[Openvpn-devel,7/7] add message about changing default values

Message ID 20210904095629.6273-8-a@unstable.cc
State Rejected
Series
  • change defaults and introduce compat-mode

Commit Message

Antonio Quartulli Sept. 4, 2021, 9:56 a.m.
With OpenVPN 2.6 there are a number of default settings that are changing
to more modern and safer values.

Some users may not be aware of that and may experience problematic
behaviours, especially when connecting to older peers.

Add warning at startup to notify users about the change.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
---
 src/openvpn/options.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Arne Schwabe Sept. 6, 2021, 1:25 p.m. | #1
Am 04.09.21 um 11:56 schrieb Antonio Quartulli:
> With OpenVPN 2.6 there are a number of default settings that are changing
> to more modern and safer values.
> 
> Some users may not be aware of that and may experience problematic
> behaviours, especially when connecting to older peers.
> 
> Add warning at startup to notify users about the change.
> 
> Signed-off-by: Arne Schwabe <arne@rfc2549.org>
> Signed-off-by: Antonio Quartulli <a@unstable.cc>
> ---
>  src/openvpn/options.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index 6f6eb73d..26eac836 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -3278,6 +3278,12 @@ options_postprocess_mutate(struct options *o)
>       * when using --pull
>       */
>      pre_connect_save(o);
> +
> +    /* Give a general warning at the end of initialisation that defaults
> +     * have changed */
> +    msg(M_WARN, "Note that modernisation of defaults in OpenVPN 2.6 limits "
> +                "compatibility with old versions. See Changes.rst and "
> +                "--compat-mode in the manual for details.");
>  }
>  
>  /*
> 
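Review bot: the string passed to msg(M_WARN, ...) names no specific default and gives no way to tell whether the running configuration is affected; it only points at Changes.rst and --compat-mode. A message logged at warning level should describe a condition the operator can act on, so either name the affected settings in the text or log this general notice at a lower level such as M_INFO.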


Acked-By: Arne Schwabe <arne@rfc2549.org>
Gert Doering Sept. 13, 2021, 12:37 p.m. | #2
Hi,

On Sat, Sep 04, 2021 at 11:56:29AM +0200, Antonio Quartulli wrote:
> Add warning at startup to notify users about the change.
[..]
> +    /* Give a general warning at the end of initialisation that defaults
> +     * have changed */
> +    msg(M_WARN, "Note that modernisation of defaults in OpenVPN 2.6 limits "
> +                "compatibility with old versions. See Changes.rst and "
> +                "--compat-mode in the manual for details.");
>  }

I have my doubts if this is a good way forward.

This warning will be printed on *every single startup* on OpenVPN now.

Is this useful?  Or will people just ignore it.  Like, "all of a sudden
my Tunnelblick shows some gibberish in red at me, but the VPN is working,
so let's just ignore all warnings now".

I can see that we want to tell users, but every single time, forever?

gert
Jonathan K. Bullard Sept. 13, 2021, 2:20 p.m. | #3
Hi,

On Mon, Sep 13, 2021 at 8:37 AM Gert Doering <gert@greenie.muc.de> wrote:
>
> Hi,
>
> On Sat, Sep 04, 2021 at 11:56:29AM +0200, Antonio Quartulli wrote:
> > Add warning at startup to notify users about the change.
> [..]
> > +    /* Give a general warning at the end of initialisation that defaults
> > +     * have changed */
> > +    msg(M_WARN, "Note that modernisation of defaults in OpenVPN 2.6 limits "
> > +                "compatibility with old versions. See Changes.rst and "
> > +                "--compat-mode in the manual for details.");
> >  }
>
> I have my doubts if this is a good way forward.
>
> This warning will be printed on *every single startup* on OpenVPN now.
>
> Is this useful?  Or will people just ignore it.  Like, "all of a sudden
> my Tunnelblick shows some gibberish in red at me, but the VPN is working,
> so let's just ignore all warnings now".

( Actually, Tunnelblick will show it in **yellow** : )

I don't think the warning will be very useful. Most Tunnelblick users
don't look at the log. Those who do usually ignore warnings. Those who
look at the log and don't ignore warnings often focus on ones which
sound scary but whose benefits usually outweigh the risks or ask why
the VPN works even though there are warnings. (Maybe there's less of a
distinction between warning and error in other languages than there is
in English? Or our translations aren't as clear about the
distinction?)

Tunnelblick warnings usually include a "do not warn about this again"
option, which the OpenVPN log can't include.
Selva Nair Sept. 13, 2021, 4:51 p.m. | #4
Hi

On Mon, Sep 13, 2021 at 10:22 AM Jonathan K. Bullard <jkbullard@gmail.com>
wrote:

> Hi,
>
> On Mon, Sep 13, 2021 at 8:37 AM Gert Doering <gert@greenie.muc.de> wrote:
> >
> > Hi,
> >
> > On Sat, Sep 04, 2021 at 11:56:29AM +0200, Antonio Quartulli wrote:
> > > Add warning at startup to notify users about the change.
> > [..]
> > > +    /* Give a general warning at the end of initialisation that
> defaults
> > > +     * have changed */
> > > +    msg(M_WARN, "Note that modernisation of defaults in OpenVPN 2.6
> limits "
> > > +                "compatibility with old versions. See Changes.rst and
> "
> > > +                "--compat-mode in the manual for details.");
> > >  }
> >
> > I have my doubts if this is a good way forward.
> >
> > This warning will be printed on *every single startup* on OpenVPN now.
> >
> > Is this useful?  Or will people just ignore it.  Like, "all of a sudden
> > my Tunnelblick shows some gibberish in red at me, but the VPN is working,
> > so let's just ignore all warnings now".
>
> ( Actually, Tunnelblick will show it in **yellow** : )
>
> I don't think the warning will be very useful. Most Tunnelblick users
> don't look at the log. Those who do usually ignore warnings. Those who
> look at the log and don't ignore warnings often focus on ones which
> sound scary but whose benefits usually outweigh the risks or ask why
> the VPN works even though there are warnings. (Maybe there's less of a
> distinction between warning and error in other languages than there is
> in English? Or our translations aren't as clear about the
> distinction?)
>

+1


>
> Tunnelblick warnings usually include a "do not warn about this again"
> option, which the OpenVPN log can't include.
>

OpenVPN-GUI for windows will show this in red (I find yellow too hard to
read on light backgrounds). Looks like we also will have to implement this
"do not show this again (or ever?)" feature.

Ideally, this warning should be targeted to cases like a mismatched option
is detected. But that may be hard. What about printing this only when an
"old" client connects (on server) or when an "old" server responds (on
client)? Where "old" = 2.5 or older?

Selva
Antonio Quartulli Sept. 13, 2021, 7:23 p.m. | #5
Hi,

On 13/09/2021 18:51, Selva Nair wrote:
> Hi
> 
> On Mon, Sep 13, 2021 at 10:22 AM Jonathan K. Bullard
> <jkbullard@gmail.com <mailto:jkbullard@gmail.com>> wrote:
> 
>     Hi,
> 
>     On Mon, Sep 13, 2021 at 8:37 AM Gert Doering <gert@greenie.muc.de
>     <mailto:gert@greenie.muc.de>> wrote:
>     >
>     > Hi,
>     >
>     > On Sat, Sep 04, 2021 at 11:56:29AM +0200, Antonio Quartulli wrote:
>     > > Add warning at startup to notify users about the change.
>     > [..]
>     > > +    /* Give a general warning at the end of initialisation that
>     defaults
>     > > +     * have changed */
>     > > +    msg(M_WARN, "Note that modernisation of defaults in OpenVPN
>     2.6 limits "
>     > > +                "compatibility with old versions. See
>     Changes.rst and "
>     > > +                "--compat-mode in the manual for details.");
>     > >  }
>     >
>     > I have my doubts if this is a good way forward.
>     >
>     > This warning will be printed on *every single startup* on OpenVPN now.
>     >
>     > Is this useful?  Or will people just ignore it.  Like, "all of a
>     sudden
>     > my Tunnelblick shows some gibberish in red at me, but the VPN is
>     working,
>     > so let's just ignore all warnings now".
> 
>     ( Actually, Tunnelblick will show it in **yellow** : )
> 
>     I don't think the warning will be very useful. Most Tunnelblick users
>     don't look at the log. Those who do usually ignore warnings. Those who
>     look at the log and don't ignore warnings often focus on ones which
>     sound scary but whose benefits usually outweigh the risks or ask why
>     the VPN works even though there are warnings. (Maybe there's less of a
>     distinction between warning and error in other languages than there is
>     in English? Or our translations aren't as clear about the
>     distinction?)
> 
> 
> +1
>  
> 
> 
>     Tunnelblick warnings usually include a "do not warn about this again"
>     option, which the OpenVPN log can't include.
> 
>  
> OpenVPN-GUI for windows will show this in red (I find yellow too hard to
> read on light backgrounds). Looks like we also will have to implement
> this "do not show this again (or ever?)" feature.
> 
> Ideally, this warning should be targeted to cases like a mismatched
> option is detected. But that may be hard. What about printing this only
> when an "old" client connects (on server) or when an "old" server
> responds (on client)? Where "old" = 2.5 or older?
> 

IMHO this warning should just not be added.
It creates noise and confusion.

On top of that, we will need an even longer discussion to figure out
when to remove it, even though we know it is not really benefiting users.

I vote for just dropping this patch.
If somebody feels we should find a smarter way to warn the user about
possibly mismatching settings due to new default, then a new patch can
be sent after this patchset is already in.

my 2 cents.

Cheers,
Selva Nair Sept. 13, 2021, 11:28 p.m. | #6
Hi

On Mon, Sep 13, 2021 at 3:23 PM Antonio Quartulli <a@unstable.cc> wrote:

> Hi,
>
> On 13/09/2021 18:51, Selva Nair wrote:
> > Hi
> >
> > On Mon, Sep 13, 2021 at 10:22 AM Jonathan K. Bullard
> > <jkbullard@gmail.com <mailto:jkbullard@gmail.com>> wrote:
> >
> >     Hi,
> >
> >     On Mon, Sep 13, 2021 at 8:37 AM Gert Doering <gert@greenie.muc.de
> >     <mailto:gert@greenie.muc.de>> wrote:
> >     >
> >     > Hi,
> >     >
> >     > On Sat, Sep 04, 2021 at 11:56:29AM +0200, Antonio Quartulli wrote:
> >     > > Add warning at startup to notify users about the change.
> >     > [..]
> >     > > +    /* Give a general warning at the end of initialisation that
> >     defaults
> >     > > +     * have changed */
> >     > > +    msg(M_WARN, "Note that modernisation of defaults in OpenVPN
> >     2.6 limits "
> >     > > +                "compatibility with old versions. See
> >     Changes.rst and "
> >     > > +                "--compat-mode in the manual for details.");
> >     > >  }
> >     >
> >     > I have my doubts if this is a good way forward.
> >     >
> >     > This warning will be printed on *every single startup* on OpenVPN
> now.
> >     >
> >     > Is this useful?  Or will people just ignore it.  Like, "all of a
> >     sudden
> >     > my Tunnelblick shows some gibberish in red at me, but the VPN is
> >     working,
> >     > so let's just ignore all warnings now".
> >
> >     ( Actually, Tunnelblick will show it in **yellow** : )
> >
> >     I don't think the warning will be very useful. Most Tunnelblick users
> >     don't look at the log. Those who do usually ignore warnings. Those
> who
> >     look at the log and don't ignore warnings often focus on ones which
> >     sound scary but whose benefits usually outweigh the risks or ask why
> >     the VPN works even though there are warnings. (Maybe there's less of
> a
> >     distinction between warning and error in other languages than there
> is
> >     in English? Or our translations aren't as clear about the
> >     distinction?)
> >
> >
> > +1
> >
> >
> >
> >     Tunnelblick warnings usually include a "do not warn about this again"
> >     option, which the OpenVPN log can't include.
> >
> >
> > OpenVPN-GUI for windows will show this in red (I find yellow too hard to
> > read on light backgrounds). Looks like we also will have to implement
> > this "do not show this again (or ever?)" feature.
> >
> > Ideally, this warning should be targeted to cases like a mismatched
> > option is detected. But that may be hard. What about printing this only
> > when an "old" client connects (on server) or when an "old" server
> > responds (on client)? Where "old" = 2.5 or older?
> >
>
> IMHO this warning should just not be added.
> It creates noise and confusion.
>
> On top of that, we will need an even longer discussion to figure out
> when to remove it, even though we know it is not really benefiting users.
>
> I vote for just dropping this patch.


+1 to that. My "targeted warnings" comment was meant as a soft way of
saying please drop this.. That said, had not Gert picked this up, I
wouldn't have noticed until the GUI started showing red lines in the logs...

Cheers,

Selva

Patch

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 6f6eb73d..26eac836 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -3278,6 +3278,12 @@  options_postprocess_mutate(struct options *o)
      * when using --pull
      */
     pre_connect_save(o);
+
+    /* Give a general warning at the end of initialisation that defaults
+     * have changed */
+    msg(M_WARN, "Note that modernisation of defaults in OpenVPN 2.6 limits "
+                "compatibility with old versions. See Changes.rst and "
+                "--compat-mode in the manual for details.");
 }
 
 /*
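Review bot: the msg(M_WARN, ...) call placed after pre_connect_save(o) at the end of options_postprocess_mutate() has no condition around it, so it is logged on every start-up whether or not a changed default matters for this configuration. Guard it, for example by skipping it when --compat-mode is set in the options, or move the message to the point where an incompatibility with the peer is actually detected, so that the warning level stays meaningful to people reading the log.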