This needed a bit of massaging for the Changes.rst hunk.  The rest
was straightforward.

The interaction of this with existing configs is interesting.

 - if the local config has "comp-lzo" or "compress <something>" in it,
   this will still work(!) - because the "allow-compress no" changed 
   default will only become active after the config is parsed
   (and the client will announce IV_LZO=1 to the server)

 - if the local config has *no* "comp-lzo" or "compress" statements,
   "allow-compress no" becomes active, and no IV_LZO/IV_LZ4 is sent
   to the server

 - if the local config has no compression setting but --compat-mode 2.3.0
   is set, we also announce IV_LZO/IV_LZ4 to the server

So the compat bit and changed default work, it is only "not active yet"
when reading the local config.  OTOH, users are free to put stuff into
their local config, including "allow-compression yes", to override the
new defaults - so I think this is okay, if properly understood.

Making the (possibly) changed "allow-compression" setting active already
when reading the config is a more intrusive change, as one would need to
recalculate defaults right upon hitting the "compat-mode" statement
(and the "compat-mode" statement would need to be *before* the "compress"
statement otherwise disallowed) - we could do that, but I'm not sure it's
worth it.  Definitely worth discussing.


One interesting side effect of the current code is that none of the 
t_client buildslaves break - because they all have "comp-lzo" in the
configs (for historic reasons, sorry...) and thus everything keeps
working :-) - need to modify these cases and add variants.


Your patch has been applied to the master branch.

commit 79367a3fde433d0660cc7122aa21c3c76ee6b2da
Author: Antonio Quartulli
Date:   Sat Sep 4 11:56:25 2021 +0200

     reject compression by default

     Signed-off-by: Arne Schwabe <a...@rfc2549.org>
     Signed-off-by: Antonio Quartulli <a...@unstable.cc>
     Acked-by: Arne Schwabe <a...@rfc2549.org>
     Message-Id: <20210904095629.6273-...@unstable.cc>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22797.html
     Signed-off-by: Gert Doering <g...@greenie.muc.de>


--
kind regards,

Gert Doering



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
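
The three config cases described in the message above, expressed as a small client-config audit. This is an added example, not part of the original e-mail and not OpenVPN's own code. The parser is simplified, the sample configs are constructed, and treating every compat-mode below 2.4.0 like the 2.3.0 case named in the message is an assumption.

```python
import re

COMPRESSION_DIRECTIVES = ("comp-lzo", "compress")
# Assumption: the message only names 2.3.0; any compat-mode below 2.4.0
# is treated the same way here.
COMPAT_THRESHOLD = (2, 4, 0)

def parse_directives(config_text):
    """Map directive name -> argument list (last occurrence wins).
    Simplified: no quoting rules, no inline <blocks>."""
    seen = {}
    for raw in config_text.splitlines():
        # Drop comments ('#' or ';'), then split into whitespace-separated words.
        words = re.split(r"[#;]", raw, maxsplit=1)[0].split()
        if words:
            seen[words[0].lstrip("-")] = words[1:]
    return seen

def classify(config_text):
    """Return (case, announces_compression) for the cases in the message.
    announces_compression is None when an explicit setting decides it."""
    opts = parse_directives(config_text)
    if "allow-compression" in opts:
        # Explicit local setting overrides the new default.
        return ("explicit-override", None)
    if any(d in opts for d in COMPRESSION_DIRECTIVES):
        # Case 1: compression is configured locally, so it is still announced.
        return ("compression-configured", True)
    version = (opts.get("compat-mode") or [""])[0]
    if re.fullmatch(r"\d+(\.\d+){0,2}", version):
        if tuple(int(p) for p in version.split(".")) < COMPAT_THRESHOLD:
            # Case 3: no compression setting, but compat-mode restores it.
            return ("compat-mode", True)
    # Case 2: nothing configured, the new "reject" default applies.
    return ("default-reject", False)

# Constructed sample client configs (hypothetical host name).
SAMPLES = {
    "legacy": "client\nremote vpn.example.net 1194\ncomp-lzo  # historic\n",
    "clean": "client\nremote vpn.example.net 1194\n",
    "compat": "client\n--compat-mode 2.3.0\n",
    "override": "client\nallow-compression yes\n",
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(f"{name:9s} -> {classify(cfg)}")
```

Running it over a directory of deployed client configs shows which ones would still announce compression after the default change.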