Re: [Openvpn-devel] Confusing "mtu-dynamic" warnings
Ahh! Sorry about that. Scratch my patch! I didn't think about that this could be sent over the wire. But I'm not sure that a search/replace of "mtu-dynamic" on the warning string would solve it completely either; then something needs to be done with this part of the code instead:

options.c - line 3567

    #ifdef ENABLE_FRAGMENT
      else if (streq (p[0], "mtu-dynamic"))
        {
          VERIFY_PERMISSION (OPT_P_GENERAL);
          msg (msglevel, "--mtu-dynamic has been replaced by --fragment");
          goto err;
        }
      else if (streq (p[0], "fragment") && p[1])
        {
          VERIFY_PERMISSION (OPT_P_MTU);
          options->fragment = positive_atoi (p[1]);
        }
    #endif

Here we have a "goto err" if mtu-dynamic is used. But we want to allow it, because of backward compatibility ... so the code probably would need to be something like this:

    #ifdef ENABLE_FRAGMENT
      else if ((streq (p[0], "mtu-dynamic") || streq (p[0], "fragment")) && p[1])
        {
          VERIFY_PERMISSION (OPT_P_GENERAL);
          /* accept the legacy spelling, but warn about it */
          if (streq (p[0], "mtu-dynamic"))
            {
              msg (msglevel, "--mtu-dynamic has been replaced by --fragment");
            }

          VERIFY_PERMISSION (OPT_P_MTU);
          options->fragment = positive_atoi (p[1]);
        }
    #endif

This would then preserve backward compatibility and give a warning.

But if this option is no longer supported, and has been deprecated for over 5 years, that would mean OpenVPN 1.x-something ... wouldn't it be about time to upgrade the software package then? Such old software could just as well be a potential security breach.

Kind regards,

David S.

James Yonan wrote:

It's not so simple -- the "mtu-dynamic" string is passed across the network which means the patch below will break backward compatibility when one side of the connection is patched but the other side is not. In fact, that's the reason why the options consistency protocol still uses "mtu-dynamic" instead of "fragment". The solution that preserves backward compatibility is to continue using "mtu-dynamic", but do a search/replace of "mtu-dynamic" -> "fragment" on the warning string before it is output.

Actually if that's the worst bug you guys can find, we're probably ready to release 2.1 :)

James

David Sommerseth wrote:

I'm guessing the following patch would correct this

--- options.c.orig2008-09-08 08:32:05.0 +0200 +++ options.c2008-09-08 08:31:10.0 +0200 @@ -2236,7 +2236,7 @@ #ifdef ENABLE_FRAGMENT if (o->fragment) -buf_printf (&out, ",mtu-dynamic"); +buf_printf (&out, ",fragment"); #endif #ifdef USE_CRYPTO

Seems to me like it's just a typo when preparing the argument parsing.

kind regards,

David Sommerseth

Dave wrote:

..

Hi,

When making some inconsistency mistake with "--fragment" settings, I get an error message like:

WARNING: 'mtu-dynamic' is present in local config but missing in remote config, local='mtu-dynamic'

I guess this message has to be updated, as "--fragment" is meant to replace "--mtu-dynamic" AFAICS.

This is with 2.1_rc9.

...

Nice bug! --mtu-dynamic is an ancient option, it was dropped in version 1.5 about 5 years ago.

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
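Review bot: the replaced `buf_printf (&out, ",mtu-dynamic");` line under `if (o->fragment)` writes a token into the options string that, per James Yonan's reply in this thread, is passed across the network, so emitting `,fragment` there makes a patched peer and an unpatched peer disagree on the token even when both have --fragment set. Keep `,mtu-dynamic` at that line, add a comment next to it saying the legacy name is retained for wire compatibility, and apply the `mtu-dynamic` -> `fragment` rename only to the warning text before it is printed.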
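The approach James Yonan describes in the thread (keep `mtu-dynamic` as the token on the wire, rename it to `fragment` only in the warning text) is shown here as an added example; it is not OpenVPN's code. The options-string layout and the functions `build_options`, `has_token`, `display_name` and `check_token` are hypothetical, and the warning omits the `local=...` suffix seen in the report.

```c
#include <stdio.h>
#include <string.h>
/* Token kept on the wire so old and new peers still agree (per the thread). */
#define WIRE_FRAGMENT "mtu-dynamic"

/* Constructed, simplified options string; not OpenVPN's real format. */
static void build_options(int fragment, char *out, size_t n)
{
    snprintf(out, n, "V4,dev-type tun%s", fragment ? "," WIRE_FRAGMENT : "");
}

/* Return 1 if tok is a whole comma-delimited token of opts. */
static int has_token(const char *opts, const char *tok)
{
    size_t len = strlen(tok);
    for (const char *p = opts; *p; p += (*p == ',')) {
        size_t n = strcspn(p, ",");
        if (n == len && memcmp(p, tok, len) == 0)
            return 1;
        p += n;
    }
    return 0;
}

/* The rename happens only here, on the name shown to the user. */
static const char *display_name(const char *tok)
{
    return strcmp(tok, WIRE_FRAGMENT) == 0 ? "fragment" : tok;
}

/* Compare one token across peers; on mismatch fill warn and return 1. */
static int check_token(const char *local, const char *remote,
                       const char *tok, char *warn, size_t n)
{
    int l = has_token(local, tok), r = has_token(remote, tok);
    if (l == r)
        return 0;
    snprintf(warn, n, "WARNING: '%s' is present in %s config but missing in %s config",
             display_name(tok), l ? "local" : "remote", l ? "remote" : "local");
    return 1;
}

int main(void)
{
    char a[64], b[64], warn[160];
    build_options(1, a, sizeof a);  /* this peer has --fragment */
    build_options(0, b, sizeof b);  /* the other peer does not */
    if (check_token(a, b, WIRE_FRAGMENT, warn, sizeof warn)) puts(warn);
}
```

Both peers still exchange `mtu-dynamic`, so a peer built from this code and one that predates the rename compare equal; only the printed name differs.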