From patchwork Fri Oct 17 19:16:06 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4513
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 17 Oct 2025 21:16:06 +0200
Message-ID: <20251017191612.15642-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.49.1
Subject: [Openvpn-devel] [PATCH v3] options: warn and ignore --reneg-bytes/pkts when DCO is enabled

From: Ralf Lici

Thresholds specified by --reneg-bytes and --reneg-pkts cannot be enforced when DCO is enabled, as it only provides global statistics. Rather than adding complexity to support these options, ignore them when DCO is enabled. Print a warning to inform users and update the manpage accordingly.

Change-Id: I7b718a14b81e3759398e7a52fe151102494cc821
Signed-off-by: Ralf Lici
Acked-by: Gert Doering
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1280
---
This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1280
This mail reflects revision 3 of this Change.

Acked-by according to Gerrit (reflected above): Gert Doering

diff --git a/doc/man-sections/renegotiation.rst b/doc/man-sections/renegotiation.rst index 1e7c340..f5eb90d 100644 --- a/doc/man-sections/renegotiation.rst +++ b/doc/man-sections/renegotiation.rst
@@ -19,10 +19,18 @@ the SWEET32 attack vector. For more information see the ``--cipher`` option. + When data channel offload (DCO) is enabled, this option is ignored. DCO + does not support configurable renegotiation thresholds; automatic key + renegotiation mechanisms are sufficient for modern ciphers. + --reneg-pkts n Renegotiate data channel key after **n** packets sent and received (disabled by default). + When data channel offload (DCO) is enabled, this option is ignored. DCO + does not support configurable renegotiation thresholds; automatic key + renegotiation mechanisms are sufficient for modern ciphers. + --reneg-sec args Renegotiate data channel key after at most ``max`` seconds (default :code:`3600`) and at least ``min`` seconds (default is 90% of diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 44f68c7..65c6b3b 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3317,11 +3317,22 @@ dns_options_verify(M_FATAL, &o->dns_options); - if (dco_enabled(o) && o->enable_c2c) + if (dco_enabled(o)) { - msg(M_WARN, "Note: --client-to-client has no effect when using data " - "channel offload: packets are always sent to the VPN " - "interface and then routed based on the system routing table"); + if (o->enable_c2c) + { + msg(M_WARN, "Note: --client-to-client has no effect when using data " + "channel offload: packets are always sent to the VPN " + "interface and then routed based on the system routing table"); + } + + if (o->renegotiate_bytes > 0 || o->renegotiate_packets) + { + msg(M_WARN, "Note: '--reneg-bytes' and '--reneg-pkts' are not supported " + "by data channel offload; automatic key renegotiation " + "mechanisms are sufficient for modern ciphers. " + "Ignoring these options."); + } } }
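Review bot: in the renegotiation.rst hunk, the rationale given in the two added manpage paragraphs ("automatic key renegotiation mechanisms are sufficient for modern ciphers") differs from the reason in the commit message, which is that DCO only exposes global traffic statistics, so per-key byte and packet thresholds cannot be enforced. Stating that reason in the manpage would tell an operator that the limit is a DCO accounting limitation rather than a policy judgement, and, if time-based renegotiation (``--reneg-sec``, shown as context just below) continues to apply under DCO, saying so would answer the obvious follow-up question of whether any renegotiation threshold remains configurable. The paragraph is also duplicated verbatim under ``--reneg-bytes`` and ``--reneg-pkts``; a cross-reference from the second option to the first would keep the two copies from drifting.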
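Review bot: in the options.c hunk, the new warning ends with "Ignoring these options.", but the branch only logs; it does not reset o->renegotiate_bytes or o->renegotiate_packets, so whether the options are really ignored depends on no DCO code path ever reading those fields. If that holds, a short comment in this branch saying so would help the next reader; if it does not, clear both fields here so the logged behaviour and the effective behaviour cannot diverge. Minor: the condition compares renegotiate_bytes with `> 0` but tests renegotiate_packets as a bare truth value; if the `> 0` is deliberate because renegotiate_bytes can hold a non-zero default sentinel, a comment would make that explicit, and otherwise the same form for both reads more clearly.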