diff --git a/doc/man-sections/renegotiation.rst b/doc/man-sections/renegotiation.rst index 1e7c340..f5eb90d 100644 --- a/doc/man-sections/renegotiation.rst +++ b/doc/man-sections/renegotiation.rst @@ -19,10 +19,18 @@ the SWEET32 attack vector. For more information see the ``--cipher`` option. + When data channel offload (DCO) is enabled, this option is ignored. DCO + does not support configurable renegotiation thresholds; automatic key + renegotiation mechanisms are sufficient for modern ciphers. + --reneg-pkts n Renegotiate data channel key after **n** packets sent and received (disabled by default). + When data channel offload (DCO) is enabled, this option is ignored. DCO + does not support configurable renegotiation thresholds; automatic key + renegotiation mechanisms are sufficient for modern ciphers. + --reneg-sec args Renegotiate data channel key after at most ``max`` seconds (default :code:`3600`) and at least ``min`` seconds (default is 90% of diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 44f68c7..65c6b3b 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3317,11 +3317,22 @@ dns_options_verify(M_FATAL, &o->dns_options); - if (dco_enabled(o) && o->enable_c2c) + if (dco_enabled(o)) { - msg(M_WARN, "Note: --client-to-client has no effect when using data " - "channel offload: packets are always sent to the VPN " - "interface and then routed based on the system routing table"); + if (o->enable_c2c) + { + msg(M_WARN, "Note: --client-to-client has no effect when using data " + "channel offload: packets are always sent to the VPN " + "interface and then routed based on the system routing table"); + } + + if (o->renegotiate_bytes > 0 || o->renegotiate_packets) + { + msg(M_WARN, "Note: '--reneg-bytes' and '--reneg-pkts' are not supported " + "by data channel offload; automatic key renegotiation " + "mechanisms are sufficient for modern ciphers. " + "Ignoring these options."); + } } }