https://bugs.gentoo.org/909361
https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/commit/a790374f4c2e9e1657cbb8470357d72d4bd87916

From a790374f4c2e9e1657cbb8470357d72d4bd87916 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Mon, 28 Nov 2022 17:31:38 +0100
Subject: [PATCH] Revert "service: automatically add the "cipher" to the
 "data-ciphers""

`--data-ciphers` has a default value of `AES-256-GCM:AES-128-GCM`. If
we overwrite it with the value of `--cipher` we are diverging from
openvpn behavior and this can cause authentication problems.

https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/issues/112

This reverts commit 020ab0c4b872fa5415ed1a5e682acb3343c7b9f3.
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -1676,22 +1676,6 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
 
 	args_add_vpn_data (args, s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, "--data-ciphers");
 
-	if (nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_CIPHER) &&
-	    !nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS) &&
-	    openvpn_binary_detect_version_cached (openvpn_binary, &openvpn_binary_version) >=
-	        nmovpn_version_encode (2, 5, 0)) {
-		/* Since 2.5, openvpn will warn if "cipher" is set but "data-ciphers" doesn't
-		 * contain the cipher. It still used to automatically add the cipher.
-		 * Since 2.6, the cipher is no longer automatically added, which is unlikely
-		 * what the user wants.
-		 *
-		 * We automatically add it, so if the user only sets cipher (e.g. when
-		 * having an old profile or targeting 2.4) it still works. So ciphers
-		 * means something slightly different for the plugin, unless you set
-		 * data-ciphers to anything. */
-		args_add_vpn_data (args, s_vpn, NM_OPENVPN_KEY_CIPHER, "--data-ciphers");
-	}
-
 	args_add_vpn_data (args, s_vpn, NM_OPENVPN_KEY_TLS_CIPHER, "--tls-cipher");
 
 	tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_KEYSIZE);
-- 
GitLab