https://bugs.gentoo.org/909361 https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/commit/a790374f4c2e9e1657cbb8470357d72d4bd87916 From a790374f4c2e9e1657cbb8470357d72d4bd87916 Mon Sep 17 00:00:00 2001 From: Beniamino Galvani Date: Mon, 28 Nov 2022 17:31:38 +0100 Subject: [PATCH] Revert "service: automatically add the "cipher" to the "data-ciphers"" `--data-ciphers` has a default value of `AES-256-GCM:AES-128-GCM`. If we overwrite it with the value of `--cipher` we are diverging from openvpn behavior and this can cause authentication problems. https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/issues/112 This reverts commit 020ab0c4b872fa5415ed1a5e682acb3343c7b9f3. --- a/src/nm-openvpn-service.c +++ b/src/nm-openvpn-service.c @@ -1676,22 +1676,6 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, args_add_vpn_data (args, s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, "--data-ciphers"); - if (nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_CIPHER) && - !nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS) && - openvpn_binary_detect_version_cached (openvpn_binary, &openvpn_binary_version) >= - nmovpn_version_encode (2, 5, 0)) { - /* Since 2.5, openvpn will warn if "cipher" is set but "data-ciphers" doesn't - * contain the cipher. It still used to automatically add the cipher. - * Since 2.6, the cipher is no longer automatically added, which is unlikely - * what the user wants. - * - * We automatically add it, so if the user only sets cipher (e.g. when - * having an old profile or targeting 2.4) it still works. So ciphers - * means something slightly different for the plugin, unless you set - * data-ciphers to anything. */ - args_add_vpn_data (args, s_vpn, NM_OPENVPN_KEY_CIPHER, "--data-ciphers"); - } - args_add_vpn_data (args, s_vpn, NM_OPENVPN_KEY_TLS_CIPHER, "--tls-cipher"); tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_KEYSIZE); -- GitLab