regression: can't set proper cipher after upgrade to 1.10.2
After the upgrade from 1.10.0 to 1.10.2, trying to establish an OpenVPN connection fails with the following error in the log:
Nov 17 10:16:05 pluto nm-openvpn[88722]: AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)
Nov 17 10:16:05 pluto nm-openvpn[88722]: SIGUSR1[soft,auth-failure] received, process restarting
The connection profile used:
[connection]
id=XXX
uuid=a2c56470-0db8-417d-94c9-d32c5ffedc83
type=vpn
permissions=
timestamp=1530874147
[vpn]
auth=SHA384
ca=/etc/ssl/certs/T-TeleSec_GlobalRoot_Class_2.pem
cipher=AES-256-CBC
comp-lzo=no-by-default
connection-type=password
dev=tun
dev-type=tun
password-flags=1
port=1194
remote=A.B.C.D
username=XXXX
verify-x509-name=XXXX
service-type=org.freedesktop.NetworkManager.openvpn
[ipv4]
dns-search=
method=auto
[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=auto
git bisect shows commit 020ab0c4 as the first faulty one:
Author: Thomas Haller <thaller@redhat.com>
Date: Mon Oct 3 21:29:22 2022 +0200
service: automatically add the "cipher" to the "data-ciphers"
https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/merge_requests/46#note_1494723
Fixes: 963b71a83ee1 ('Add support for OpenVPN's --data-ciphers')
src/nm-openvpn-service.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
A similar bug report was reported downstream at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024275
His error message is:
nm-openvpn[]: [<vpn name>] Peer Connection Initiated with [AF_INET]<IP>:<PORT>
nm-openvpn[]: OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-256-CBC') to --data-ciphers (currently 'AES-256-GCM') if you want to connect to this server.
nm-openvpn[]: ERROR: Failed to apply push options
nm-openvpn[]: Failed to open tun/tap interface
nm-openvpn[]: SIGUSR1[soft,process-push-msg-failed] received, process restarting
Edited by Michael Biebl