authorBernhard Schmidt <berni@debian.org>2018-11-11 22:19:12 +0100
committerBernhard Schmidt <berni@debian.org>2018-11-11 22:19:12 +0100
commitaef03811cf465cd8b464689e1a37fde2d8f090aa (patch)
treedfbcac82b63a63adfe204caeb8df7967d5b347ca
parent87c2fd4310e5b345102d7a4915dc5e3a65052305 (diff)
Cherry-pick upstream commit to fix cipher mismatch on reconnect
Closes: #909430, #910937
-rw-r--r--debian/patches/887-fix-ncp-on-reconnect.patch37
-rw-r--r--debian/patches/series1
2 files changed, 38 insertions, 0 deletions
diff --git a/debian/patches/887-fix-ncp-on-reconnect.patch b/debian/patches/887-fix-ncp-on-reconnect.patch
new file mode 100644
index 0000000..d8a18af
--- /dev/null
+++ b/debian/patches/887-fix-ncp-on-reconnect.patch
@@ -0,0 +1,37 @@
+From: Gert Döring <gert@greenie.muc.de>
+Subject: Fix NCP behaviour on TLS reconnect.
+Origin: upstream, https://community.openvpn.net/openvpn/changeset/13c05ca4e9da88ef30a778c16a97f0c0d767b448/
+Bug: https://community.openvpn.net/openvpn/ticket/887
+Bug-Debian: https://bugs.debian.org/909430
+
+Index: src/openvpn/push.c
+===================================================================
+--- a/src/openvpn/push.c (revision 5d5437710c282b1a60a892d1910160027a81db92)
++++ b/src/openvpn/push.c (revision 13c05ca4e9da88ef30a778c16a97f0c0d767b448)
+@@ -373,6 +373,7 @@
+ if (tls_peer_info_ncp_ver(peer_info) >= 2 && o->ncp_enabled)
+ {
+- /* if we have already created our key, we cannot change our own
+- * cipher, so disable NCP and warn = explain why
++ /* if we have already created our key, we cannot *change* our own
++ * cipher -> so log the fact and push the "what we have now" cipher
++ * (so the client is always told what we expect it to use)
+ */
+ const struct tls_session *session = &tls_multi->session[TM_ACTIVE];
+@@ -381,5 +382,6 @@
+ msg( M_INFO, "PUSH: client wants to negotiate cipher (NCP), but "
+ "server has already generated data channel keys, "
+- "ignoring client request" );
++ "re-sending previously negotiated cipher '%s'",
++ o->ciphername );
+ }
+ else
+@@ -389,6 +391,6 @@
+ char *push_cipher = string_alloc(o->ncp_ciphers, &o->gc);
+ o->ciphername = strtok(push_cipher, ":");
+- push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
+- }
++ }
++ push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
+ }
+ else if (o->ncp_enabled)
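Review bot: The DEP-3 header of the new patch file records only one of the two Debian bugs this commit closes; the commit message says "Closes: #909430, #910937", so the header should carry a second line, `Bug-Debian: https://bugs.debian.org/910937`, so the patch stays traceable once the changelog is gone. On the code side, the relocated `push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);` now also runs in the "keys already generated" branch, where the new log line likewise formats `o->ciphername` with `%s`; if that pointer can still be NULL at this point (not visible in the hunk), both calls would hit undefined behaviour, so it is worth confirming against the lines between the hunks that it is always set before the push. The enclosing function begins before the first hunk and continues past `else if (o->ncp_enabled)`.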
diff --git a/debian/patches/series b/debian/patches/series
index 4357c69..1c79cca 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@ CVE-2017-7520.patch
CVE-2017-7521.patch
CVE-2017-7521bis.patch
812-fix-push-options-digest-update.patch
+887-fix-ncp-on-reconnect.patch