Opened 4 years ago

Closed 4 months ago

Last modified 3 months ago

#845 closed Feature Wish (fixed)

set cipher for client in ccd

Reported by: slesru Owned by: Steffan Karger
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.4.0 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:



This was discussed in user's mail list, and there was info that such fetaure was already planned , but we really need it, so I decided to create feature wish.

In 2.4 it is possible for server to get cipher info from pre-2.4 client , but some clients (let's say in home routers) can't send info about cipher to server, because they are compiled without support for this feature,
so server will always use default cipher.
This makes migration from one default cipher to another , at least, very hard task, because we need to change default cipher on all such clients and on server at the same time.
This is major issue for us, because we are using OpenVPN for long time and aour default cipher is blowfish :-(

I'd like to have an ability to set default cipher on per-client basis in ccd.

Thank you!

Attachments (1)

0001-Allow-changing-cipher-from-a-ccd-file.patch (4.2 KB) - added by Steffan Karger 4 years ago.

Download all attachments as: .zip

Change History (18)

comment:1 Changed 4 years ago by Steffan Karger

Owner: set to Steffan Karger
Status: newaccepted

Thanks for creating the trac ticket, that helps keeping track of the issue.

I've created a patch that should allow you to set 'cipher' directives in ccd files, and attached it to this ticket. It would be great if you could test the patch to verify whether this works for you.

Changed 4 years ago by Steffan Karger

comment:2 Changed 4 years ago by slesru


Sorry for extremely late reply, I somehow missed this patch.
Just applied this on 2.4.1.
And trying to connect using 2.3.11, unfortunately, this is full version, i.e. it can tell to server which cipher it wants.

I have in server config:
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC

And client has default BF-CBC.

I wrote in ccd:
cipher BF-CBC

But I see during connect:
Thu Mar 23 10:58:07 2017 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'

I.e. looks like server doesn't use cipher BF-CBC for me :-(

Although server does not complain about cipher directive in ccd, looks like server does not use
cipher from ccd.

Thank you!

Or, may be, I'm wrong and it works only if client can inform server about cipher?

Last edited 4 years ago by slesru (previous) (diff)

comment:3 Changed 4 years ago by slesru

Sorry for previous message, it was too early - looks like disabling ncp helps to test and looks like it works, I need to test it on real hardware router.
Thank you!

comment:4 Changed 4 years ago by slesru

We just tested patched 2.4.1 with openvpn in soho router, we use, and
it works just fine with cipher from ccd, i.e. not default per server.


btw, looks like building 2.4.1 with --enable-small doesn't turn off occ and/or ncp - this is why I wrote firts comment here without any useful info.
So I built 2.3 for tests on my desktop...

Thank you very much! Going to patch my production servers in next several days.

Hope to have this in 2.4.2.. :-)

comment:5 Changed 4 years ago by slesru


We are in production now, tested on two soho routers, everything looks just fine.

Thank you!

comment:6 Changed 4 years ago by Steffan Karger

Thanks for reporting back! The patch is awaiting review on the development mailing list:

comment:7 Changed 4 years ago by tincantech

CC: tincantech

comment:8 Changed 3 years ago by slesru


Very pity it is not included in release 2.4.2.
Patch can be applied to 2.4.2 without problems, though:
+ echo 'Patch #0 (0001-Allow-changing-cipher-from-a-ccd-file.patch):'
Patch #0 (0001-Allow-changing-cipher-from-a-ccd-file.patch):
+ /usr/bin/patch -p1 --fuzz=0
+ /bin/cat /root/rpmbuild/SOURCES/0001-Allow-changing-cipher-from-a-ccd-file.patch
patching file src/openvpn/multi.c
patching file src/openvpn/options.c
Hunk #1 succeeded at 7495 (offset -41 lines).
patching file src/openvpn/options.h
Hunk #1 succeeded at 629 (offset 1 line).
patching file src/openvpn/ssl.c
Hunk #1 succeeded at 2396 (offset -5 lines).

Thank you!

comment:9 Changed 3 years ago by slesru

And is not in 2.4.3...

comment:10 Changed 3 years ago by slesru

and in 2.4.4 :-(
Could you, please, tell me will it be included in main tree?
I'm tired from patching ;)
Thank you!

comment:11 Changed 6 months ago by slesru


2.4.9 breaks patch compatibilty, because tls_session_update_crypto_params now has additional parameter:

multi.c: In function ‘multi_connection_established’:
multi.c:2091:17: error: too few arguments to function ‘tls_session_update_crypto_params’

&& !tls_session_update_crypto_params(session, &mi->context.options,

from original multi.c:

if (!tls_session_update_crypto_params(session, &c->options,

&c->c2.frame, frame_fragment))

I have no enough knowledge to fix this.

Could you, please, update patch?

comment:12 Changed 6 months ago by stipa


I tried to quick-fix parameter part in patch but got other errors. For that specific problem you could try something like:

struct context *c = &mi->context;
struct frame *frame_fragment = NULL;
if (c->options.ce.fragment)
    frame_fragment = &c->c2.frame_fragment;
struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
if (!tls_session_update_crypto_params(session, &c->options,
                                      &c->c2.frame, frame_fragment))

comment:13 Changed 6 months ago by slesru


Yes, I understand, this is how code in another place looks now, but problem can't be solved by just copying it, I already tried..

Thank you!

comment:14 Changed 4 months ago by plaisthos

I am trying to get rid of --cipher eventually and rely on ncp-ciphers/NCP in the future. Adding this would be against this effort. For the people that are interested in this patch, what reasons do you have to use it?

comment:15 Changed 4 months ago by slesru

Reason is still the same:

There are openvpn 2.3 clients in 3g routers which are built without ability to inform server about cipher, so server uses default cipher for them,

in case you need to change default cipher on server you can't do this , because clients will not work, it is also impossible to change default cipher on all clients at once,

so this is where ability to set default cipher on ccd helps. All these are explained in ticket.

Thanks to patch author we were able to change default cipher without downtime.

btw, we still run such routers but can't do the same procedure because patch is not compatible with 2.4.9 if for some reason current cipher will became nonsecure as blowfish.

comment:16 Changed 4 months ago by plaisthos

Resolution: fixed
Status: acceptedclosed

closed in master by commit 6168f53d

comment:17 Changed 3 months ago by slesru

Unfortunately, current git master dies when 2.3.18 client compiled with enable-small connects to it:

Jul 13 09:33:22 ovpn1 systemd[1]: openvpn@…: Main process exited, code=killed, status=11/SEGV

Thank you!

Note: See TracTickets for help on using tickets.