Subject: Re: [RFC PATCH] ovpnmain.cgi: Replace the ncp-disable with data-ciphers server entry
From: Michael Tremer
To: Adolf Belka
Cc: development@lists.ipfire.org
Date: Wed, 24 Sep 2025 11:17:56 +0100
In-Reply-To: <20250828102908.2602-1-adolf.belka@ipfire.org>
References: <20250828102908.2602-1-adolf.belka@ipfire.org>

Hello Adolf,

Sorry for digging this up so late…

You are right that we cannot use ncp-disable at all any more with newer clients. However, there is no chance for a user to disable NCP on the server side any more. So we can simply remove the case of not having any ciphers set because that should never ever exist.

I added this here: https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=d6ec7e0bf08a00c734c9e7b5f7c517ef82029afe

I had this in the back of my mind that this needed fixing, but I completely forgot that you sent this. You still sent me down the right way.

-Michael

> On 28 Aug 2025, at 11:29, Adolf Belka wrote:
>
> - If a backup from before openvpn-2.6 is restored then the server.conf file has ncp-disable still in it. Also data-ciphers in server.conf and DATACIPHERS in settings will not be present.
> - The existing code checks if DATACIPHERS is empty and if it is then it puts ncp-disable into server.conf which we no longer need to have.
> - This patch changes this code section so that if DATACIPHERS is empty then it has the default ciphers added into server.conf and then also updates the DATACIPHERS entry in the settings file.
> - I have made this an RFC patch as the patch does work but it might not be the correct or best way to go about this.
> - If it is accepted then the previous patches I did for backup.pl and update.sh can be reverted.
> - The change was tested out with the reverted backup.pl and all old backup versions were successfully restored correctly and worked as expected. Also tested out the change with a backup from CU197 and that restore also worked correctly.
>
> Tested-by: Adolf Belka
> Signed-off-by: Adolf Belka
> ---
> html/cgi-bin/ovpnmain.cgi | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index dfe7f8ad5..8c908d725 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -291,8 +291,14 @@ sub writeserverconf {
> print CONF "status $RW_STATUS 30\n";
>
> # Cryptography
> +
> + # Previous ncp-disable server conf will have an empty DATACIPHERS entry
> + # This will occur with restores from prior to OpenVPN-2.6
> + # Replace the empty DATACIPHERS entry with the default value
> if ($vpnsettings{'DATACIPHERS'} eq '') {
> - print CONF "ncp-disable\n";
> + print CONF "data-ciphers " . "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305" . "\n";
> + $vpnsettings{'DATACIPHERS'} = "AES-256-GCM|AES-128-GCM|CHACHA20-POLY1305";
> + &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
> } else {
> print CONF "data-ciphers " . $vpnsettings{'DATACIPHERS'} =~ s/\|/:/gr . "\n";
> }
> --
> 2.51.0
>
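Review bot: the default cipher list is spelled out twice in the `if` branch, once colon-separated for server.conf and once pipe-separated for the settings hash, even though the `else` branch already derives the colon form from the stored pipe form with `s/\|/:/gr`; two hand-maintained literals for the same list can drift apart silently. Assigning the default only to the hash when it is empty, `$vpnsettings{'DATACIPHERS'} = "AES-256-GCM|AES-128-GCM|CHACHA20-POLY1305";`, and then letting the existing `print CONF "data-ciphers " . $vpnsettings{'DATACIPHERS'} =~ s/\|/:/gr . "\n";` run unconditionally keeps a single source of truth and drops the `"data-ciphers " . "AES-..." . "\n"` literal concatenation. If the project defines this default list anywhere else, reference that definition rather than repeating the string here. Separately, the `&General::writehash(...)` call makes writeserverconf persist the settings file as a side effect whenever it sees an empty value; that is acceptable for a one-time migration, but the three new comment lines explain the cause and not that the settings file is rewritten, so a comment stating that this branch performs the migration on disk would help the next reader.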