|
From: flichtenheld (C. Review) <ge...@op...> - 2025-12-05 17:58:04
|
Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1417?usp=email
to look at the new patch set (#3).
Change subject: CMake: For VS build, switch from /W2 to /W3
......................................................................
CMake: For VS build, switch from /W2 to /W3
But exclude the added checks that currently have failures
so that we can keep /WX enabled.
Basically this excludes -Wconversion and -Wsign-compare,
as expected from our GCC/Clang flags.
Github: #382
Change-Id: Iffc114939cb37129057e9c4864fae9e09c3c7fe4
Signed-off-by: Frank Lichtenheld <fr...@li...>
---
M CMakeLists.txt
1 file changed, 4 insertions(+), 1 deletion(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/17/1417/3
diff --git a/CMakeLists.txt b/CMakeLists.txt
index b3142e4..906fa04 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -85,9 +85,12 @@
if (USE_WERROR)
add_compile_options(/WX)
endif ()
+ # C4018: signed/unsigned mismatch
+ # C4244: conversion from 'type1' to 'type2', possible loss of data
+ # C4267: conversion from 'size_t' to 'type', possible loss of data
add_compile_options(
/MP
- /W2
+ /W3 /wd4018 /wd4267 /wd4244
/sdl
/Qspectre
/guard:cf
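Review bot: The three /wd switches on the "/W3" line go through the global add_compile_options call, so C4018, C4244 and C4267 are silenced for every target. With /WX enabled, a new signed/unsigned comparison or narrowing conversion in length handling will then pass the MSVC build unnoticed. The comment block names the codes but does not say the exclusions are meant to be temporary; suggest adding a line such as "# TODO: drop these /wd flags once the warnings are fixed" with a pointer to the issue the commit message references (Github #382), so the suppressions are tracked next to the flags.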
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1417?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Iffc114939cb37129057e9c4864fae9e09c3c7fe4
Gerrit-Change-Number: 1417
Gerrit-PatchSet: 3
Gerrit-Owner: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
|
|
From: flichtenheld (C. Review) <ge...@op...> - 2025-12-05 16:11:16
|
Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1417?usp=email
to look at the new patch set (#2).
Change subject: CMake: For VS build, document what we're missing from /W3
......................................................................
CMake: For VS build, document what we're missing from /W3
Basically -Wconversion and -Wsign-compare, so as expected.
Github: #382
Change-Id: Iffc114939cb37129057e9c4864fae9e09c3c7fe4
Signed-off-by: Frank Lichtenheld <fr...@li...>
---
M CMakeLists.txt
1 file changed, 4 insertions(+), 1 deletion(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/17/1417/2
diff --git a/CMakeLists.txt b/CMakeLists.txt
index b3142e4..906fa04 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -85,9 +85,12 @@
if (USE_WERROR)
add_compile_options(/WX)
endif ()
+ # C4018: signed/unsigned mismatch
+ # C4244: conversion from 'type1' to 'type2', possible loss of data
+ # C4267: conversion from 'size_t' to 'type', possible loss of data
add_compile_options(
/MP
- /W2
+ /W3 /wd4018 /wd4267 /wd4244
/sdl
/Qspectre
/guard:cf
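Review bot: The subject of this patch set says the change only documents what is missing from /W3, but the hunk replaces the "/W2" line with "/W3 /wd4018 /wd4267 /wd4244", which raises the warning level. Suggest rewording the subject and body to say that the level is switched and three warnings are excluded, so the log matches the diff.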
--
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Iffc114939cb37129057e9c4864fae9e09c3c7fe4
Gerrit-Change-Number: 1417
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
|
|
From: flichtenheld (C. Review) <ge...@op...> - 2025-12-05 14:48:43
|
Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/1417?usp=email
to review the following change.
Change subject: CMake: For VS build, document what we're missing from /W3
......................................................................
CMake: For VS build, document what we're missing from /W3
Basically -Wconversion and -Wsign-compare, so as expected.
Change-Id: Iffc114939cb37129057e9c4864fae9e09c3c7fe4
Signed-off-by: Frank Lichtenheld <fr...@li...>
---
M CMakeLists.txt
1 file changed, 4 insertions(+), 1 deletion(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/17/1417/1
diff --git a/CMakeLists.txt b/CMakeLists.txt
index b3142e4..906fa04 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -85,9 +85,12 @@
if (USE_WERROR)
add_compile_options(/WX)
endif ()
+ # C4018: signed/unsigned mismatch
+ # C4244: conversion from 'type1' to 'type2', possible loss of data
+ # C4267: conversion from 'size_t' to 'type', possible loss of data
add_compile_options(
/MP
- /W2
+ /W3 /wd4018 /wd4267 /wd4244
/sdl
/Qspectre
/guard:cf
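Review bot: The comment lines list the codes as C4018, C4244, C4267 while the option line has them as "/wd4018 /wd4267 /wd4244". Keeping the same order, or putting one /wd flag per line as the other options in this call already are, makes it easier to see which exclusion to drop once a class of warnings has been fixed.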
--
Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Iffc114939cb37129057e9c4864fae9e09c3c7fe4
Gerrit-Change-Number: 1417
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
|
|
From: cron2 (C. Review) <ge...@op...> - 2025-12-04 15:01:59
|
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email ) Change subject: Fix dco with null cipher being enabled without auth none ...................................................................... Fix dco with null cipher being enabled without auth none This is a corner case and only the FreeBSD DCO module support the none encryption but as long as it supports it, we should only enable it when the configuration actually allows to enable it. Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3 Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Antonio Quartulli <an...@ma...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1369 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg34847.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/dco.c 1 file changed, 12 insertions(+), 0 deletions(-) diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 7abdad3..6a1a5c9 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -474,6 +474,18 @@ gc_free(&gc); return false; } + /* FreeBSD supports none as cipher type but requires auth none to be + * be also enabled */ + if (strcmp(token, "none") == 0 && strcmp(o->authname, "none") != 0) + { + msg(msglevel, + "Note: cipher '%s' in --data-ciphers is only supported " + "with --auth=none by ovpn-dco, disabling data channel " + "offload.", + token); + gc_free(&gc); + return false; + } } gc_free(&gc); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3 Gerrit-Change-Number: 1369 Gerrit-PatchSet: 3 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-CC: openvpn-devel <ope...@li...> |
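Review bot: The new comment in dco.c repeats a word across its line break ("requires auth none to be" / "be also enabled"); drop one "be". In the msg() text, "--auth=none" is written with an equals sign while "--data-ciphers" in the same string is given as a plain option name; suggest "--auth none" so the note matches how the option is written in a configuration.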
|
From: cron2 (C. Review) <ge...@op...> - 2025-12-04 15:01:57
|
cron2 has uploaded a new patch set (#3) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by ordex Change subject: Fix dco with null cipher being enabled without auth none ...................................................................... Fix dco with null cipher being enabled without auth none This is a corner case and only the FreeBSD DCO module support the none encryption but as long as it supports it, we should only enable it when the configuration actually allows to enable it. Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3 Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Antonio Quartulli <an...@ma...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1369 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg34847.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/dco.c 1 file changed, 12 insertions(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/69/1369/3 diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 7abdad3..6a1a5c9 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c 
@@ -474,6 +474,18 @@ gc_free(&gc); return false; } + /* FreeBSD supports none as cipher type but requires auth none to be + * be also enabled */ + if (strcmp(token, "none") == 0 && strcmp(o->authname, "none") != 0) + { + msg(msglevel, + "Note: cipher '%s' in --data-ciphers is only supported " + "with --auth=none by ovpn-dco, disabling data channel " + "offload.", + token); + gc_free(&gc); + return false; + } } gc_free(&gc); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3 Gerrit-Change-Number: 1369 Gerrit-PatchSet: 3 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-CC: openvpn-devel <ope...@li...> |
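Review bot: The added condition calls strcmp(o->authname, "none") with no check visible in this hunk that o->authname is non-NULL. If the options structure can reach this point with authname unset, the comparison dereferences a null pointer; either confirm that it is always initialised before this function runs or guard the call.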
|
From: Gert D. <ge...@gr...> - 2025-12-04 15:01:49
|
We know everything about corners inside corner cases!
But we also do them right!
I have not tested this for real - it's fairly trivial anyway, and it has
no memory leaks anymore :-) - the use case is "testing" or "I just need
a tunnel with a more dynamic endpoint than statically-configured GRE,
no crypto needed, and minimum overhead required". Whether or not this is
a good idea is not addressed by the patch, and OpenVPN itself *will* print
a big fat warning when trying to do "cipher none".
Your patch has been applied to the master branch.
commit 4ff746ad87ca5aa7b2058c9332622fc86551c0c8
Author: Arne Schwabe
Date: Thu Dec 4 14:45:16 2025 +0100
Fix dco with null cipher being enabled without auth none
Signed-off-by: Arne Schwabe <ar...@rf...>
Acked-by: Antonio Quartulli <an...@ma...>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1369
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg34847.html
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
|
|
From: Gert D. <ge...@gr...> - 2025-12-04 14:17:32
|
Hi,
On Sat, Nov 29, 2025 at 07:08:09PM +0100, Simon Matter via Openvpn-devel wrote:
> The patch is attached to this email. Would be nice if it was considered.
I have turned this into a proper commit with all the extra references
we want to have in our codebase.
commit 864aab8a6cb9c473629bab2b6d5d0338d2d64186 (HEAD -> master)
Author: Simon Matter <sim...@in...>
Date: Thu Dec 4 15:05:27 2025 +0100
Add CAP_SYS_NICE to the positive list in systemd service files
This is necessary to make the ``--nice n`` option work for OpenVPN
instances started by systemd.
Github: closes OpenVPN/openvpn#834
Signed-off-by: Simon Matter <sim...@in...>
Acked-By: Arne Schwabe <ar...@rf...>
Message-Id: <f58...@xx...>
URL: https://www.mail-archive.com/ope...@li.../msg34803.html
Signed-off-by: Gert Doering <ge...@gr...>
... for the next patch, please learn how to use git for simple changes
like this - who can do a "diff -u oldfile newfile" can also do a
"git commit ; git format-patch -1" to produce a patch with sufficient
git stuff around that I have to spend less time on it.
From there to "git send-email --to=...@li... -1"
it's a very small step, and then everything is nearly automatic :-)
I do understand that "git is a huge thing to learn" - and it is, but
hardly anyone really needs to understand all the details. For most cases,
a few commands are enough
$ git clone https://github.com/OpenVPN/openvpn.git
$ cd openvpn
openvpn$ vi <somefiles>
openvpn$ git commit -s <somefiles> # make a commit from that change
openvpn$ git show # look at that commit
openvpn$ git format-patch -1 # make a nice patch file out of it
gert
PS: yes, this is all about putting burdens on other people's shoulders -
you want us to do something, we want you to make this less time consuming
for us.
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany ge...@gr...
|
|
From: cron2 (C. Review) <ge...@op...> - 2025-12-04 14:00:49
|
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1416?usp=email ) Change subject: Add a section about wolfSSL GPLv3 and point out missing TLS PRF support ...................................................................... Add a section about wolfSSL GPLv3 and point out missing TLS PRF support Change-Id: I4f9a6baf2bdb45e5b79bf13c9f6fce3b7a2e982c Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1416 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg34840.html Signed-off-by: Gert Doering <ge...@gr...> --- M README.wolfssl 1 file changed, 10 insertions(+), 0 deletions(-) diff --git a/README.wolfssl b/README.wolfssl index 3918d0f..3e531ae 100644 --- a/README.wolfssl +++ b/README.wolfssl 
@@ -28,7 +28,17 @@ * blowfish support (BF-CBC), you must use something like cipher AES-128-CBC to avoid trying to use BF-CBC * Windows CryptoAPI support + * No TLS1.0 PRF support (No compaitbility with OpenVPN 2.5 or older or + other build that do not support TLS EKM) + +************************************************************************* +Newer wolfSSL versions (5.8.2 and newer) are GPLv3 licensed and this license is not +compatible with OpenVPN's GPLv2 license. + +However wolfSSL Inc has granted an exception to combine the wolfSSL library +with OpenVPN and OpenVPN-NL (https://github.com/wolfSSL/wolfssl/blob/master/LICENSING) +with version 5.8.4 and later. ************************************************************************* To build WolfSSL with post-quantum KEMs built in, the following command is used: -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1416?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I4f9a6baf2bdb45e5b79bf13c9f6fce3b7a2e982c Gerrit-Change-Number: 1416 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-CC: openvpn-devel <ope...@li...> |
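Review bot: Two typos in the added bullet of README.wolfssl: "compaitbility" should be "compatibility", and "other build that do not support" should be "other builds that do not support". The new text also writes "wolfSSL" while the unchanged context line below it has "WolfSSL"; worth settling on one spelling.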
|
From: cron2 (C. Review) <ge...@op...> - 2025-12-04 14:00:48
|
cron2 has uploaded a new patch set (#2) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1416?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: Add a section about wolfSSL GPLv3 and point out missing TLS PRF support ...................................................................... Add a section about wolfSSL GPLv3 and point out missing TLS PRF support Change-Id: I4f9a6baf2bdb45e5b79bf13c9f6fce3b7a2e982c Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1416 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg34840.html Signed-off-by: Gert Doering <ge...@gr...> --- M README.wolfssl 1 file changed, 10 insertions(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/16/1416/2 diff --git a/README.wolfssl b/README.wolfssl index 3918d0f..3e531ae 100644 --- a/README.wolfssl +++ b/README.wolfssl 
@@ -28,7 +28,17 @@ * blowfish support (BF-CBC), you must use something like cipher AES-128-CBC to avoid trying to use BF-CBC * Windows CryptoAPI support + * No TLS1.0 PRF support (No compaitbility with OpenVPN 2.5 or older or + other build that do not support TLS EKM) + +************************************************************************* +Newer wolfSSL versions (5.8.2 and newer) are GPLv3 licensed and this license is not +compatible with OpenVPN's GPLv2 license. + +However wolfSSL Inc has granted an exception to combine the wolfSSL library +with OpenVPN and OpenVPN-NL (https://github.com/wolfSSL/wolfssl/blob/master/LICENSING) +with version 5.8.4 and later. ************************************************************************* To build WolfSSL with post-quantum KEMs built in, the following command is used: -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1416?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I4f9a6baf2bdb45e5b79bf13c9f6fce3b7a2e982c Gerrit-Change-Number: 1416 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-CC: openvpn-devel <ope...@li...> |
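Review bot: The new licensing paragraph gives two version boundaries, GPLv3 from 5.8.2 and the exception "with version 5.8.4 and later", without saying what that means for the releases in between. Suggest stating explicitly that versions from 5.8.2 up to but not including 5.8.4 are not covered by the exception, since that is the case a packager needs to catch.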
|
From: Gert D. <ge...@gr...> - 2025-12-04 14:00:29
|
Documentation improvements are always welcome :-)
Your patch has been applied to the master branch.
commit 603fe533a429e99f6b9e39304e0a1a0391af0547
Author: Arne Schwabe
Date: Thu Dec 4 13:42:16 2025 +0100
Add a section about wolfSSL GPLv3 and point out missing TLS PRF support
Signed-off-by: Arne Schwabe <ar...@rf...>
Acked-by: Gert Doering <ge...@gr...>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1416
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg34840.html
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
|
|
From: Gert D. <ge...@gr...> - 2025-12-04 13:45:34
|
From: Arne Schwabe <ar...@rf...> This is a corner case and only the FreeBSD DCO module support the none encryption but as long as it supports it, we should only enable it when the configuration actually allows to enable it. Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3 Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Antonio Quartulli <an...@ma...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1369 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1369 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Antonio Quartulli <an...@ma...> diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 7abdad3..6a1a5c9 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -474,6 +474,18 @@ gc_free(&gc); return false; } + /* FreeBSD supports none as cipher type but requires auth none to be + * be also enabled */ + if (strcmp(token, "none") == 0 && strcmp(o->authname, "none") != 0) + { + msg(msglevel, + "Note: cipher '%s' in --data-ciphers is only supported " + "with --auth=none by ovpn-dco, disabling data channel " + "offload.", + token); + gc_free(&gc); + return false; + } } gc_free(&gc); |
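Review bot: The comment in the added block names FreeBSD as the platform that supports the none cipher, while the log message attributes the restriction to "ovpn-dco". Suggest naming the platform in the message as well, or wording it neutrally (for example "by data channel offload"), so the note a user sees agrees with the comment.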
|
From: cron2 (C. Review) <ge...@op...> - 2025-12-04 13:45:24
|
Attention is currently required from: plaisthos.
cron2 has posted comments on this change by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email )
Change subject: Fix dco with null cipher being enabled without auth none
......................................................................
Patch Set 2: -Code-Review
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3
Gerrit-Change-Number: 1369
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: ordex <an...@ma...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Comment-Date: Thu, 04 Dec 2025 13:45:09 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
|
|
From: cron2 (C. Review) <ge...@op...> - 2025-12-04 13:24:12
|
cron2 has uploaded a new patch set (#3) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1190?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld, Code-Review-1 by ordex Change subject: Clarify some code in epoch with better comments ...................................................................... Clarify some code in epoch with better comments Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Frank Lichtenheld <fr...@li...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1190 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg34829.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/crypto.c M src/openvpn/crypto.h 2 files changed, 11 insertions(+), 2 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/90/1190/3 diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 8049b3a..e43bc6c 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -97,6 +97,13 @@ /* IV starts with packet id to make the IV unique for packet */ if (use_epoch_data_format) { + /* Note this does not check aead_usage_limit but can overstep it by + * a few extra blocks in one extra write. This is not affecting the + * security margin as these extra blocks are on a completely + * different order of magnitude than the security margin. + * The next iteration/call to epoch_check_send_iterate will + * iterate the epoch + */ if (!packet_id_write_epoch(&opt->packet_id.send, ctx->epoch, &iv_buffer)) { msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over"); diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 72c6821..9424fd7 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h 
@@ -298,7 +298,8 @@ /** last epoch_key used for generation of the current send data keys. * As invariant, the epoch of epoch_key_send is always kept >= the epoch of - * epoch_key_recv */ + * key_ctx_bi.decrypt.epoch + */ struct epoch_key epoch_key_send; /** epoch_key used for the highest receive epoch keys */ @@ -309,7 +310,8 @@ /** The limit for AEAD cipher, this is the sum of packets + blocks * that are allowed to be used. Will switch to a new epoch if this - * limit is reached*/ + * limit is reached. + */ uint64_t aead_usage_limit; /** Keeps the future epoch data keys for decryption. The current one -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1190?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb Gerrit-Change-Number: 1190 Gerrit-PatchSet: 3 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-CC: openvpn-devel <ope...@li...> |
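Review bot: In the crypto.c hunk, the new comment says the limit can be overstepped "by a few extra blocks in one extra write" and that this is far below the security margin, but it gives no bound. Suggest stating what limits the overshoot (for example the largest packet a single write can carry) so a reader can check the claim against aead_usage_limit. "This is not affecting" would also read better as "This does not affect".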
|
From: cron2 (C. Review) <ge...@op...> - 2025-12-04 13:24:10
|
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1190?usp=email ) Change subject: Clarify some code in epoch with better comments ...................................................................... Clarify some code in epoch with better comments Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Frank Lichtenheld <fr...@li...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1190 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg34829.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/crypto.c M src/openvpn/crypto.h 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 8049b3a..e43bc6c 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -97,6 +97,13 @@ /* IV starts with packet id to make the IV unique for packet */ if (use_epoch_data_format) { + /* Note this does not check aead_usage_limit but can overstep it by + * a few extra blocks in one extra write. This is not affecting the + * security margin as these extra blocks are on a completely + * different order of magnitude than the security margin. + * The next iteration/call to epoch_check_send_iterate will + * iterate the epoch + */ if (!packet_id_write_epoch(&opt->packet_id.send, ctx->epoch, &iv_buffer)) { msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over"); diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 72c6821..9424fd7 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -298,7 +298,8 @@ /** last epoch_key used for generation of the current send data keys. * As invariant, the epoch of epoch_key_send is always kept >= the epoch of - * epoch_key_recv */ + * key_ctx_bi.decrypt.epoch + */ struct epoch_key epoch_key_send; /** epoch_key used for the highest receive epoch keys */ 
@@ -309,7 +310,8 @@ /** The limit for AEAD cipher, this is the sum of packets + blocks * that are allowed to be used. Will switch to a new epoch if this - * limit is reached*/ + * limit is reached. + */ uint64_t aead_usage_limit; /** Keeps the future epoch data keys for decryption. The current one -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1190?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb Gerrit-Change-Number: 1190 Gerrit-PatchSet: 3 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-CC: openvpn-devel <ope...@li...> |
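Review bot: In the first crypto.h hunk, the invariant for epoch_key_send now refers to key_ctx_bi.decrypt.epoch instead of epoch_key_recv, but the comment does not say where the invariant is enforced. Suggest naming the function that maintains it, or adding an assertion there, so the documented relation cannot drift from the code again.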
|
From: Gert D. <ge...@gr...> - 2025-12-04 13:23:56
|
Improved documentation is always welcome :-)
I have taken Antonio's last-minute complaint into account and adjusted
the end-of-comment '*/' bits to live on their own line. I did not touch
other comments in these files, just those that were touched in Arne's
patch.
Since this is just comments, I've only done a sanity check compile to
ensure I didn't fat-finger one of my changes.
Your patch has been applied to the master branch.
commit c282b62f9072b513c0fa8eef49fd8fc7c47afd15
Author: Arne Schwabe
Date: Wed Dec 3 13:57:34 2025 +0100
Clarify some code in epoch with better comments
Signed-off-by: Arne Schwabe <ar...@rf...>
Acked-by: Frank Lichtenheld <fr...@li...>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1190
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg34829.html
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
|
|
From: ordex (C. Review) <ge...@op...> - 2025-12-04 12:47:35
|
Attention is currently required from: plaisthos.
ordex has posted comments on this change by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1190?usp=email )
Change subject: Clarify some code in epoch with better comments
......................................................................
Patch Set 2: Code-Review-1
(2 comments)
File src/openvpn/crypto.h:
http://gerrit.openvpn.net/c/openvpn/+/1190/comment/7157deb0_b889163c?usp=email :
PS2, Line 312: * limit is reached. */
shouldn't the closing */ be on a new line like all other multiline comments?
File src/openvpn/crypto.c:
http://gerrit.openvpn.net/c/openvpn/+/1190/comment/ccf561c6_6036bff1?usp=email :
PS2, Line 105: * iterate the epoch */
same here
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1190?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I34e6b680618a52003d8408852d415c8aeac01feb
Gerrit-Change-Number: 1190
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: ordex <an...@ma...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Comment-Date: Thu, 04 Dec 2025 12:47:20 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
|
|
From: ordex (C. Review) <ge...@op...> - 2025-12-04 12:46:14
|
Attention is currently required from: cron2, plaisthos.
ordex has posted comments on this change by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email )
Change subject: Fix dco with null cipher being enabled without auth none
......................................................................
Patch Set 2: Code-Review+2
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3
Gerrit-Change-Number: 1369
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: ordex <an...@ma...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: cron2 <ge...@gr...>
Gerrit-Comment-Date: Thu, 04 Dec 2025 12:46:04 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
|
From: Gert D. <ge...@gr...> - 2025-12-04 12:42:35
|
From: Arne Schwabe <ar...@rf...> Change-Id: I4f9a6baf2bdb45e5b79bf13c9f6fce3b7a2e982c Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1416 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1416 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering <ge...@gr...> diff --git a/README.wolfssl b/README.wolfssl index 3918d0f..3e531ae 100644 --- a/README.wolfssl +++ b/README.wolfssl @@ -28,7 +28,17 @@ * blowfish support (BF-CBC), you must use something like cipher AES-128-CBC to avoid trying to use BF-CBC * Windows CryptoAPI support + * No TLS1.0 PRF support (No compaitbility with OpenVPN 2.5 or older or + other build that do not support TLS EKM) + +************************************************************************* +Newer wolfSSL versions (5.8.2 and newer) are GPLv3 licensed and this license is not +compatible with OpenVPN's GPLv2 license. + +However wolfSSL Inc has granted an exception to combine the wolfSSL library +with OpenVPN and OpenVPN-NL (https://github.com/wolfSSL/wolfssl/blob/master/LICENSING) +with version 5.8.4 and later. ************************************************************************* To build WolfSSL with post-quantum KEMs built in, the following command is used: |
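Review bot: the added bullet under the unsupported-features list has a spelling error and a number disagreement: "compaitbility" should be "compatibility", and "other build that do not support TLS EKM" should read "other builds that do not support TLS EKM". Since this text ends up in a README that packagers search, it is worth fixing before merge rather than in a follow-up.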
|
From: cron2 (C. Review) <ge...@op...> - 2025-12-04 12:42:19
|
Attention is currently required from: plaisthos.
cron2 has posted comments on this change by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1416?usp=email )
Change subject: Add a section about wolfSSL GPLv3 and point out missing TLS PRF support
......................................................................
Patch Set 1: Code-Review+2
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1416?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I4f9a6baf2bdb45e5b79bf13c9f6fce3b7a2e982c
Gerrit-Change-Number: 1416
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Comment-Date: Thu, 04 Dec 2025 12:42:04 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
|
From: plaisthos (C. Review) <ge...@op...> - 2025-12-04 12:37:35
|
plaisthos has uploaded this change for review. ( http://gerrit.openvpn.net/c/openvpn/+/1416?usp=email ) Change subject: Add a section about wolfSSL GPLv3 and point out missing TLS PRF support ...................................................................... Add a section about wolfSSL GPLv3 and point out missing TLS PRF support Change-Id: I4f9a6baf2bdb45e5b79bf13c9f6fce3b7a2e982c Signed-off-by: Arne Schwabe <ar...@rf...> --- M README.wolfssl 1 file changed, 10 insertions(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/16/1416/1 diff --git a/README.wolfssl b/README.wolfssl index 3918d0f..3e531ae 100644 --- a/README.wolfssl +++ b/README.wolfssl @@ -28,7 +28,17 @@ * blowfish support (BF-CBC), you must use something like cipher AES-128-CBC to avoid trying to use BF-CBC * Windows CryptoAPI support + * No TLS1.0 PRF support (No compaitbility with OpenVPN 2.5 or older or + other build that do not support TLS EKM) + +************************************************************************* +Newer wolfSSL versions (5.8.2 and newer) are GPLv3 licensed and this license is not +compatible with OpenVPN's GPLv2 license. + +However wolfSSL Inc has granted an exception to combine the wolfSSL library +with OpenVPN and OpenVPN-NL (https://github.com/wolfSSL/wolfssl/blob/master/LICENSING) +with version 5.8.4 and later. ************************************************************************* To build WolfSSL with post-quantum KEMs built in, the following command is used: -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1416?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newchange Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I4f9a6baf2bdb45e5b79bf13c9f6fce3b7a2e982c Gerrit-Change-Number: 1416 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> |
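Review bot: the new licensing paragraph leaves wolfSSL 5.8.2 and 5.8.3 unaddressed: it says "5.8.2 and newer" are GPLv3 and not compatible with OpenVPN's GPLv2, while the exception is stated to apply "with version 5.8.4 and later". Consider saying explicitly that the versions in between are not covered by the exception and which versions a builder should use, so that nobody has to infer it from the two version numbers.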
|
From: Arne S. <ar...@rf...> - 2025-12-04 11:23:06
|
On 29.11.25 at 19:08, Simon Matter via Openvpn-devel wrote:
>> Hi,
>>
>>> The OpenVPN community project team is proud to release OpenVPN 2.7_rc3.
>>>
>>> This is the third release candidate for the feature release 2.7.0.
>>>
>>
>> Can one of the developers please add this little patch?
>>
>> https://github.com/OpenVPN/openvpn/issues/834
>>
>> It would be much appreciated.
>
> The patch is attached to this email. Would be nice if it was considered.

The patch is the same as in github and David already reviewed it positively.

Acked-By: Arne Schwabe <ar...@rf...>
|
From: Simon M. <sim...@in...> - 2025-12-04 10:17:18
|
> Hi,
>
> On 29/11/2025 19:08, Simon Matter via Openvpn-devel wrote:
>>> Can one of the developers please add this little patch?
>>>
>>> https://github.com/OpenVPN/openvpn/issues/834
>>>
>>> It would be much appreciated.
>>
>> The patch is attached to this email. Would be nice if it was considered.
>
> Patches sent as attachments are hard to review as we have no way to comment
> on the changes.
>
> Moreover the patch lacks a proper git commit message/title.
> Along with the commit message you also need to add a proper Signed-off-by line.
>
> You can read more about our process and patch submission procedure here:
>
> https://community.openvpn.net/Development/DeveloperDocumentation#community-patches-and-the-acceptance-process-of-these-patches

As said in the issue, I'm not a developer and I'm not using Git. This patch is only two lines and I'm sure someone can please create the correct patch.

Regards,
Simon
|
From: Antonio Q. <a...@un...> - 2025-12-04 08:53:12
|
Hi,

On 29/11/2025 19:08, Simon Matter via Openvpn-devel wrote:
>> Can one of the developers please add this little patch?
>>
>> https://github.com/OpenVPN/openvpn/issues/834
>>
>> It would be much appreciated.
>
> The patch is attached to this email. Would be nice if it was considered.

Patches sent as attachments are hard to review as we have no way to comment on the changes.

Moreover the patch lacks a proper git commit message/title.
Along with the commit message you also need to add a proper Signed-off-by line.

You can read more about our process and patch submission procedure here:

https://community.openvpn.net/Development/DeveloperDocumentation#community-patches-and-the-acceptance-process-of-these-patches

Regards,
--
Antonio Quartulli
|
From: Simon M. <sim...@in...> - 2025-12-04 06:33:13
|
Hi,

> Hi,
>
>> The OpenVPN community project team is proud to release OpenVPN 2.7_rc3.
>>
>> This is the third release candidate for the feature release 2.7.0.
>>
>
> Can one of the developers please add this little patch?
>
> https://github.com/OpenVPN/openvpn/issues/834
>

This patch makes the nice option work when running with systemd. I just want to ask again for it to be included in the 2.7 RC.

Thanks,
Simon
|
From: selvanair (C. Review) <ge...@op...> - 2025-12-04 01:44:37
|
Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/1415?usp=email
to review the following change.
Change subject: pull-filter: improve documentation
......................................................................
pull-filter: improve documentation
Pull-filter uses a simple string comparison and could be defeated by
unusual formatting of pushed option strings. Document that this
option is not meant to be used as a security measure.
Reported by: <aa...@sr...>
Change-Id: I2c8d40038e52fbdff1c56f93db1e6a2f9255c59a
Signed-off-by: Selva Nair <sel...@gm...>
---
M doc/man-sections/client-options.rst
1 file changed, 8 insertions(+), 0 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/15/1415/1
diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst
index e8523d9..f3073f8 100644
--- a/doc/man-sections/client-options.rst
+++ b/doc/man-sections/client-options.rst
@@ -345,6 +345,14 @@
next remote succeeds. To silently ignore an option pushed by the server,
use :code:`ignore`.
+ *Warning:* ``pull-filter`` cannot be relied upon as a security measure to
+ protect against offending options pushed by a server. For example, the
+ filter could be defeated by pushing options with extra spaces between
+ tokens or other formatting variations. In such situations, an "allow-list"
+ approach using a generic ``pull-filter ignore`` followed by more specific
+ ``pull-filter accept`` directives should be preferred over a "deny-list"
+ approach.
+
--push-peer-info
Push additional information about the client to server. The following
data is always pushed to the server:
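Review bot: in the added warning, "a generic ``pull-filter ignore`` followed by more specific ``pull-filter accept`` directives" does not say in which order the directives have to appear in the configuration. If filters are evaluated in the order given and the first match decides, a generic ignore placed first would shadow every accept after it, so a reader copying the sentence literally could end up with nothing accepted. State the required order explicitly, say what text argument makes the ignore "generic", and add a two-line example of the allow-list form next to the warning.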
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1415?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I2c8d40038e52fbdff1c56f93db1e6a2f9255c59a
Gerrit-Change-Number: 1415
Gerrit-PatchSet: 1
Gerrit-Owner: selvanair <sel...@gm...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
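The deny-list versus allow-list point made in the change description above, as an added C sketch that is not OpenVPN's code. It models a prefix filter under assumed semantics (rules tried in order, first matching prefix decides, unmatched options accepted); the rule sets and pushed option strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not OpenVPN source. Assumed semantics: rules are tried
 * in order, the first rule whose text is a prefix of the pushed option
 * decides, and an option that matches no rule is accepted. */
enum action { ACCEPT, IGNORE };
struct rule { enum action act; const char *prefix; };

static enum action filter_option(const struct rule *rules, size_t n, const char *opt)
{
    for (size_t i = 0; i < n; i++)
        if (strncmp(opt, rules[i].prefix, strlen(rules[i].prefix)) == 0)
            return rules[i].act;
    return ACCEPT; /* fail-open default for unmatched options */
}

/* Deny-list: drop one unwanted option, accept everything else. */
static const struct rule deny_list[] = { { IGNORE, "route 10." } };

/* Allow-list: accept one expected option, then ignore everything else.
 * The empty prefix matches every string in this model. */
static const struct rule allow_list[] = {
    { ACCEPT, "route 192.168.1." },
    { IGNORE, "" },
};

enum action deny_decision(const char *opt)
{
    return filter_option(deny_list, sizeof(deny_list) / sizeof(deny_list[0]), opt);
}

enum action allow_decision(const char *opt)
{
    return filter_option(allow_list, sizeof(allow_list) / sizeof(allow_list[0]), opt);
}

int main(void)
{
    /* Constructed samples; the second has two spaces after "route". */
    const char *pushed[] = { "route 10.0.0.0 255.0.0.0", "route  10.0.0.0 255.0.0.0",
                             "route 192.168.1.0 255.255.255.0" };
    for (size_t i = 0; i < sizeof(pushed) / sizeof(pushed[0]); i++)
        printf("%-34s deny-list:%s allow-list:%s\n", pushed[i],
               deny_decision(pushed[i]) == ACCEPT ? "accept" : "ignore",
               allow_decision(pushed[i]) == ACCEPT ? "accept" : "ignore");
    return 0;
}
```

A formatting variation makes the deny-list fail open (the option is accepted), while the same variation makes the allow-list fail closed (the option is ignored).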
|