644 |
|---|
| 3 | --- a/src/openvpn/push.c |
|---|
| 4 | +++ b/src/openvpn/push.c |
|---|
| 5 | @@ -321,12 +321,23 @@ prepare_push_reply (struct options *o, struct tls_multi *tls_multi) |
|---|
| 6 | /* Push cipher if client supports Negotiable Crypto Parameters */ |
|---|
| 7 | if (tls_peer_info_ncp_ver (peer_info) >= 2 && o->ncp_enabled) |
|---|
| 8 | { |
|---|
| 9 | + /* if we have already created our key, we cannot change our own |
|---|
| 10 | + * cipher, so disable NCP and warn = explain why |
|---|
| 11 | + */ |
|---|
| 12 | + struct tls_session *session = &tls_multi->session[TM_ACTIVE]; |
|---|
| 13 | + if ( session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized ) |
|---|
| 14 | + { |
|---|
| 15 | + msg( M_INFO, "PUSH: client wants to negotiate cipher (NCP), but server has already generated data channel keys, ignoring client request" ); |
|---|
| 16 | + } |
|---|
| 17 | + else |
|---|
| 18 | + { |
|---|
| 19 | /* Push the first cipher from --ncp-ciphers to the client. |
|---|
| 20 | * TODO: actual negotiation, instead of server dictatorship. */ |
|---|
| 21 | char *push_cipher = string_alloc(o->ncp_ciphers, &o->gc); |
|---|
| 22 | o->ciphername = strtok (push_cipher, ":"); |
|---|
| 23 | push_option_fmt(o, M_USAGE, "cipher %s", o->ciphername); |
|---|
| 24 | } |
|---|
| 25 | + } |
|---|
| 26 | return true; |
|---|
| 27 | } |
|---|
| 28 | |
|---|
