How does tinc handle "unknown cipher"?

Fufu Fang fangfufu2003 at gmail.com
Thu Mar 5 06:10:44 CET 2020


Hi, 
So my Debian machines are all using the following cipher + digest:
Cipher = chacha20-poly1305
Digest = blake2b512

However my OpenWRT router does not have chacha20-poly1305 and
blake2b512 in its SSL library, so it uses the following: 
Cipher = aes-128-cbc
Digest = sha512

I am a bit surprised that the router's tinc manages to talk to Debian's
tinc, when I set a cipher suite that the router's SSL library does not
recognise. 

I looked at the log, it triggers this line:
https://github.com/gsliepen/tinc/blob/master/src/protocol_auth.c#L297

I am just wondering, what happens after metakey_h() returns false? Does
tinc simply fall back to a more common cipher? Do the two clients
negotiate what to fall back to?

FF


