Ubuntu
network-manager-openvpn package

Data ciphers are not properly configured with openvpn 2.6

Bug #1991493 reported by Marco Trevisan (Treviño) on 2022-10-02

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	NetworkManager-OpenVPN	New	Unknown	auto-gitlab.gnome.org-gnome-networkmanager-openvpn-- #97
	network-manager-openvpn (Ubuntu)	Fix Released	High	Nathan Teodosio	Ubuntu ubuntu-22.10

Bug Description

OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-256-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.

So basically some servers won't be supported anymore because unsupported '--cipher' option is used instead of '--data-ciphers'

A fix is available at https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/merge_requests/46

Tags:

Marco Trevisan (Treviño) (3v1n0) on 2022-10-02

summary:

- Data ciphers are not properly configured with opevpn 2.6
+ Data ciphers are not properly configured with openvpn 2.6

Bug Watch Updater (bug-watch-updater) on 2022-10-02

Changed in network-manager-openvpn:
status:	Unknown → New

Revision history for this message

Nathan Teodosio (nteodosio) wrote on 2022-10-04:

nmo.diff Edit (13.4 KiB, text/plain)

Cherry-pick of the commits mentioned by https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/merge_requests/46#note_1566186.

Revision history for this message

Ubuntu Foundations Team Bug Bot (crichton) wrote on 2022-10-04:

The attachment "nmo.diff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags:

added: patch

Revision history for this message

Sebastien Bacher (seb128) wrote on 2022-10-05:

Thanks Nathan, I've added the bug reference to the changelog and uploaded

Changed in network-manager-openvpn (Ubuntu):
assignee:	Jeremy Bicha (jbicha) → Nathan Teodosio (nteodosio)
status:	Triaged → Fix Committed

Nathan Teodosio (nteodosio) on 2022-10-06

Changed in network-manager-openvpn (Ubuntu):
status:	Fix Committed → In Progress

Revision history for this message

Nathan Teodosio (nteodosio) wrote on 2022-10-06: Patch v2

nmo2.diff Edit (14.0 KiB, text/x-patch; charset=UTF-8; name="nmo2.diff")

The last patch fails to build, I must have only tried to build the
source package with debuild -S, sorry.

This one was built successfully with debuild.

Nathan Teodosio (nteodosio) on 2022-10-06

Changed in network-manager-openvpn (Ubuntu):
status:	In Progress → Triaged

Revision history for this message

Sebastien Bacher (seb128) wrote on 2022-10-10:

Thanks, reuploaded. I've added a new changelog entry since it was already uploaded and we can't reuse the same version

Changed in network-manager-openvpn (Ubuntu):
status:	Triaged → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2022-10-10:

This bug was fixed in the package network-manager-openvpn - 1.10.0-1ubuntu2

---------------
network-manager-openvpn (1.10.0-1ubuntu2) kinetic; urgency=medium

* patches/support-data-ciphers.patch:
- updated to fix a build issue

-- Nathan Pratta Teodosio <email address hidden> Mon, 10 Oct 2022 13:37:05 +0200

Changed in network-manager-openvpn (Ubuntu):
status:	Fix Committed → Fix Released

Revision history for this message

Thomas M Steenholdt (tmus) wrote on 2022-10-10:

This update makes it possible to connect to VPNs where the "cipher" (now "data-ciphers") option is needed, as long as the connection is manually modified. This part works great.

The Gnome settings interface however, still looks for the "cipher" option, so this part does not work. The settings interface cannot see the specified data-ciphers setting and trying to set it from the interface, sets the cipher option instead, rendering the connection unusable.