Opened 7 months ago

Last modified 6 months ago

#1313 new Bug / Defect

OCC warnings about cipher and auth mismatch are misleading

Reported by: Gert Döring
Owned by:
Priority: major
Milestone: release 2.4.10
Component: Generic / unclassified
Version: OpenVPN 2.4.9 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: NCP, cipher, OCC, warning
Cc: plaisthos, Steffan Karger

Description

In a setup where NCP is active, a client might warn in its logfile about cipher mismatch (if it has a different cipher configured than the server), but it is of no consequence because NCP will do the right thing anyway.

I think this needs to be fixed - possibly by announcing NCP status in the OCC messages, and "if I have NCP and the other side has NCP, ignore mismatches in cipher and auth".

Or maybe "if I am NCP *capable* and the server has NCP *enabled*" (because 2.4 with --ncp-disable talking to a 2.5 server will still get a proper cipher back).
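
The rule proposed in the description above, written in C as an added example (not OpenVPN's code and not part of the ticket). The option strings are constructed samples; `occ_warnings`, its two NCP flags and the simplified warning text are hypothetical and assume each side can learn the peer's NCP status.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
enum { WARN_DEV_TYPE = 1, WARN_CIPHER = 2, WARN_AUTH = 4 };
/* ncp_covered: keys the ticket proposes to ignore when NCP is in effect. */
static const struct { const char *name; unsigned bit; bool ncp_covered; } KEYS[] = {
    { "dev-type", WARN_DEV_TYPE, false }, { "cipher", WARN_CIPHER, true },
    { "auth", WARN_AUTH, true },
};

/* Copy the value of `key` from a comma-separated options string into out. */
static void opt_value(const char *opts, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    for (const char *end; opts && *opts; opts = end ? end + 1 : NULL) {
        end = strchr(opts, ',');
        size_t len = end ? (size_t)(end - opts) : strlen(opts);
        if (len > klen + 1 && !strncmp(opts, key, klen) && opts[klen] == ' ') {
            snprintf(out, outlen, "%.*s", (int)(len - klen - 1), opts + klen + 1);
            return;
        }
    }
}

/* Bitmask of keys still warned about. Assumption: peer NCP status is known. */
unsigned occ_warnings(const char *local, const char *remote,
                      bool local_ncp_capable, bool remote_ncp_enabled)
{
    bool ncp = local_ncp_capable && remote_ncp_enabled;
    unsigned warned = 0;
    for (size_t i = 0; i < sizeof KEYS / sizeof KEYS[0]; i++) {
        char l[64] = "", r[64] = "";
        opt_value(local, KEYS[i].name, l, sizeof l);
        opt_value(remote, KEYS[i].name, r, sizeof r);
        if (!strcmp(l, r) || (ncp && KEYS[i].ncp_covered))
            continue;   /* equal, or a mismatch that NCP makes irrelevant */
        fprintf(stderr, "WARNING: '%s' mismatch, local='%s' remote='%s'\n",
                KEYS[i].name, l, r);
        warned |= KEYS[i].bit;
    }
    return warned;
}

int main(void)
{
    /* Constructed option strings, not captured from a real session. */
    const char *cl = "V4,dev-type tun,cipher BF-CBC,auth SHA1";
    const char *sv = "V4,dev-type tun,cipher AES-256-CBC,auth SHA256";
    printf("%u %u\n", occ_warnings(cl, sv, true, false), occ_warnings(cl, sv, true, true));
}
```

Passing `local_ncp_capable` rather than "NCP enabled locally" follows the second variant in the description, so a client running with --ncp-disable against an NCP-enabled server also stays quiet.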

Change History (2)

comment:1 Changed 7 months ago by Gert Döring

Milestone: release 2.4.10
Version: OpenVPN git master branch (Community Ed) → OpenVPN 2.4.9 (Community Ed)

I just learned that 2.5 will no longer print cipher warnings anyway (never, unconditionally). At least, as of today.

So 2.4 remains...

comment:2 Changed 6 months ago by tincantech

I am CC'ing myself but also want to add this link:
https://community.openvpn.net/openvpn/wiki/CipherNegotiation

OpenVPN 2.4 vs 2.5 (and 2.2/2.3) do have some differences but the final outcome is as optimal as possible.
