Attention is currently required from: flichtenheld, plaisthos.

Hello flichtenheld, plaisthos,

I'd like you to reexamine a change. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/1280?usp=email

to look at the new patch set (#2).


Change subject: options: warn and ignore --reneg-bytes/pkts when DCO is enabled
......................................................................

options: warn and ignore --reneg-bytes/pkts when DCO is enabled

The --reneg-bytes and --reneg-pkts options rely on per-key counters to
trigger key renegotiation. DCO, however, only provides global
statistics, making it incompatible with these options.

Rather than adding complexity to support legacy behavior, ignore these
options when DCO is enabled. Print a warning to inform users and update
the manpage accordingly.

Change-Id: I7b718a14b81e3759398e7a52fe151102494cc821
Signed-off-by: Ralf Lici <[email protected]>
---
M doc/man-sections/renegotiation.rst
M src/openvpn/options.c
2 files changed, 22 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/80/1280/2

diff --git a/doc/man-sections/renegotiation.rst 
b/doc/man-sections/renegotiation.rst
index 1e7c340..c689c6f 100644
--- a/doc/man-sections/renegotiation.rst
+++ b/doc/man-sections/renegotiation.rst
@@ -19,10 +19,18 @@
   the SWEET32 attack vector. For more information see the ``--cipher``
   option.

+  When data channel offload (DCO) is enabled, this option is ignored. DCO
+  does not support per-key renegotiation thresholds; automatic key
+  renegotiation mechanisms are preferred.
+
 --reneg-pkts n
   Renegotiate data channel key after **n** packets sent and received
   (disabled by default).

+  When data channel offload (DCO) is enabled, this option is ignored. DCO
+  does not support per-key renegotiation thresholds; automatic key
+  renegotiation mechanisms are preferred.
+
 --reneg-sec args
   Renegotiate data channel key after at most ``max`` seconds
   (default :code:`3600`) and at least ``min`` seconds (default is 90% of
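Review bot: the two new paragraphs say "automatic key renegotiation mechanisms are preferred" without naming them, and since ``--reneg-sec`` is the option that remains in effect under DCO, the manpage should say so explicitly, e.g. "use ``--reneg-sec`` to control renegotiation when DCO is enabled". Also consider stating that a warning is printed at startup when either option is set with DCO, so the doc matches the behaviour the options.c change introduces.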
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 44f68c7..58c7760 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -3317,11 +3317,21 @@

     dns_options_verify(M_FATAL, &o->dns_options);

-    if (dco_enabled(o) && o->enable_c2c)
+    if (dco_enabled(o))
     {
-        msg(M_WARN, "Note: --client-to-client has no effect when using data "
-                    "channel offload: packets are always sent to the VPN "
-                    "interface and then routed based on the system routing 
table");
+        if (o->enable_c2c)
+        {
+            msg(M_WARN, "Note: --client-to-client has no effect when using 
data "
+                        "channel offload: packets are always sent to the VPN "
+                        "interface and then routed based on the system routing 
table");
+        }
+
+        if (o->renegotiate_bytes > 0 || o->renegotiate_packets)
+        {
+            msg(M_WARN, "Note: '--reneg-bytes' and '--reneg-pkts' are not 
supported "
+                        "by data channel offload; automatic key renegotiation "
+                        "mechanisms are preferred. Ignoring these options.");
+        }
     }
 }
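Review bot: the new block only warns; nothing in this hunk clears `o->renegotiate_bytes` or `o->renegotiate_packets`, so "Ignoring these options" holds only if no later code path consults them under DCO. Setting both to 0 right after the `msg()` call would make the ignore explicit rather than implicit. The condition is also inconsistent: `o->renegotiate_bytes > 0 || o->renegotiate_packets` compares one field against zero and tests the other for truthiness; use the same form for both. Finally, the manpage context in this change ties `--reneg-bytes` to the SWEET32 mitigation, so if `renegotiate_bytes` can be non-zero from an internal default rather than only from an explicit user option, this warning will fire for users who never set the option; please confirm that is intended.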


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1280?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings?usp=email

Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I7b718a14b81e3759398e7a52fe151102494cc821
Gerrit-Change-Number: 1280
Gerrit-PatchSet: 2
Gerrit-Owner: ralf_lici <[email protected]>
Gerrit-Reviewer: flichtenheld <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>
Gerrit-Attention: flichtenheld <[email protected]>
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
