On 04-05-15 15:26, Jonathan K. Bullard wrote:
Perhaps it could go into OpenVPN 2.4 but not 2.3? As I understand it, 2.3 gets security and bug fixes, so many people probably don't test it as thoroughly as a new release; some probably won't test it at all -- those are the ones that you are presumably worried about. When 2.4 is released, most people will test it at least cursorily before deploying it. If extra parameters cause a failure, it will be immediately obvious and can be fixed easily. Although usually ignoring extra parameters would not cause security problems, to the extent they do, the concept of OpenVPN being "secure by default" is jeopardized by not causing an error. Something like ignoring a "--redirect-gateway def1" -- which would cause traffic to be "leaked" outside of the VPN -- could be considered a security risk.
That sounds reasonable to me. However, I tend to be easier in accepting (potentially) breaking changes than other community members. So I think it makes sense to put this on the agenda for the next IRC meeting. Iirc, the next one should be tomorrow at 20:00 CEST.
-Steffan