We discussed this at length on IRC, and v3 is the result of that - our
handling of AEAD ciphers, both in kernel space and in userland, is
different from "old ciphers" because we auto-honour the given safety
limits for AES key use. Since the kernel only does AEAD, no interface
was made to send other arbitrary reneg-limits - and thus, we just ignore
them in DCO mode.

The new thing in this patch is "OpenVPN will tell you", and so does the
documentation. v1 went for "turn off DCO if this option is used", which
was the wrong thing to do, given the abundance of openvpn configs with
stale cruft in them... but, we tell users :-)

Your patch has been applied to the master branch.

commit c9a320649bd4ec43d3f2640f70476178d8fcc660
Author: Ralf Lici
Date:   Fri Oct 17 21:16:06 2025 +0200

     options: warn and ignore --reneg-bytes/pkts when DCO is enabled

     Signed-off-by: Ralf Lici <[email protected]>
     Acked-by: Gert Doering <[email protected]>
     Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1280
     Message-Id: <[email protected]>
     URL: https://sourceforge.net/p/openvpn/mailman/message/59248122/
     Signed-off-by: Gert Doering <[email protected]>

--
kind regards,
Gert Doering