Message ID | 20221210134427.1433419-1-arne@rfc2549.org |
---|---|
State | Accepted |
Series | [Openvpn-devel] Disable DCO when TLS mode is not used |
Acked-by: Gert Doering <gert@greenie.muc.de>

Yeah, thanks :-) (tested on the "p2p --secret" server, still does the right thing. Have no "no secrets at all" setup, but from stare-at-code I see no reason why this wouldn't work as well)

Dec 12 09:29:15 ubuntu2004 tun-udp-p2p[1272956]: No tls-client or tls-server option in configuration detected. Disabling data channel offload.
Dec 12 09:29:15 ubuntu2004 tun-udp-p2p[1272956]: DEPRECATION: No tls-client or tls-server option in configuration detected. OpenVPN 2.7 will remove the functionality to run a VPN without TLS. See the examples section in the manual page for examples of a similar quick setup with peer-fingerprint.
..
Dec 12 09:29:15 ubuntu2004 tun-udp-p2p[1272957]: TUN/TAP device tun5 opened

Your patch has been applied to the master and release/2.6 branch.

commit a666668f064c7ff57cdebb3afceb72e1263a3ba9 (master)
commit 9b277f426c7d295c8f354496e8e226fc26ff7b1c (release/2.6)
Author: Arne Schwabe
Date:   Sat Dec 10 14:44:27 2022 +0100

     Disable DCO when TLS mode is not used

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20221210134427.1433419-1-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25641.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
Hi,

On 12/12/2022 09:32, Gert Doering wrote:
> Acked-by: Gert Doering <gert@greenie.muc.de>
>
> Yeah, thanks :-) (tested on the "p2p --secret" server, still does the
> right thing. Have no "no secrets at all" setup, but from stare-at-code
> I see no reason why this wouldn't work as well)

I know I am late to the party - but still wanted to give my virtual ACK

Acked-by: Antonio Quartulli <a@unstable.cc>

Thanks for cleaning after my half baked fix!

Cheers,
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 6358d53f9..5cce3f641 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -275,9 +275,10 @@ dco_check_startup_option(int msglevel, const struct options *o) return false; } - if (o->shared_secret_file) + if (!o->tls_client && !o->tls_server) { - msg(msglevel, "--secret is set. Disabling data channel offload"); + msg(msglevel, "No tls-client or tls-server option in configuration " + "detected. Disabling data channel offload."); return false; }
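Review bot: The new test `!o->tls_client && !o->tls_server` in dco_check_startup_option() is only right if both fields already hold their final values when this function runs, so please confirm that every option implying TLS mode has been folded into tls_client/tls_server before this check; otherwise a TLS configuration would silently lose DCO here. The condition no longer names shared_secret_file, so a one-line comment above the `if` saying that it covers both --secret and setups with no TLS at all would help the next reader. The new message also drops the leading "--" that the removed "--secret is set" message used for option names; if that is deliberate to match the deprecation warning, fine, but it is worth keeping the two strings in sync from one place.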
This disables DCO in both --secret mode and when no encryption/TLS is used. Also aligns the message with the deprecation warning we have in place.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/dco.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)