From patchwork Mon Nov 20 11:17:16 2023
X-Patchwork-Submitter: "cron2 (Code Review)"
X-Patchwork-Id: 3455
From: "plaisthos (Code Review)"
Date: Mon, 20 Nov 2023 11:17:16 +0000
To: flichtenheld
X-Gerrit-PatchSet: 1
X-Gerrit-MessageType: newchange
X-Gerrit-Change-Id: I93afff2372c4150d6bddc8c07fd4ebc8bfb0cc3e
X-Gerrit-Change-Number: 447
X-Gerrit-Project: openvpn
X-Gerrit-Commit: a2bb60174a85900c4671bee7ede0b77442d0e7ec
User-Agent: Gerrit/3.8.2
Subject: [Openvpn-devel] [XS] Change in openvpn[master]: Deprecate tls-exit option
Reply-To: arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com
Cc: openvpn-devel

Attention is currently required from: flichtenheld.

Hello flichtenheld,

I'd like you to do a code review. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/447?usp=email

to review the following change.

Change subject: Deprecate tls-exit option
......................................................................

Deprecate tls-exit option

This option is questionable and I cannot see any reason to actually use it.

Change-Id: I93afff2372c4150d6bddc8c07fd4ebc8bfb0cc3e
---
M Changes.rst
M doc/man-sections/tls-options.rst
M src/openvpn/options.c
3 files changed, 7 insertions(+), 2 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/47/447/1

diff --git a/Changes.rst b/Changes.rst index 3676dce..922f78d 100644 --- a/Changes.rst +++ b/Changes.rst @@ -10,6 +10,10 @@ ``--allow-deprecated-insecure-static-crypto`` but will be removed in OpenVPN 2.8. +```tls-exit``` has been deprecated since it is unclear what the use case + for this option is. If you have a valid use case, please reach out since + the will otherwise be removed in the future. + Overview of changes in 2.6 ========================== diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index 908a42a..da5f362 100644
--- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -553,7 +553,7 @@ code. --tls-exit - Exit on TLS negotiation failure. + **DEPRECATED** Exit on TLS negotiation failure. --tls-export-cert directory Store the certificates the clients use upon connection to this diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2594b66..5eb1a45 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -608,7 +608,7 @@ "--tran-window n : Transition window -- old key can live this many seconds\n" " after new key renegotiation begins (default=%d).\n" "--single-session: Allow only one session (reset state on restart).\n" - "--tls-exit : Exit on TLS negotiation failure.\n" + "--tls-exit : (DEPRECATED) Exit on TLS negotiation failure.\n" "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n" " control channel to protect against attacks on the TLS stack\n" " and DoS attacks.\n" @@ -8960,6 +8960,7 @@ } else if (streq(p[0], "tls-exit") && !p[1]) { + msg(M_WARN, "DEPRECATED OPTION: The option --tls-exit is deprecated."); VERIFY_PERMISSION(OPT_P_GENERAL); options->tls_exit = true; }
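Review bot: the Changes.rst hunk wraps the option name in triple backticks (```tls-exit```), which is not reStructuredText inline-literal markup; the entry directly above it in the same hunk uses ``--allow-deprecated-insecure-static-crypto`` with double backticks and the leading dashes, so this should read ``--tls-exit`` for consistency and correct rendering. The same added paragraph also has a typo, "since the will otherwise be removed", which should be "since it will otherwise be removed in the future".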
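Review bot: the tls-options.rst hunk only prefixes the entry with **DEPRECATED** and gives the reader no reason or outlook, whereas the Changes.rst entry in this same change explains that the use case is unclear and asks users who have one to reach out. The man page is what a user running the option will consult, so it would help to carry the same sentence there, for example "**DEPRECATED** Exit on TLS negotiation failure. This option will be removed in a future release; if you have a use case for it, please report it."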
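Review bot: the new msg(M_WARN, ...) in the tls-exit parsing branch of options.c says only that the option is deprecated, without the removal notice or the request for feedback that the Changes.rst entry gives; since the runtime warning is the message most users will actually see, suggest aligning it, e.g. msg(M_WARN, "DEPRECATED OPTION: The option --tls-exit is deprecated and will be removed in a future release."); The placement before VERIFY_PERMISSION(OPT_P_GENERAL) and options->tls_exit = true is fine and matches how other deprecation warnings in this file are emitted.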