From d2077a6735c3ddfb5bf0535e15aaf7e3c84c7620 Mon Sep 17 00:00:00 2001
From: Oliver Kraitschy
Date: Fri, 31 Oct 2025 14:46:49 +0100
Subject: [PATCH] [fix] Convert parameter tls_cipher to a list #349

Fixes #349
Signed-off-by: Oliver Kraitschy
---
 netjsonconfig/backends/openwrt/converters/openvpn.py | 4 ++++
 tests/openvpn/test_backend.py | 2 ++
 tests/openvpn/test_parser.py | 2 ++
 tests/openwrt/test_openvpn.py | 2 ++
 4 files changed, 10 insertions(+)

diff --git a/netjsonconfig/backends/openwrt/converters/openvpn.py b/netjsonconfig/backends/openwrt/converters/openvpn.py
index 07d1a412e..3e0830515 100644
--- a/netjsonconfig/backends/openwrt/converters/openvpn.py
+++ b/netjsonconfig/backends/openwrt/converters/openvpn.py
@@ -15,6 +15,8 @@ def __intermediate_vpn(self, vpn):
 "enabled": not vpn.pop("disabled", False),
 }
 )
+ if (cipher := vpn.get("tls_cipher")) and isinstance(cipher, str):
+ vpn["tls_cipher"] = [cipher]
 return super().__intermediate_vpn(vpn, remove=[""])

 def __netjson_vpn(self, vpn):
@@ -24,4 +26,6 @@ def __netjson_vpn(self, vpn):
 vpn["disabled"] = vpn.pop("enabled", "0") == "0"
 vpn["name"] = vpn.pop(".name")
 del vpn[".type"]
+ if (cipher := vpn.get("tls_cipher")) and isinstance(cipher, list) and cipher:
+ vpn["tls_cipher"] = cipher[0]
 return super().__netjson_vpn(vpn)
diff --git a/tests/openvpn/test_backend.py b/tests/openvpn/test_backend.py
index 6500fa886..07669449b 100644
--- a/tests/openvpn/test_backend.py
+++ b/tests/openvpn/test_backend.py
@@ -257,6 +257,7 @@ def test_client_mode(self):
 "status_version": 1,
 "tls_client": True,
 "tls_auth": "tls_auth.key 1",
+ "tls_cipher": "TLS-DHE-RSA-WITH-AES-256-CBC-SHA:@SECLEVEL=0",
 "topology": "p2p",
 "tun_ipv6": True,
 "up": "/home/user/up-command.sh",
@@ -302,6 +303,7 @@ def test_client_mode(self):
 status /var/log/openvpn.status 30
 status-version 1
 tls-auth tls_auth.key 1
+tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:@SECLEVEL=0
 tls-client
 topology p2p
 tun-ipv6
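Review bot: The new `tls_cipher` branch in `__intermediate_vpn` (netjsonconfig/backends/openwrt/converters/openvpn.py) has no comment saying why this one option is wrapped in a list, and the reason cannot be read off the converter. I would add above it `# UCI renders tls_cipher as a "list" option (#349); the colon-separated string is kept as one entry`. The string is not split on `:`, so a trailing OpenSSL directive stays in the same entry as the cipher name; that looks intended, but it is worth stating. The function body starts outside the hunk.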
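Review bot: In `__netjson_vpn`, `cipher[0]` keeps only the first `list tls_cipher` entry, so a UCI config with several entries is parsed into a NetJSON object whose TLS cipher policy has been silently narrowed, and regenerating from it will not reproduce what is on the device. Assuming the entries are meant to be colon-joined, as OpenVPN's `tls-cipher` syntax is, the lossless inverse of the wrap done in `__intermediate_vpn` is `vpn["tls_cipher"] = ":".join(cipher)`. The trailing `and cipher` is redundant, because the walrus test has already rejected an empty list. The function body starts above the hunk.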
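Review bot: The fixture value added to `test_client_mode` in tests/openvpn/test_backend.py ends in `@SECLEVEL=0`, which asks OpenSSL to drop its minimum-strength checks. The same string is repeated in the expected output below and in the hunks of tests/openvpn/test_parser.py and tests/openwrt/test_openvpn.py. Test data tends to be copied into real configurations, so where the test does not depend on the directive I would use a value without it. If the `:`/`@` syntax is what is being exercised, say so next to the dict entry, for example `# SECLEVEL=0 only exercises the ':@' syntax, not a recommended setting`.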
diff --git a/tests/openvpn/test_parser.py b/tests/openvpn/test_parser.py
index 0140a0262..d053d73e7 100644
--- a/tests/openvpn/test_parser.py
+++ b/tests/openvpn/test_parser.py
@@ -74,6 +74,7 @@ def test_parse_server(self):
 script-security 0
 status /var/log/openvpn.status 10
 status-version 1
+tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:@SECLEVEL=0
 tls-server
 user nobody
 verb 3
@@ -110,6 +111,7 @@ def test_parse_server(self):
 "script_security": 0,
 "status": "/var/log/openvpn.status 10",
 "status_version": 1,
+ "tls_cipher": "TLS-DHE-RSA-WITH-AES-256-CBC-SHA:@SECLEVEL=0",
 "tls_server": True,
 "user": "nobody",
 "verb": 3,
diff --git a/tests/openwrt/test_openvpn.py b/tests/openwrt/test_openvpn.py
index ed1a6df41..0ef61346a 100644
--- a/tests/openwrt/test_openvpn.py
+++ b/tests/openwrt/test_openvpn.py
@@ -211,6 +211,7 @@ def test_parse_server_mode_data_ciphers(self):
 "script_security": 1,
 "status": "/var/log/openvpn.status 30",
 "status_version": 1,
+ "tls_cipher": "TLS-DHE-RSA-WITH-AES-256-CBC-SHA:@SECLEVEL=0",
 "tls_client": True,
 "tun_ipv6": True,
 "up": "/home/user/up-command.sh",
@@ -254,6 +255,7 @@ def test_parse_server_mode_data_ciphers(self):
 option script_security '1'
 option status '/var/log/openvpn.status 30'
 option status_version '1'
+ list tls_cipher 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA:@SECLEVEL=0'
 option tls_client '1'
 option tun_ipv6 '1'
 option up '/home/user/up-command.sh'
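Review bot: The OpenWrt test data in tests/openwrt/test_openvpn.py has exactly one `list tls_cipher` entry, so the converter's parse direction is never run against a config that carries more than one. I would add a parse case with two `list tls_cipher` lines and assert the NetJSON string expected for them, which pins down what happens to the additional entries instead of leaving it implicit. Both hunks here are excerpts of larger test data, so an existing multi-entry case elsewhere in the file cannot be ruled out from this view.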