| Message ID | 20251017191612.15642-1-gert@greenie.muc.de |
|---|---|
| State | New |
| Series | [Openvpn-devel,v3] options: warn and ignore --reneg-bytes/pkts when DCO is enabled |
We discussed this at length on IRC, and v3 is the result of that - our
handling of AEAD ciphers, both in kernel space and in userland, is
different from "old ciphers" because we auto-honour the given safety
limits for AES key use. Since the kernel only does AEAD, no interface
was made to send other arbitrary reneg-limits - and thus, we just ignore
them in DCO mode.
The new thing in this patch is "OpenVPN will tell you", and so does the
documentation. v1 went for "turn off DCO if this option is used", which
was the wrong thing to do, given the abundance of openvpn config with
stale cruft in them... but, we tell users :-)
Your patch has been applied to the master branch.
commit c9a320649bd4ec43d3f2640f70476178d8fcc660
Author: Ralf Lici
Date: Fri Oct 17 21:16:06 2025 +0200
options: warn and ignore --reneg-bytes/pkts when DCO is enabled
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1280
Message-Id: <20251017191612.15642-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59248122/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--
kind regards,
Gert Doering
diff --git a/doc/man-sections/renegotiation.rst b/doc/man-sections/renegotiation.rst index 1e7c340..f5eb90d 100644 --- a/doc/man-sections/renegotiation.rst +++ b/doc/man-sections/renegotiation.rst @@ -19,10 +19,18 @@ the SWEET32 attack vector. For more information see the ``--cipher`` option. + When data channel offload (DCO) is enabled, this option is ignored. DCO + does not support configurable renegotiation thresholds; automatic key + renegotiation mechanisms are sufficient for modern ciphers. + --reneg-pkts n Renegotiate data channel key after **n** packets sent and received (disabled by default). + When data channel offload (DCO) is enabled, this option is ignored. DCO + does not support configurable renegotiation thresholds; automatic key + renegotiation mechanisms are sufficient for modern ciphers. + --reneg-sec args Renegotiate data channel key after at most ``max`` seconds (default :code:`3600`) and at least ``min`` seconds (default is 90% of diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 44f68c7..65c6b3b 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3317,11 +3317,22 @@ dns_options_verify(M_FATAL, &o->dns_options); - if (dco_enabled(o) && o->enable_c2c) + if (dco_enabled(o)) { - msg(M_WARN, "Note: --client-to-client has no effect when using data " - "channel offload: packets are always sent to the VPN " - "interface and then routed based on the system routing table"); + if (o->enable_c2c) + { + msg(M_WARN, "Note: --client-to-client has no effect when using data " + "channel offload: packets are always sent to the VPN " + "interface and then routed based on the system routing table"); + } + + if (o->renegotiate_bytes > 0 || o->renegotiate_packets) + { + msg(M_WARN, "Note: '--reneg-bytes' and '--reneg-pkts' are not supported " + "by data channel offload; automatic key renegotiation " + "mechanisms are sufficient for modern ciphers. " + "Ignoring these options."); + } } }
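Review bot: in the doc/man-sections/renegotiation.rst hunk, the two added paragraphs say the option "is ignored" but do not mention that OpenVPN logs a warning when it does so; since the options.c change emits one, adding "and a warning is logged" would tell users where to look. The justification "automatic key renegotiation mechanisms are sufficient for modern ciphers" is also vague as written; stating that DCO only supports AEAD ciphers, whose built-in key-usage limits already force renegotiation (the reasoning given in the cover text above), would make the rationale verifiable from the man page. The paragraph is duplicated verbatim under --reneg-bytes and --reneg-pkts; a single note with a cross-reference would keep the two from drifting apart.

Review bot: in the src/openvpn/options.c hunk, the new condition `if (o->renegotiate_bytes > 0 || o->renegotiate_packets)` tests the two fields differently (`> 0` versus plain truthiness); if that asymmetry is deliberate because `renegotiate_bytes` uses a negative value as "unset", a one-line comment would stop the next reader from "fixing" it, otherwise `> 0` on both would be consistent. The warning text ends with "Ignoring these options." but the hunk only warns: both fields stay set in `o`, so either clear `o->renegotiate_bytes` and `o->renegotiate_packets` here, or state in the commit message that the DCO code path never reads them, so the logged behaviour matches the actual one.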