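diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 000c82f..4bdede9 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -321,12 +321,23 @@ prepare_push_reply (struct options *o, struct tls_multi *tls_multi)
 /* Push cipher if client supports Negotiable Crypto Parameters */
 if (tls_peer_info_ncp_ver (peer_info) >= 2 && o->ncp_enabled)
 {
+ /* if we have already created our key, we cannot change our own
+ * cipher, so disable NCP and warn = explain why
+ */
+ struct tls_session *session = &tls_multi->session[TM_ACTIVE];
+ if ( session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized )
+ {
+ msg( M_INFO, "PUSH: client wants to negotiate cipher (NCP), but server has already generated data channel keys, ignoring client request" );
+ }
+ else
+ {
 /* Push the first cipher from --ncp-ciphers to the client.
 * TODO: actual negotiation, instead of server dictatorship. */
 char *push_cipher = string_alloc(o->ncp_ciphers, &o->gc);
 o->ciphername = strtok (push_cipher, ":");
 push_option_fmt(o, M_USAGE, "cipher %s", o->ciphername);
 }
+ }
 return true;
 }
 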
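Review bot: In the new keys-already-initialized branch no `cipher` option is pushed at all, so an NCP-capable client presumably stays on whatever its own --cipher is while the server keeps the cipher it has already keyed with; if those differ the data channel will fail later, and the M_INFO line gives the operator nothing to correlate that failure with. I would log it at M_WARN and name the cipher the server is keeping, e.g. `msg(M_WARN, "PUSH: client wants to negotiate cipher (NCP), but server has already generated data channel keys with cipher '%s', ignoring client request", o->ciphername);` — this assumes `o->ciphername` still holds the configured cipher at this point, which the assignment a few lines below suggests but the hunk does not prove. The new comment also reads oddly: `warn = explain why` should be `warn to explain why`. Note that prepare_push_reply begins before this hunk, so the state of `peer_info` and `o` on entry is not visible here.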