On 04.09.21 at 11:56, Antonio Quartulli wrote:
> The new condition is equivalent to the old one, but easier to grasp.
>
> Also add message to inform user that cipher negotiation, in this case,
> is indeed disabled.
>
> Signed-off-by: Arne Schwabe <a...@rfc2549.org>
> Signed-off-by: Antonio Quartulli <a...@unstable.cc>
> --- > src/openvpn/options.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/src/openvpn/options.c b/src/openvpn/options.c > index 00ba6044..0d6b85cf 100644 > --- a/src/openvpn/options.c > +++ b/src/openvpn/options.c > @@ -3076,8 +3076,12 @@ options_postprocess_verify(const struct options *o) > static void > options_postprocess_cipher(struct options *o) > { > - if (!o->pull && !(o->mode == MODE_SERVER)) > + if (!o->tls_server && !o->tls_client) > { > + /* we are in the classic P2P mode */ > + msg(M_WARN, "Cipher negotiation is disabled since TLS " > + "mode is not enabled"); > + > /* If the cipher is not set, use the old default of BF-CBC. We will > * warn that this is deprecated on cipher initialisation, no need > * to warn here as well */ >
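
Review bot: The replaced `if` condition in options_postprocess_cipher() tests different option fields than the old one (`o->tls_server` and `o->tls_client` instead of `o->pull` and `o->mode`), so the commit message's claim that the two conditions are equivalent cannot be confirmed from this hunk. If the options allow TLS to be enabled while `pull` is unset and the mode is not `MODE_SERVER`, such a configuration took this branch before and no longer does. If that behaviour change is intended, the commit message should state it instead of calling the conditions equivalent; otherwise it should name the invariant that ties the old fields to the new ones. The added comment `/* we are in the classic P2P mode */` would also be more precise if it said what the condition checks, namely that neither TLS role is set, which is what the new warning text already says.
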
Yes. Makes sense. The change makes it a lot more clear. I think it is actually not equivalent but the new one is definitively the correct one.

Acked-By: Arne Schwabe <a...@rfc2549.org>

Arne

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel