id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
906,Cipher negotiation succeeds when it should fail,signo-,Steffan Karger,"When a client and a server have ncp enabled and no common ciphers are specified, the initial cipher negotiation fails, but after an automatic restart it succeeds. I've included my client/server logs as attachments to hopefully clarify the issue.

Reproduction steps:

1. Start OpenVPN v2.4 server with a specified --cipher and a few ciphers in --ncp-ciphers (Example config below)
2. Start OpenVPN 2.4 client with --cipher and --ncp-ciphers specified. Make sure none of the client ciphers are included in the server's --cipher or --ncp-ciphers list (Example config below)
3. Client logs should print out the following: Error: pushed cipher not allowed - AES-128-GCM not in AES-192-GCM or AES-256-CBC
4. After waiting about a minute, the OpenVPN client will automatically restart and successfully initiate a connection to the server.

'''Server Version:''' OpenVPN 2.4.0 mipsel-unknown-linux-uclibc [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 19 2017

'''Server Command Line Params:''' openvpn --port 1194 --server 10.8.0.0 255.255.255.0 --topology p2p --proto udp --dev-type tun --ncp-ciphers AES-128-GCM:AES-192-CBC:AES-192-GCM:AES-256-CBC:AES-256-GCM --cipher AES-256-CBC --auth sha1 --verify-client-cert require --ca ca.crt --dh dh2048.pem --cert server.crt --key server.key --verb 0 --keepalive 30 150 --reneg-bytes 0 --reneg-sec 3600 --dev ovpn

'''Client Version:''' OpenVPN 2.4.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 11 2017

'''Client Command Line Params:''' sudo openvpn --remote 192.168.4.1 --dev tun --client --ca ca.crt --cert client.crt --key client.key --cipher AES-192-GCM --ncp-ciphers AES-256-CBC --verb 4 --proto udp --log client.log",Bug / Defect,closed,major,release 2.4.4,Generic / unclassified,OpenVPN 2.4.0 (Community Ed),"Not set (select this one, unless your'e a OpenVPN developer)",fixed,ncp,David Sommerseth