From 4b2b6005090235b1a2b4cff0b9afdbeaa3812e5a Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 16 Mar 2023 09:37:06 +0100
Subject: [PATCH] VPN/OpenVPN - reintroduce "cipher" keyword for older clients.
 closes https://github.com/opnsense/core/issues/6420 partly reverts
 https://github.com/opnsense/core/commit/1e28d5b352e3aeb9a4e94720595e5e82bf83503b
 , only remove "none" cipher for now and assure its not being set by default
 for new connections.

---
 src/etc/inc/plugins.inc.d/openvpn.inc | 2 +-
 src/www/vpn_openvpn_client.php        | 4 ++--
 src/www/vpn_openvpn_server.php        | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/etc/inc/plugins.inc.d/openvpn.inc b/src/etc/inc/plugins.inc.d/openvpn.inc
index f0a3fbc16..c74abd2e1 100644
--- a/src/etc/inc/plugins.inc.d/openvpn.inc
+++ b/src/etc/inc/plugins.inc.d/openvpn.inc
@@ -528,7 +528,7 @@ function openvpn_reconfigure($mode, $settings, $device_only = false)
     $conf .= "persist-key\n";
     $conf .= "proto {$proto}\n";
     if (!empty($cipher) && $cipher != 'none') {
-        $conf .= "data-ciphers-fallback {$cipher}\n";
+        $conf .= "cipher {$cipher}\n";
     }
     $conf .= "auth {$digest}\n";
     $conf .= "up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup\n";
diff --git a/src/www/vpn_openvpn_client.php b/src/www/vpn_openvpn_client.php
index 77d9ffe59..4af46aacc 100644
--- a/src/www/vpn_openvpn_client.php
+++ b/src/www/vpn_openvpn_client.php
@@ -916,7 +916,7 @@ $( document ).ready(function() {
             </td>
           </tr>
           <tr>
-            <td><a id="help_for_crypto" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Encryption algorithm (fallback)"); ?></td>
+            <td><a id="help_for_crypto" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Encryption algorithm (deprecated)"); ?></td>
             <td>
               <select name="crypto" class="form-control">
 <?php
@@ -927,7 +927,7 @@ $( document ).ready(function() {
               endforeach; ?>
               </select>
               <div class="hidden" data-for="help_for_crypto">
-                <?= gettext('Fallback cipher selection in case none of the default data-ciphers is supported by the client. Only preserved for backwards compatibility reasons.') ?>
+                <?= gettext('Cipher selection for older clients. Only preserved for backwards compatibility reasons.') ?>
               </div>
             </td>
           </tr>
diff --git a/src/www/vpn_openvpn_server.php b/src/www/vpn_openvpn_server.php
index bdd6e278e..f6f404ed5 100644
--- a/src/www/vpn_openvpn_server.php
+++ b/src/www/vpn_openvpn_server.php
@@ -992,7 +992,7 @@ $( document ).ready(function() {
                       </td>
                     </tr>
                     <tr>
-                      <td><a id="help_for_crypto" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Encryption algorithm (fallback)"); ?></td>
+                      <td><a id="help_for_crypto" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Encryption algorithm (deprecated)"); ?></td>
                       <td>
                         <select name="crypto" class="selectpicker">
 <?php
@@ -1005,7 +1005,7 @@ $( document ).ready(function() {
                         endforeach; ?>
                         </select>
                         <div class="hidden" data-for="help_for_crypto">
-                          <?= gettext('Fallback cipher selection in case none of the default data-ciphers is supported by the client. Only preserved for backwards compatibility reasons.') ?>
+                          <?= gettext('Cipher selection for older clients. Only preserved for backwards compatibility reasons.') ?>
                         </div>
                       </td>
                     </tr>