[fix] Convert parameter tls_cipher to a list #349

okraits · okraits · commit a36757a42150 · 2026-01-30T17:02:13.000+01:00
Fixes #349 Signed-off-by: Oliver Kraitschy <ok@dev.tdt.de>
diff --git a/netjsonconfig/backends/openwrt/converters/openvpn.py b/netjsonconfig/backends/openwrt/converters/openvpn.py
@@ -15,6 +15,12 @@ def __intermediate_vpn(self, vpn):
                 "enabled": not vpn.pop("disabled", False),
             }
         )
+        if (ciphers := vpn.get("tls_cipher")) and isinstance(ciphers, str):
+            vpn["tls_cipher"] = []
+            # only add non empty strings
+            for part in ciphers.split(":"):
+                if part:
+                    vpn["tls_cipher"].append(part)
         return super().__intermediate_vpn(vpn, remove=[""])
 
     def __netjson_vpn(self, vpn):
@@ -24,4 +30,6 @@ def __netjson_vpn(self, vpn):
         vpn["disabled"] = vpn.pop("enabled", "0") == "0"
         vpn["name"] = vpn.pop(".name")
         del vpn[".type"]
+        if (ciphers := vpn.get("tls_cipher")) and isinstance(ciphers, list) and ciphers:
+            vpn["tls_cipher"] = ":".join(ciphers)
         return super().__netjson_vpn(vpn)
diff --git a/tests/openvpn/test_backend.py b/tests/openvpn/test_backend.py
@@ -257,6 +257,11 @@ def test_client_mode(self):
                         "status_version": 1,
                         "tls_client": True,
                         "tls_auth": "tls_auth.key 1",
+                        "tls_cipher": (
+                            "TLS-DHE-RSA-WITH-AES-256-CBC-SHA:"
+                            "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA:"
+                            "@SECLEVEL=0"
+                        ),
                         "topology": "p2p",
                         "tun_ipv6": True,
                         "up": "/home/user/up-command.sh",
@@ -302,6 +307,7 @@ def test_client_mode(self):
 status /var/log/openvpn.status 30
 status-version 1
 tls-auth tls_auth.key 1
+tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA:@SECLEVEL=0
 tls-client
 topology p2p
 tun-ipv6
diff --git a/tests/openvpn/test_parser.py b/tests/openvpn/test_parser.py
@@ -74,6 +74,7 @@ def test_parse_server(self):
 script-security 0
 status /var/log/openvpn.status 10
 status-version 1
+tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA:@SECLEVEL=0
 tls-server
 user nobody
 verb 3
@@ -110,6 +111,11 @@ def test_parse_server(self):
                     "script_security": 0,
                     "status": "/var/log/openvpn.status 10",
                     "status_version": 1,
+                    "tls_cipher": (
+                        "TLS-DHE-RSA-WITH-AES-256-CBC-SHA:"
+                        "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA:"
+                        "@SECLEVEL=0"
+                    ),
                     "tls_server": True,
                     "user": "nobody",
                     "verb": 3,
diff --git a/tests/openwrt/test_openvpn.py b/tests/openwrt/test_openvpn.py
@@ -211,6 +211,11 @@ def test_parse_server_mode_data_ciphers(self):
                 "script_security": 1,
                 "status": "/var/log/openvpn.status 30",
                 "status_version": 1,
+                "tls_cipher": (
+                    "TLS-DHE-RSA-WITH-AES-256-CBC-SHA:"
+                    "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA:"
+                    "@SECLEVEL=0"
+                ),
                 "tls_client": True,
                 "tun_ipv6": True,
                 "up": "/home/user/up-command.sh",
@@ -254,6 +259,9 @@ def test_parse_server_mode_data_ciphers(self):
     option script_security '1'
     option status '/var/log/openvpn.status 30'
     option status_version '1'
+    list tls_cipher 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
+    list tls_cipher 'TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA'
+    list tls_cipher '@SECLEVEL=0'
     option tls_client '1'
     option tun_ipv6 '1'
     option up '/home/user/up-command.sh'
