[fix] Convert parameter tls_cipher to a list #349

okraits · okraits · commit e0f2824ec5d9 · 2025-10-31T15:43:48.000+01:00
Fixes #349 Signed-off-by: Oliver Kraitschy <ok@dev.tdt.de>
diff --git a/netjsonconfig/backends/openwrt/converters/openvpn.py b/netjsonconfig/backends/openwrt/converters/openvpn.py
@@ -15,6 +15,8 @@ def __intermediate_vpn(self, vpn):
                 "enabled": not vpn.pop("disabled", False),
             }
         )
+        if (cipher := vpn.get('tls_cipher')) and isinstance(cipher, str):
+            vpn['tls_cipher'] = [cipher]
         return super().__intermediate_vpn(vpn, remove=[""])
 
     def __netjson_vpn(self, vpn):
@@ -24,4 +26,7 @@ def __netjson_vpn(self, vpn):
         vpn["disabled"] = vpn.pop("enabled", "0") == "0"
         vpn["name"] = vpn.pop(".name")
         del vpn[".type"]
+        if (cipher := vpn.get('tls_cipher')) and isinstance(cipher, list) \
+                and cipher:
+            vpn['tls_cipher'] = cipher[0]
         return super().__netjson_vpn(vpn)
diff --git a/tests/openvpn/test_backend.py b/tests/openvpn/test_backend.py
@@ -257,6 +257,7 @@ def test_client_mode(self):
                         "status_version": 1,
                         "tls_client": True,
                         "tls_auth": "tls_auth.key 1",
+                        "tls_cipher": "TLS-DHE-RSA-WITH-AES-256-CBC-SHA:@SECLEVEL=0",
                         "topology": "p2p",
                         "tun_ipv6": True,
                         "up": "/home/user/up-command.sh",
@@ -302,6 +303,7 @@ def test_client_mode(self):
 status /var/log/openvpn.status 30
 status-version 1
 tls-auth tls_auth.key 1
+tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:@SECLEVEL=0
 tls-client
 topology p2p
 tun-ipv6
diff --git a/tests/openvpn/test_parser.py b/tests/openvpn/test_parser.py
@@ -74,6 +74,7 @@ def test_parse_server(self):
 script-security 0
 status /var/log/openvpn.status 10
 status-version 1
+tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:@SECLEVEL=0
 tls-server
 user nobody
 verb 3
@@ -110,6 +111,7 @@ def test_parse_server(self):
                     "script_security": 0,
                     "status": "/var/log/openvpn.status 10",
                     "status_version": 1,
+                    "tls_cipher": "TLS-DHE-RSA-WITH-AES-256-CBC-SHA:@SECLEVEL=0",
                     "tls_server": True,
                     "user": "nobody",
                     "verb": 3,
diff --git a/tests/openwrt/test_openvpn.py b/tests/openwrt/test_openvpn.py
@@ -211,6 +211,7 @@ def test_parse_server_mode_data_ciphers(self):
                 "script_security": 1,
                 "status": "/var/log/openvpn.status 30",
                 "status_version": 1,
+                "tls_cipher": "TLS-DHE-RSA-WITH-AES-256-CBC-SHA:@SECLEVEL=0",
                 "tls_client": True,
                 "tun_ipv6": True,
                 "up": "/home/user/up-command.sh",
@@ -254,6 +255,7 @@ def test_parse_server_mode_data_ciphers(self):
     option script_security '1'
     option status '/var/log/openvpn.status 30'
     option status_version '1'
+    list tls_cipher 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA:@SECLEVEL=0'
     option tls_client '1'
     option tun_ipv6 '1'
     option up '/home/user/up-command.sh'
