Attention is currently required from: flichtenheld, plaisthos.
Hello flichtenheld, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1280?usp=email
to look at the new patch set (#3).
Change subject: options: warn and ignore --reneg-bytes/pkts when DCO is enabled
......................................................................
options: warn and ignore --reneg-bytes/pkts when DCO is enabled
Thresholds specified by --reneg-bytes and --reneg-pkts cannot be
enforced when DCO is enabled, as it only provides global statistics.
Rather than adding complexity to support these options, ignore them when
DCO is enabled. Print a warning to inform users and update the manpage
accordingly.
Change-Id: I7b718a14b81e3759398e7a52fe151102494cc821
Signed-off-by: Ralf Lici <[email protected]>
---
M doc/man-sections/renegotiation.rst
M src/openvpn/options.c
2 files changed, 23 insertions(+), 4 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/80/1280/3
diff --git a/doc/man-sections/renegotiation.rst
b/doc/man-sections/renegotiation.rst
index 1e7c340..f5eb90d 100644
--- a/doc/man-sections/renegotiation.rst
+++ b/doc/man-sections/renegotiation.rst
@@ -19,10 +19,18 @@
the SWEET32 attack vector. For more information see the ``--cipher``
option.
+ When data channel offload (DCO) is enabled, this option is ignored. DCO
+ does not support configurable renegotiation thresholds; automatic key
+ renegotiation mechanisms are sufficient for modern ciphers.
+
--reneg-pkts n
Renegotiate data channel key after **n** packets sent and received
(disabled by default).
+ When data channel offload (DCO) is enabled, this option is ignored. DCO
+ does not support configurable renegotiation thresholds; automatic key
+ renegotiation mechanisms are sufficient for modern ciphers.
+
--reneg-sec args
Renegotiate data channel key after at most ``max`` seconds
(default :code:`3600`) and at least ``min`` seconds (default is 90% of
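Review bot: the explanation added to both entries in this hunk is less precise than the commit message: the manpage says "DCO does not support configurable renegotiation thresholds", while the commit message gives the actual constraint, that DCO only exposes global statistics, so per-key byte and packet counts cannot be tracked. Stating that reason here would save users from assuming the feature is merely unimplemented. The closing clause "automatic key renegotiation mechanisms are sufficient for modern ciphers" also names no mechanism; if time-based renegotiation (``--reneg-sec``, documented immediately below) still applies under DCO, say so explicitly, for example "Time-based renegotiation via ``--reneg-sec`` remains in effect", so the reader knows which protection they keep. Since the paragraph is identical for ``--reneg-bytes`` and ``--reneg-pkts``, one wording fix covers both.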
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 44f68c7..65c6b3b 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -3317,11 +3317,22 @@
dns_options_verify(M_FATAL, &o->dns_options);
- if (dco_enabled(o) && o->enable_c2c)
+ if (dco_enabled(o))
{
- msg(M_WARN, "Note: --client-to-client has no effect when using data "
- "channel offload: packets are always sent to the VPN "
- "interface and then routed based on the system routing
table");
+ if (o->enable_c2c)
+ {
+ msg(M_WARN, "Note: --client-to-client has no effect when using
data "
+ "channel offload: packets are always sent to the VPN "
+ "interface and then routed based on the system routing
table");
+ }
+
+ if (o->renegotiate_bytes > 0 || o->renegotiate_packets)
+ {
+ msg(M_WARN, "Note: '--reneg-bytes' and '--reneg-pkts' are not
supported "
+ "by data channel offload; automatic key renegotiation "
+ "mechanisms are sufficient for modern ciphers. "
+ "Ignoring these options.");
+ }
}
}
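Review bot: the new block only warns; nothing in this hunk clears `o->renegotiate_bytes` or `o->renegotiate_packets`, so the "Ignoring these options." in the message (and the "ignore" in the subject line) relies on the DCO code path never consulting those fields elsewhere. Either zero both fields directly after the `msg()` call so the ignore is enforced where it is announced, or state in the commit message where the values are already disregarded so a reader can verify the claim. Separately, the condition mixes `o->renegotiate_bytes > 0` with a bare `o->renegotiate_packets`; using the same form for both (`o->renegotiate_packets > 0`) makes the intent read identically and matches the style of the surrounding checks.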
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1280?usp=email
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I7b718a14b81e3759398e7a52fe151102494cc821
Gerrit-Change-Number: 1280
Gerrit-PatchSet: 3
Gerrit-Owner: ralf_lici <[email protected]>
Gerrit-Reviewer: flichtenheld <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>
Gerrit-Attention: flichtenheld <[email protected]>
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel