Hi, On 27-08-17 18:15, Gert van Dijk wrote: > If specified in a tls-client context, don't try to open the file as it's > not used. Worse even, if 'none' was specified to disable explicitly, it > complained that the file 'none' could not be found. > --- > src/openvpn/options.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/src/openvpn/options.c b/src/openvpn/options.c > index 1bbda027..536d6f3f 100644 > --- a/src/openvpn/options.c > +++ b/src/openvpn/options.c > @@ -3011,6 +3011,13 @@ options_postprocess_mutate(struct options *o) > o->dh_file = NULL; > } > } > + else if (o->dh_file) > + { > + /* DH file is only meaningful in a tls-server context. */ > + msg(M_WARN, "ignoring option 'dh' in tls-client mode, please only " > + "include this in your server configuration"); > + o->dh_file = NULL; > + } > > /* cipher negotiation (NCP) currently assumes --pull or --mode server */ > if (o->ncp_enabled >
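Review bot: the new `else if (o->dh_file)` branch warns for every non-NULL value, including the explicit `--dh none` that the commit message says users put into client configs to opt out; consider clearing silently when `o->dh_file` is the string `"none"` (mirroring the server-side handling just above, which ends with `o->dh_file = NULL;`) and emitting the `M_WARN` only when a real path was given, so an intentional opt-out is not reported as a misconfiguration. Also confirm that the outer `if` this `else` attaches to is the tls-server check, since its condition sits above the visible context and only the closing braces `} }` are shown. The split string literal is fine as written because `"... please only "` keeps its trailing space.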
ACK. Ideally, we would have never accepted the --dh option for clients. But since we for some reason did, I agree that warning and explicitly ignoring the option is the best approach (because it will not break existing client configs that do have the --dh option in there). But: Gert is a colleague of mine at Fox-IT, so it would be good to have some non-Fox eyes look at this patch too.

-Steffan

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel