[fix] Convert parameter tls_cipher to a list #349

okraits · okraits · commit d2077a6735c3 · 2025-10-31T15:51:25.000+01:00
Fixes #349 Signed-off-by: Oliver Kraitschy <ok@dev.tdt.de>
diff --git a/netjsonconfig/backends/openwrt/converters/openvpn.py b/netjsonconfig/backends/openwrt/converters/openvpn.py
@@ -15,6 +15,8 @@ def __intermediate_vpn(self, vpn):
                 "enabled": not vpn.pop("disabled", False),
             }
         )
+        if (cipher := vpn.get("tls_cipher")) and isinstance(cipher, str):
+            vpn["tls_cipher"] = [cipher]
         return super().__intermediate_vpn(vpn, remove=[""])
 
     def __netjson_vpn(self, vpn):
@@ -24,4 +26,6 @@ def __netjson_vpn(self, vpn):
         vpn["disabled"] = vpn.pop("enabled", "0") == "0"
         vpn["name"] = vpn.pop(".name")
         del vpn[".type"]
+        if (cipher := vpn.get("tls_cipher")) and isinstance(cipher, list) and cipher:
+            vpn["tls_cipher"] = cipher[0]
         return super().__netjson_vpn(vpn)
diff --git a/tests/openvpn/test_backend.py b/tests/openvpn/test_backend.py
@@ -257,6 +257,7 @@ def test_client_mode(self):
                         "status_version": 1,
                         "tls_client": True,
                         "tls_auth": "tls_auth.key 1",
+                        "tls_cipher": "TLS-DHE-RSA-WITH-AES-256-CBC-SHA:@SECLEVEL=0",
                         "topology": "p2p",
                         "tun_ipv6": True,
                         "up": "/home/user/up-command.sh",
@@ -302,6 +303,7 @@ def test_client_mode(self):
 status /var/log/openvpn.status 30
 status-version 1
 tls-auth tls_auth.key 1
+tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:@SECLEVEL=0
 tls-client
 topology p2p
 tun-ipv6
diff --git a/tests/openvpn/test_parser.py b/tests/openvpn/test_parser.py
@@ -74,6 +74,7 @@ def test_parse_server(self):
 script-security 0
 status /var/log/openvpn.status 10
 status-version 1
+tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:@SECLEVEL=0
 tls-server
 user nobody
 verb 3
@@ -110,6 +111,7 @@ def test_parse_server(self):
                     "script_security": 0,
                     "status": "/var/log/openvpn.status 10",
                     "status_version": 1,
+                    "tls_cipher": "TLS-DHE-RSA-WITH-AES-256-CBC-SHA:@SECLEVEL=0",
                     "tls_server": True,
                     "user": "nobody",
                     "verb": 3,
diff --git a/tests/openwrt/test_openvpn.py b/tests/openwrt/test_openvpn.py
@@ -211,6 +211,7 @@ def test_parse_server_mode_data_ciphers(self):
                 "script_security": 1,
                 "status": "/var/log/openvpn.status 30",
                 "status_version": 1,
+                "tls_cipher": "TLS-DHE-RSA-WITH-AES-256-CBC-SHA:@SECLEVEL=0",
                 "tls_client": True,
                 "tun_ipv6": True,
                 "up": "/home/user/up-command.sh",
@@ -254,6 +255,7 @@ def test_parse_server_mode_data_ciphers(self):
     option script_security '1'
     option status '/var/log/openvpn.status 30'
     option status_version '1'
+    list tls_cipher 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA:@SECLEVEL=0'
     option tls_client '1'
     option tun_ipv6 '1'
     option up '/home/user/up-command.sh'

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,8 @@ def __intermediate_vpn(self, vpn):`
`15`	`15`	`"enabled": not vpn.pop("disabled", False),`
`16`	`16`	`}`
`17`	`17`	`)`
	`18`	`+ if (cipher := vpn.get("tls_cipher")) and isinstance(cipher, str):`
	`19`	`+ vpn["tls_cipher"] = [cipher]`
`18`	`20`	`return super().__intermediate_vpn(vpn, remove=[""])`
`19`	`21`
`20`	`22`	`def __netjson_vpn(self, vpn):`
`@@ -24,4 +26,6 @@ def __netjson_vpn(self, vpn):`
`24`	`26`	`vpn["disabled"] = vpn.pop("enabled", "0") == "0"`
`25`	`27`	`vpn["name"] = vpn.pop(".name")`
`26`	`28`	`del vpn[".type"]`
	`29`	`+ if (cipher := vpn.get("tls_cipher")) and isinstance(cipher, list) and cipher:`
	`30`	`+ vpn["tls_cipher"] = cipher[0]`
`27`	`31`	`return super().__netjson_vpn(vpn)`