Avoid sending --cipher to clients not supporting NCP

The NCP rework introduced a regression of sending a --cipher command as part of the push message when the client does not support NCP. This is is more a cosmetic issue since the client will log that as warning in the log and ignore it. Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200717134739.21168-7-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20437.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2026-05-28 04:03:29 -04:00 · 2020-07-17 15:47:37 +02:00 · 2020-07-17 15:47:37 +02:00 · 4b59e2644a
commit 4b59e2644a
parent e6c86b24db
1 changed files with 8 additions and 2 deletions
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@ -472,9 +472,15 @@ prepare_push_reply(struct context *c, struct gc_arena *gc,

    /*
     * Push the selected cipher, at this point the cipher has been
-     * already negotiated and been fixed
+     * already negotiated and been fixed.
+     *
+     * We avoid pushing the cipher to clients not supporting NCP
+     * to avoid error messages in their logs
     */
-    push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
+    if (tls_peer_supports_ncp(c->c2.tls_multi->peer_info))
+    {
+        push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
+    }

    return true;
 }