OpenVPN CLI-option: T6571: rename ncp-ciphers with data-ciphers (backport #3823) #4082

Merged
merged 1 commit into from
Sep 18, 2024

@mergify mergify bot commented Sep 18, 2024

Change Summary

Rename ncp-ciphers to data-ciphers. This option was called --ncp-ciphers in OpenVPN 2.4 but has been renamed to --data-ciphers in OpenVPN 2.5 to more accurately reflect its meaning.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

https://vyos.dev/T6571

Related PR(s)

Component(s) name

OpenVPN

Proposed changes

Previous format:

vyos@testing# set int openvpn vtun10 encryption ncp-ciphers
Possible completions:
   none                 Disable encryption
   3des                 DES algorithm with triple encryption
   aes128               AES algorithm with 128-bit key CBC
   aes128gcm            AES algorithm with 128-bit key GCM

New name "data-ciphers":

vyos@testing# set int openvpn vtun10 encryption data-ciphers
Possible completions:
   none                 Disable encryption
   3des                 DES algorithm with triple encryption
   aes128               AES algorithm with 128-bit key CBC
   aes128gcm            AES algorithm with 128-bit key GCM

How to test

Press Tab to see the completion help for the command "set int openvpn vtun10 encryption"

set int openvpn vtun1 encryption
Possible completions:
   cipher               Standard Data Encryption Algorithm
+  data-ciphers          Cipher negotiation list for use in server or client mode

Smoketest result

vyos@testing:/usr/libexec/vyos/tests/smoke/cli$ sudo systemctl stop vyos-configd
vyos@testing:/usr/libexec/vyos/tests/smoke/cli$ ./test_interfaces_openvpn.py
test_openvpn_client_interfaces (__main__.TestInterfacesOpenVPN.test_openvpn_client_interfaces) ... ERROR
test_openvpn_client_verify (__main__.TestInterfacesOpenVPN.test_openvpn_client_verify) ... ok
test_openvpn_options (__main__.TestInterfacesOpenVPN.test_openvpn_options) ... ok
test_openvpn_server_subnet_topology (__main__.TestInterfacesOpenVPN.test_openvpn_server_subnet_topology) ... ok
test_openvpn_server_verify (__main__.TestInterfacesOpenVPN.test_openvpn_server_verify) ... ok
test_openvpn_site2site_interfaces_tun (__main__.TestInterfacesOpenVPN.test_openvpn_site2site_interfaces_tun) ... ok
test_openvpn_site2site_verify (__main__.TestInterfacesOpenVPN.test_openvpn_site2site_verify) ... ok

======================================================================
ERROR: test_openvpn_client_interfaces (__main__.TestInterfacesOpenVPN.test_openvpn_client_interfaces)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/libexec/vyos/tests/smoke/cli/./test_interfaces_openvpn.py", line 213, in test_openvpn_client_interfaces
    self.cli_commit()
  File "/usr/libexec/vyos/tests/smoke/cli/base_vyostest_shim.py", line 83, in cli_commit
    self._session.commit()
  File "/usr/lib/python3/dist-packages/vyos/configsession.py", line 210, in commit
    out = self.__run_command([COMMIT])
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/configsession.py", line 147, in __run_command
    raise ConfigSessionError(output)
vyos.configsession.ConfigSessionError: [ pki ]
ConfigError('CA certificates are not a valid chain')

[[pki]] failed
[ interfaces openvpn vtun10 ]
CA certificates are not a valid chain

[[interfaces openvpn vtun10]] failed
Commit failed


----------------------------------------------------------------------
Ran 7 tests in 235.023s

FAILED (errors=1)

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

This is an automatic backport of pull request #3823 done by [Mergify](https://mergify.com).

@mergify mergify bot requested a review from a team as a code owner September 18, 2024 10:36
@mergify mergify bot requested review from dmbaturin, sarthurdev, zdc, jestabro, c-po and nicolas-fort and removed request for a team September 18, 2024 10:36

PR title 'OpenVPN CLI-option: T6571: rename ncp-ciphers with data-ciphers (backport #3823)' does not match the required format!. Valid title example: T99999: make IPsec secure

@sever-sever

Tests

vyos@r15:~$ 
vyos@r15:~$ /usr/libexec/vyos/tests/smoke/cli/test_interfaces_openvpn.py
test_openvpn_client_interfaces (__main__.TestInterfacesOpenVPN.test_openvpn_client_interfaces) ... ok
test_openvpn_client_verify (__main__.TestInterfacesOpenVPN.test_openvpn_client_verify) ... 
Cannot specify "local-port" in client mode


Cannot specify "local-host" in client mode


Must specify "remote-host" in client mode


Must specify "remote-host" in client mode


Cannot specify "tls dh-params" in client mode


Must specify only one of "shared-secret-key" and "tls"


Must specify "tls" for server and client modes


Must specify only one of "shared-secret-key" and "tls"


Password for authentication is missing

ok
test_openvpn_options (__main__.TestInterfacesOpenVPN.test_openvpn_options) ... 
DEPRECATION WARNING: OpenVPN shared-secret support will be removed in
future VyOS versions. Please migrate your site-to-site tunnels to TLS.
You can use self-signed certificates with peer fingerprint
verification, consult the documentation for details.


DEPRECATION WARNING: OpenVPN shared-secret support will be removed in
future VyOS versions. Please migrate your site-to-site tunnels to TLS.
You can use self-signed certificates with peer fingerprint
verification, consult the documentation for details.


DEPRECATION WARNING: OpenVPN shared-secret support will be removed in
future VyOS versions. Please migrate your site-to-site tunnels to TLS.
You can use self-signed certificates with peer fingerprint
verification, consult the documentation for details.


DEPRECATION WARNING: OpenVPN shared-secret support will be removed in
future VyOS versions. Please migrate your site-to-site tunnels to TLS.
You can use self-signed certificates with peer fingerprint
verification, consult the documentation for details.

ok
test_openvpn_server_server_bridge (__main__.TestInterfacesOpenVPN.test_openvpn_server_server_bridge) ... Warning: using dh-params and EC keys simultaneously will lead to DH ciphers being used instead of ECDH
ok
test_openvpn_server_subnet_topology (__main__.TestInterfacesOpenVPN.test_openvpn_server_subnet_topology) ... Warning: using dh-params and EC keys simultaneously will lead to DH ciphers being used instead of ECDH
Warning: using dh-params and EC keys simultaneously will lead to DH ciphers being used instead of ECDH
Warning: using dh-params and EC keys simultaneously will lead to DH ciphers being used instead of ECDH
Warning: using dh-params and EC keys simultaneously will lead to DH ciphers being used instead of ECDH
Warning: using dh-params and EC keys simultaneously will lead to DH ciphers being used instead of ECDH
ok
test_openvpn_server_verify (__main__.TestInterfacesOpenVPN.test_openvpn_server_verify) ... 
Must specify OpenVPN operation mode!


Protocol "tcp-active" is not valid in server mode


Cannot specify "remote-port" in server mode


Cannot specify "remote-host" in server mode


Must specify "server subnet" or add interface to bridge in server mode


Must specify "server subnet" or add interface to bridge in server mode


Must specify "tls ca-certificate" on openvpn interface vtun5000,
it is required in server and client modes


Cannot specify more than 1 IPv4 server subnet


Must specify "tls ca-certificate" on openvpn interface vtun5000,
it is required in server and client modes


Missing "tls certificate" on openvpn interface vtun5000


Cannot specify "tls role" in client-server mode


Cannot specify "tls dh-params" when "tls role" is "active"


Cannot specify "tcp-passive" when "tls role" is "active"


Cannot specify "tls dh-params" when "tls role" is "active"


"encryption cipher" option is deprecated for TLS mode. Use "encryption
data-ciphers" instead


Protocol "tcp-active" is not valid in server mode

Warning: using dh-params and EC keys simultaneously will lead to DH ciphers being used instead of ECDH
ok
test_openvpn_site2site_interfaces_tun (__main__.TestInterfacesOpenVPN.test_openvpn_site2site_interfaces_tun) ... 
DEPRECATION WARNING: OpenVPN shared-secret support will be removed in
future VyOS versions. Please migrate your site-to-site tunnels to TLS.
You can use self-signed certificates with peer fingerprint
verification, consult the documentation for details.


DEPRECATION WARNING: OpenVPN shared-secret support will be removed in
future VyOS versions. Please migrate your site-to-site tunnels to TLS.
You can use self-signed certificates with peer fingerprint
verification, consult the documentation for details.


DEPRECATION WARNING: OpenVPN shared-secret support will be removed in
future VyOS versions. Please migrate your site-to-site tunnels to TLS.
You can use self-signed certificates with peer fingerprint
verification, consult the documentation for details.


DEPRECATION WARNING: OpenVPN shared-secret support will be removed in
future VyOS versions. Please migrate your site-to-site tunnels to TLS.
You can use self-signed certificates with peer fingerprint
verification, consult the documentation for details.


DEPRECATION WARNING: OpenVPN shared-secret support will be removed in
future VyOS versions. Please migrate your site-to-site tunnels to TLS.
You can use self-signed certificates with peer fingerprint
verification, consult the documentation for details.

ok
test_openvpn_site2site_verify (__main__.TestInterfacesOpenVPN.test_openvpn_site2site_verify) ... 
Must specify "local-address" or add interface to bridge


Must specify "local-address" or add interface to bridge


Only one IPv4 local-address can be specified


Only one IPv6 local-address can be specified


Must specify "remote-address"


Only one IPv4 remote-address can be specified


Only one IPv6 remote-address can be specified


Must specify only one of "shared-secret-key" and "tls"


DEPRECATION WARNING: OpenVPN shared-secret support will be removed in
future VyOS versions. Please migrate your site-to-site tunnels to TLS.
You can use self-signed certificates with peer fingerprint
verification, consult the documentation for details.

ok

----------------------------------------------------------------------
Ran 8 tests in 91.362s

OK
vyos@r15:~$ 

@dmbaturin dmbaturin merged commit 0444795 into circinus Sep 18, 2024
8 of 9 checks passed
@mergify mergify bot deleted the mergify/bp/circinus/pr-3823 branch September 18, 2024 11:39