
security/tinc: list_ciphers.py no longer parses correctly the output of the openssl command #1976

@ghost

Description

Hello,

Describe the bug

When creating a network with tinc (VPN -> tinc -> Configuration -> new network), the "Cipher" menu shows only "None".

After investigating a bit (thanks to #198), it seems that the python script "list_ciphers.py" (located at /usr/local/opnsense/scripts/OPNsense/Tinc/list_ciphers.py ) no longer parses correctly the output of /usr/bin/openssl enc -help .

What this command gives me:

# /usr/bin/openssl enc -help
Usage: enc [options]
Valid options are:
 -help               Display this summary
 -ciphers            List ciphers
 -in infile          Input file
 -out outfile        Output file
 -pass val           Passphrase source
 -e                  Encrypt
 -d                  Decrypt
 -p                  Print the iv/key
 -P                  Print the iv/key and exit
 -v                  Verbose output
 -nopad              Disable standard block padding
 -salt               Use salt in the KDF (default)
 -nosalt             Do not use salt in the KDF
 -debug              Print debug info
 -a                  Base64 encode/decode, depending on encryption flag
 -base64             Same as option -a
 -A                  Used with -[base64|a] to specify base64 buffer as a single line
 -bufsize val        Buffer size
 -k val              Passphrase
 -kfile infile       Read passphrase from file
 -K val              Raw key, in hex
 -S val              Salt, in hex
 -iv val             IV in hex
 -md val             Use specified digest to create a key from the passphrase
 -iter +int          Specify the iteration count and force use of PBKDF2
 -pbkdf2             Use password-based key derivation function 2
 -none               Don't encrypt
 -*                  Any supported cipher
 -rand val           Load the file(s) into the random number generator
 -writerand outfile  Write random data to the specified file
 -engine val         Use engine, possibly a hardware device

I changed the python code a bit to have something working, using the command /usr/bin/openssl enc -ciphers

# /usr/bin/openssl enc -ciphers
Supported ciphers:
-aes-128-cbc               -aes-128-cfb               -aes-128-cfb1
-aes-128-cfb8              -aes-128-ctr               -aes-128-ecb
-aes-128-ofb               -aes-192-cbc               -aes-192-cfb
-aes-192-cfb1              -aes-192-cfb8              -aes-192-ctr
-aes-192-ecb               -aes-192-ofb               -aes-256-cbc
-aes-256-cfb               -aes-256-cfb1              -aes-256-cfb8
-aes-256-ctr               -aes-256-ecb               -aes-256-ofb
-aes128                    -aes128-wrap               -aes192
-aes192-wrap               -aes256                    -aes256-wrap
-aria-128-cbc              -aria-128-cfb              -aria-128-cfb1
-aria-128-cfb8             -aria-128-ctr              -aria-128-ecb
-aria-128-ofb              -aria-192-cbc              -aria-192-cfb
-aria-192-cfb1             -aria-192-cfb8             -aria-192-ctr
-aria-192-ecb              -aria-192-ofb              -aria-256-cbc
-aria-256-cfb              -aria-256-cfb1             -aria-256-cfb8
-aria-256-ctr              -aria-256-ecb              -aria-256-ofb
-aria128                   -aria192                   -aria256
-bf                        -bf-cbc                    -bf-cfb
-bf-ecb                    -bf-ofb                    -blowfish
-camellia-128-cbc          -camellia-128-cfb          -camellia-128-cfb1
-camellia-128-cfb8         -camellia-128-ctr          -camellia-128-ecb
-camellia-128-ofb          -camellia-192-cbc          -camellia-192-cfb
-camellia-192-cfb1         -camellia-192-cfb8         -camellia-192-ctr
-camellia-192-ecb          -camellia-192-ofb          -camellia-256-cbc
-camellia-256-cfb          -camellia-256-cfb1         -camellia-256-cfb8
-camellia-256-ctr          -camellia-256-ecb          -camellia-256-ofb
-camellia128               -camellia192               -camellia256
-cast                      -cast-cbc                  -cast5-cbc
-cast5-cfb                 -cast5-ecb                 -cast5-ofb
-chacha20                  -des                       -des-cbc
-des-cfb                   -des-cfb1                  -des-cfb8
-des-ecb                   -des-ede                   -des-ede-cbc
-des-ede-cfb               -des-ede-ecb               -des-ede-ofb
-des-ede3                  -des-ede3-cbc              -des-ede3-cfb
-des-ede3-cfb1             -des-ede3-cfb8             -des-ede3-ecb
-des-ede3-ofb              -des-ofb                   -des3
-des3-wrap                 -desx                      -desx-cbc
-id-aes128-wrap            -id-aes128-wrap-pad        -id-aes192-wrap
-id-aes192-wrap-pad        -id-aes256-wrap            -id-aes256-wrap-pad
-id-smime-alg-CMS3DESwrap  -idea                      -idea-cbc
-idea-cfb                  -idea-ecb                  -idea-ofb
-rc2                       -rc2-128                   -rc2-40
-rc2-40-cbc                -rc2-64                    -rc2-64-cbc
-rc2-cbc                   -rc2-cfb                   -rc2-ecb
-rc2-ofb                   -rc4                       -rc4-40
-rc5-cbc                   -rc5-cfb                   -rc5-ecb
-rc5-ofb                   -seed                      -seed-cbc
-seed-cfb                  -seed-ecb                  -seed-ofb
-sm4                       -sm4-cbc                   -sm4-cfb
-sm4-ctr                   -sm4-ecb                   -sm4-ofb

I replaced (l. 36)

from subprocess import Popen, PIPE

response = {}            # assumed to be initialised earlier in the script
cipher_section = False

p = Popen(['/usr/bin/openssl', 'enc', '-help'], stdin=PIPE, stdout=PIPE, stderr=PIPE, bufsize=-1)
output, error = p.communicate()

# the help text goes to stderr; ciphers were expected after a "Cipher Types" heading,
# which the OpenSSL 1.1.1 help above no longer prints, so nothing is ever collected
for line in error.decode().split('\n'):
    if line.find('Cipher Types') == 0:
        cipher_section = True
        continue
    if cipher_section:
        for item in line.split():
            if len(item) > 1:
                response[item[1:]] = item[1:]

by

import os

# tr puts one cipher per line, tail drops the two words of the "Supported ciphers:" header
read = os.popen('/usr/bin/openssl enc -ciphers | tr -s " " | tr -s " " "\n" | tail -n +3')

response = {}  # assumed to be initialised earlier in the script
for line in read:
    line = line.rstrip("\n")
    if line:  # skip blank lines so no empty key is added
        response[line[1:]] = line[1:]

and it is working. That said, I'm not sure it is the most beautiful fix.

To Reproduce

VPN -> tinc -> Configuration -> new network


# configctl tinc list ciphers
{"none":"None"}
#  /usr/local/opnsense/scripts/OPNsense/Tinc/list_ciphers.py 
{"none":"None"}

Expected behavior
Having the list of ciphers supported by openssl

What it looks like after my little fix:


# configctl tinc list ciphers 
{"aes-128-cbc":"aes-128-cbc","aes-128-cfb":"aes-128-cfb","aes-128-cfb1":"aes-128-cfb1","aes-128-cfb8":"aes-128-cfb8","aes-128-ctr":"aes-128-ctr","aes-128-ecb":"aes-128-ecb","aes-128-ofb":"aes-128-ofb","aes-192-cbc":"aes-192-cbc","aes-192-cfb":"aes-192-cfb","aes-192-cfb1":"aes-192-cfb1","aes-192-cfb8":"aes-192-cfb8","aes-192-ctr":"aes-192-ctr","aes-192-ecb":"aes-192-ecb","aes-192-ofb":"aes-192-ofb","aes-256-cbc":"aes-256-cbc","aes-256-cfb":"aes-256-cfb","aes-256-cfb1":"aes-256-cfb1","aes-256-cfb8":"aes-256-cfb8","aes-256-ctr":"aes-256-ctr","aes-256-ecb":"aes-256-ecb","aes-256-ofb":"aes-256-ofb","aes128":"aes128","aes128-wrap":"aes128-wrap","aes192":"aes192","aes192-wrap":"aes192-wrap","aes256":"aes256","aes256-wrap":"aes256-wrap","aria-128-cbc":"aria-128-cbc","aria-128-cfb":"aria-128-cfb","aria-128-cfb1":"aria-128-cfb1","aria-128-cfb8":"aria-128-cfb8","aria-128-ctr":"aria-128-ctr","aria-128-ecb":"aria-128-ecb","aria-128-ofb":"aria-128-ofb","aria-192-cbc":"aria-192-cbc","aria-192-cfb":"aria-192-cfb","aria-192-cfb1":"aria-192-cfb1","aria-192-cfb8":"aria-192-cfb8","aria-192-ctr":"aria-192-ctr","aria-192-ecb":"aria-192-ecb","aria-192-ofb":"aria-192-ofb","aria-256-cbc":"aria-256-cbc","aria-256-cfb":"aria-256-cfb","aria-256-cfb1":"aria-256-cfb1","aria-256-cfb8":"aria-256-cfb8","aria-256-ctr":"aria-256-ctr","aria-256-ecb":"aria-256-ecb","aria-256-ofb":"aria-256-ofb","aria128":"aria128","aria192":"aria192","aria256":"aria256","bf":"bf","bf-cbc":"bf-cbc","bf-cfb":"bf-cfb","bf-ecb":"bf-ecb","bf-ofb":"bf-ofb","blowfish":"blowfish","camellia-128-cbc":"camellia-128-cbc","camellia-128-cfb":"camellia-128-cfb","camellia-128-cfb1":"camellia-128-cfb1","camellia-128-cfb8":"camellia-128-cfb8","camellia-128-ctr":"camellia-128-ctr","camellia-128-ecb":"camellia-128-ecb","camellia-128-ofb":"camellia-128-ofb","camellia-192-cbc":"camellia-192-cbc","camellia-192-cfb":"camellia-192-cfb","camellia-192-cfb1":"camellia-192-cfb1","camellia-192-cfb8":"camellia-192-cfb8","camellia-192-ctr":"camellia-192-ctr","camellia-192-ecb":"camellia-192-ecb","camellia-192-ofb":"camellia-192-ofb","camellia-256-cbc":"camellia-256-cbc","camellia-256-cfb":"camellia-256-cfb","camellia-256-cfb1":"camellia-256-cfb1","camellia-256-cfb8":"camellia-256-cfb8","camellia-256-ctr":"camellia-256-ctr","camellia-256-ecb":"camellia-256-ecb","camellia-256-ofb":"camellia-256-ofb","camellia128":"camellia128","camellia192":"camellia192","camellia256":"camellia256","cast":"cast","cast-cbc":"cast-cbc","cast5-cbc":"cast5-cbc","cast5-cfb":"cast5-cfb","cast5-ecb":"cast5-ecb","cast5-ofb":"cast5-ofb","chacha20":"chacha20","des":"des","des-cbc":"des-cbc","des-cfb":"des-cfb","des-cfb1":"des-cfb1","des-cfb8":"des-cfb8","des-ecb":"des-ecb","des-ede":"des-ede","des-ede-cbc":"des-ede-cbc","des-ede-cfb":"des-ede-cfb","des-ede-ecb":"des-ede-ecb","des-ede-ofb":"des-ede-ofb","des-ede3":"des-ede3","des-ede3-cbc":"des-ede3-cbc","des-ede3-cfb":"des-ede3-cfb","des-ede3-cfb1":"des-ede3-cfb1","des-ede3-cfb8":"des-ede3-cfb8","des-ede3-ecb":"des-ede3-ecb","des-ede3-ofb":"des-ede3-ofb","des-ofb":"des-ofb","des3":"des3","des3-wrap":"des3-wrap","desx":"desx","desx-cbc":"desx-cbc","id-aes128-wrap":"id-aes128-wrap","id-aes128-wrap-pad":"id-aes128-wrap-pad","id-aes192-wrap":"id-aes192-wrap","id-aes192-wrap-pad":"id-aes192-wrap-pad","id-aes256-wrap":"id-aes256-wrap","id-aes256-wrap-pad":"id-aes256-wrap-pad","id-smime-alg-CMS3DESwrap":"id-smime-alg-CMS3DESwrap","idea":"idea","idea-cbc":"idea-cbc","idea-cfb":"idea-cfb","idea-ecb":"idea-ecb","idea-ofb":"idea-ofb","rc2":"rc2","rc2-128":"rc2-128","rc2-40":"rc2-40","rc2-40-cbc":"rc2-40-cbc","rc2-64":"rc2-64","rc2-64-cbc":"rc2-64-cbc","rc2-cbc":"rc2-cbc","rc2-cfb":"rc2-cfb","rc2-ecb":"rc2-ecb","rc2-ofb":"rc2-ofb","rc4":"rc4","rc4-40":"rc4-40","rc5-cbc":"rc5-cbc","rc5-cfb":"rc5-cfb","rc5-ecb":"rc5-ecb","rc5-ofb":"rc5-ofb","seed":"seed","seed-cbc":"seed-cbc","seed-cfb":"seed-cfb","seed-ecb":"seed-ecb","seed-ofb":"seed-ofb","sm4":"sm4","sm4-cbc":"sm4-cbc","sm4-cfb":"sm4-cfb","sm4-ctr":"sm4-ctr","sm4-ecb":"sm4-ecb","sm4-ofb":"sm4-ofb","none":"None"}

Environment

opnsense version:
OPNsense 20.7-amd64
FreeBSD 12.1-RELEASE-p7-HBSD
OpenSSL 1.1.1g 21 Apr 2020
os-tinc version: 1.5_1

I have no idea which version of opnsense / tinc plugin it was last working with, since it's a fresh installation of both.
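A self-contained reworking of the fix described above, added here as an example (not the plugin's code nor the reporter's): it runs openssl as an argv list instead of a shell pipeline, and the parser accepts both the new "Supported ciphers:" header and the old "Cipher Types" header the original script looked for, so one script covers both output formats. The two sample outputs are constructed excerpts of the output shown in this report; it assumes Python 3.7+ for subprocess.run(capture_output=True) and that the older -help text lists ciphers under "Cipher Types" as the original script expected.

```python
import json
import subprocess

# Constructed excerpt of `openssl enc -ciphers` output on OpenSSL 1.1.1
SAMPLE_CIPHERS = """Supported ciphers:
-aes-128-cbc               -aes-128-cfb               -aes-128-cfb1
-chacha20                  -des                       -des-cbc
-sm4-ctr                   -sm4-ecb                   -sm4-ofb
"""

# Constructed excerpt of the older `enc -help` text the script used to parse
SAMPLE_HELP = """Usage: enc [options]
Cipher Types
-aes-128-cbc               -aes-128-cfb
-des-cbc                   -rc4
"""


def parse_ciphers(text):
    """Return {name: name} for each '-name' token that follows the header.
    Accepts both the new "Supported ciphers:" and the old "Cipher Types"
    header; text before the header and blank lines are ignored.
    """
    response = {}
    in_section = False
    for line in text.splitlines():
        if line.startswith(('Supported ciphers', 'Cipher Types')):
            in_section = True
            continue
        if in_section:
            for item in line.split():
                # only '-xxx' tokens are cipher names; drop the leading dash
                if item.startswith('-') and len(item) > 1:
                    response[item[1:]] = item[1:]
    return response


def list_ciphers(openssl='/usr/bin/openssl'):
    """Run openssl as an argv list (no shell) and parse stdout and stderr,
    so either output format is seen; 'none' is the plugin's default entry."""
    proc = subprocess.run([openssl, 'enc', '-ciphers'],
                          capture_output=True, text=True)
    response = parse_ciphers(proc.stdout + proc.stderr)
    response['none'] = 'None'
    return response


if __name__ == '__main__':
    print(json.dumps(list_ciphers()))
```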

Labels: bug (Production bug)
