diff mbox series

[Openvpn-devel] Disable DCO when TLS mode is not used

Message ID	20221210134427.1433419-1-arne@rfc2549.org
State	Accepted
Headers	Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; From: Arne Schwabe <arne@rfc2549.org> To: openvpn-devel@lists.sourceforge.net Date: Sat, 10 Dec 2022 14:44:27 +0100 Message-Id: <20221210134427.1433419-1-arne@rfc2549.org> MIME-Version: 1.0 preview: This disables DCO in both --secret mode and when no encryption/TLS is used. Also aligns the message with the deprecation warning we have in place. Signed-off-by: Arne Schwabe <arne@rfc2549.org> --- src/openvpn/dco.c \| 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different Subject: [Openvpn-devel] [PATCH] Disable DCO when TLS mode is not used Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox
Series	[Openvpn-devel] Disable DCO when TLS mode is not used \| [Openvpn-devel] Disable DCO when TLS mode is not used

Commit Message

Arne Schwabe Dec. 10, 2022, 1:44 p.m. UTC

  This disables DCO in both --secret mode and when no encryption/TLS is
used. Also aligns the message with the deprecation warning we have in
place.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/dco.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Gert Doering Dec. 12, 2022, 8:32 a.m. UTC | #1

Acked-by: Gert Doering <gert@greenie.muc.de>

Yeah, thanks :-) (tested on the "p2p --secret" server, still does the
right thing.  Have no "no secrets at all" setup, but from stare-at-code
I see no reason why this wouldn't work as well)

Dec 12 09:29:15 ubuntu2004 tun-udp-p2p[1272956]: No tls-client or tls-server option in configuration detected. Disabling data channel offload.
Dec 12 09:29:15 ubuntu2004 tun-udp-p2p[1272956]: DEPRECATION: No tls-client or tls-server option in configuration detected. OpenVPN 2.7 will remove the functionality to run a VPN without TLS. See the examples section in the manual page for examples of a similar quick setup with peer-fingerprint.
..
Dec 12 09:29:15 ubuntu2004 tun-udp-p2p[1272957]: TUN/TAP device tun5 opened


Your patch has been applied to the master and release/2.6 branch.

commit a666668f064c7ff57cdebb3afceb72e1263a3ba9 (master)
commit 9b277f426c7d295c8f354496e8e226fc26ff7b1c (release/2.6)
Author: Arne Schwabe
Date:   Sat Dec 10 14:44:27 2022 +0100

     Disable DCO when TLS mode is not used

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20221210134427.1433419-1-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25641.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Antonio Quartulli Dec. 12, 2022, 8:46 p.m. UTC | #2

Hi,

On 12/12/2022 09:32, Gert Doering wrote:
> Acked-by: Gert Doering <gert@greenie.muc.de>
> 
> Yeah, thanks :-) (tested on the "p2p --secret" server, still does the
> right thing.  Have no "no secrets at all" setup, but from stare-at-code
> I see no reason why this wouldn't work as well)

I know I am late to the party - but still wanted to give my virtual ACK

Acked-by: Antonio Quartulli <a@unstable.cc>

Thanks for cleaning after my half baked fix!

Cheers,

diff mbox series

Patch

diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 6358d53f9..5cce3f641 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -275,9 +275,10 @@  dco_check_startup_option(int msglevel, const struct options *o)
         return false;
     }
 
-    if (o->shared_secret_file)
+    if (!o->tls_client && !o->tls_server)
     {
-        msg(msglevel, "--secret is set. Disabling data channel offload");
+        msg(msglevel, "No tls-client or tls-server option in configuration "
+            "detected. Disabling data channel offload.");
         return false;
     }