compat-mode: add --data-cipher-fallback auomatically if requested

For compatibility with OpenVPN older than 2.4.0, the '--data-cipher-fallback' argument is automatically added with the same value as specified by '--cipher'. This happens only when the user specifies compat-mode with a version older than 2.4.0. Signed-off-by: Arne Schwabe <arne@rfc2549.org> Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <20210904095629.6273-6-a@unstable.cc> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22798.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
cron2 · Sep 20, 2021 · cdef503 · cdef503
1 parent 65f6da8
commit cdef503
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst
@@ -68,6 +68,8 @@ which mode OpenVPN is configured as.
     to the configuration if no other compression options are present.
   - 2.4.x or lower: The cipher in ``--cipher`` is appended to
     ``--data-ciphers``
+  - 2.3.x or lower: ``--data-cipher-fallback`` is automatically added with
+    the same cipher as ``--cipher``
 
 --config file
   Load additional config options from ``file`` where each line corresponds

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
@@ -3176,6 +3176,13 @@ options_set_backwards_compatible_options(struct options *o)
         append_cipher_to_ncp_list(o, o->ciphername);
     }
 
+    /* Versions < 2.4.0 additionally might be compiled with --enable-small and
+     * not have OCC strings required for "poor man's NCP" */
+    if (o->ciphername && need_compatibility_before(o, 20400))
+    {
+        o->enable_ncp_fallback = true;
+    }
+
     /* Compression is deprecated and we do not want to announce support for it
      * by default anymore, additionally DCO breaks with compression.
      *