From: Steffan K. <st...@ka...> - 2016-07-25 18:53:02
This allows the ncp-disable and ncp-ciphers options to be used in 'client
config dir' files, to disable or change the negotiable crypto parameter
settings for specific clients.

Signed-off-by: Steffan Karger <st...@ka...>

--- src/openvpn/options.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 18af179..79dcb79 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -6666,12 +6666,12 @@ add_option (struct options *options, } else if (streq (p[0], "ncp-ciphers") && p[1] && !p[2]) { - VERIFY_PERMISSION (OPT_P_GENERAL); + VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_INSTANCE); options->ncp_ciphers = p[1]; } else if (streq (p[0], "ncp-disable") && !p[1]) { - VERIFY_PERMISSION (OPT_P_GENERAL); + VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_INSTANCE); options->ncp_enabled = false; } else if (streq (p[0], "prng") && p[1] && !p[3]) -- 2.7.4
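Review bot: in the ncp-disable branch, options->ncp_enabled = false now also runs under OPT_P_INSTANCE, so whether it turns NCP off for one client or for the whole server depends on which struct options the caller passes to add_option(); nothing in the hunk shows that, and the commit message should state that the ccd path writes to a per-client options struct. The ncp-ciphers branch stores p[1] with no check visible here, so it is worth confirming that a cipher list supplied from a ccd file is validated before it is used in negotiation. The diffstat touches only src/openvpn/options.c; the option documentation should also say that both options are now accepted in client-config-dir files.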
From: Gert D. <ge...@gr...> - 2016-07-25 19:20:14
Your patch has been applied to the master branch.

commit 834f602fd069118b5d00a9042c9fdb20930257eb
Author: Steffan Karger
Date:   Mon Jul 25 20:52:46 2016 +0200

     Allow ncp-disable and ncp-ciphers to be specified in ccd files

     Signed-off-by: Steffan Karger <st...@ka...>
     Acked-by: Gert Doering <ge...@gr...>
     Message-Id: <146...@ka...>
     URL: http://article.gmane.org/gmane.network.openvpn.devel/12096
     Signed-off-by: Gert Doering <ge...@gr...>

--
kind regards,

Gert Doering
From: Gert D. <ge...@gr...> - 2016-07-25 19:47:43
Hi,

On Mon, Jul 25, 2016 at 09:20:03PM +0200, Gert Doering wrote:
> Your patch has been applied to the master branch.
>
> commit 834f602fd069118b5d00a9042c9fdb20930257eb
> Author: Steffan Karger
> Date: Mon Jul 25 20:52:46 2016 +0200
>
> Allow ncp-disable and ncp-ciphers to be specified in ccd files
>
> Signed-off-by: Steffan Karger <st...@ka...>
> Acked-by: Gert Doering <ge...@gr...>

... this, obviously, means there should have been an "ACK!" in the mail :-)

So, yes, ACK!

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ge...@gr...
fax: +49-89-35655025 ge...@ne...
From: Jan J. K. <ja...@ni...> - 2016-07-26 02:17:43
ACK from me, but just to nitpick:

we now have an option 'disable-occ' and an option 'ncp-disable' -
wouldn't it make more sense to make it "disable-ncp" as well?

JJK

On 25/07/16 20:52, Steffan Karger wrote:
> This allows the ncp-disable and ncp-ciphers options to be used in 'client
> config dir' files, to disable or change the negotiable crypto parameter
> settings for specific clients.
>
> Signed-off-by: Steffan Karger <st...@ka...>
> --- > src/openvpn/options.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/src/openvpn/options.c b/src/openvpn/options.c > index 18af179..79dcb79 100644 > --- a/src/openvpn/options.c > +++ b/src/openvpn/options.c > @@ -6666,12 +6666,12 @@ add_option (struct options *options, > } > else if (streq (p[0], "ncp-ciphers") && p[1] && !p[2]) > { > - VERIFY_PERMISSION (OPT_P_GENERAL); > + VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_INSTANCE); > options->ncp_ciphers = p[1]; > } > else if (streq (p[0], "ncp-disable") && !p[1]) > { > - VERIFY_PERMISSION (OPT_P_GENERAL); > + VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_INSTANCE); > options->ncp_enabled = false; > } > else if (streq (p[0], "prng") && p[1] && !p[3])
From: Steffan K. <ste...@fo...> - 2016-07-26 11:20:58
Hi JJK,

On 26-07-16 04:17, Jan Just Keijser wrote:
> ACK from me, but just to nitpick:
>
> we now have an option 'disable-occ' and an option 'ncp-disable' -
> wouldn't it make more sense to make it "disable-ncp" as well?

Yes, I considered this, but I like --ncp-disable more because:
 * it has some symmetry with --ncp-ciphers
 * I like the 'hierarchical' --<group>-<property>, like we have now for
   e.g. the --tls-* options

But, if the community likes --disable-ncp better, I'm happy to comply.

-Steffan
From: Jan J. K. <ja...@ni...> - 2016-07-29 15:19:12
Hi,

On 25/07/16 20:52, Steffan Karger wrote:
> This allows the ncp-disable and ncp-ciphers options to be used in 'client
> config dir' files, to disable or change the negotiable crypto parameter
> settings for specific clients.
>
> Signed-off-by: Steffan Karger <st...@ka...>
> --- > src/openvpn/options.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/src/openvpn/options.c b/src/openvpn/options.c > index 18af179..79dcb79 100644 > --- a/src/openvpn/options.c > +++ b/src/openvpn/options.c > @@ -6666,12 +6666,12 @@ add_option (struct options *options, > } > else if (streq (p[0], "ncp-ciphers") && p[1] && !p[2]) > { > - VERIFY_PERMISSION (OPT_P_GENERAL); > + VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_INSTANCE); > options->ncp_ciphers = p[1]; > } > else if (streq (p[0], "ncp-disable") && !p[1]) > { > - VERIFY_PERMISSION (OPT_P_GENERAL); > + VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_INSTANCE); > options->ncp_enabled = false; > } > else if (streq (p[0], "prng") && p[1] && !p[3])

another remark: making this option CCD-file specific is a good idea, but how
do you ensure that the server only applies it to this particular client?
o->ncp_enabled seems a global at first glance. Consider this scenario:

1) client A connects, for which we want to disable NCP; hence a
   client-connect script or CCD file with 'ncp-disable' in it;
2) client B connects, no CCD file, it's running v2.4+, so we want NCP.

How does the server handle this? Or did I miss the "per-client options"
struct?

JJK
From: Steffan K. <st...@ka...> - 2016-08-02 14:42:29
On Fri, Jul 29, 2016 at 5:18 PM, Jan Just Keijser <ja...@ni...> wrote:
> another remark: making this option CCD-file specific is a good idea, but how
> do you ensure that the server only applies it to this particular client?
> o->ncp_enabled seems a global at first glance. Consider this scenario:
>
> 1) client A connects, for which we want to disable NCP; hence a
> client-connect script or CCD file with 'ncp-disable' in it;
> 2) client B connects, no CCD file, it's running v2.4+, so we want NCP.
>
> How does the server handle this? Or did I miss the "per-client options"
> struct?

You've just answered your own question ;) The ccd file parsing operates
on mi->context.options, which is a connection-specific options struct
(mi = 'multi instance'). See multi_connection_established().

-Steffan