Hi, This is just a minor issue which has been annoying me a little bit. I've attached a patch which ensures that the --tls-remote semantic warning is only printed once.
However, I wonder how useful that warning really is these days. Do
we really need that warning? The warning comes from this commit [1]:
commit c04bc0223c9b17f203555b933cbeedbf3b343c0e
Author: james <james@e7ae566f-a301-0410-adde-c780ea21d3b5>
List-Post: openvpn-devel@lists.sourceforge.net
Date: Sun Jul 27 18:20:52 2008 +0000
Added additional warnings for:
* --tls-remote -- some people misunderstand the semantics
* --script-security -- warn if script-security will allow user-defined
scripts to be called, and also warn separately if passwords may be
passed to scripts via the environment
It's from 2008. I see that in some cases this warning is needed, but I
also think people need to read the man pages when things doesn't work as
expected. Not that we need to hand-hold people the whole way through.
If we find that all of these warnings are not that useful any more, I'd
rather suggest that we revert the commit above. Otherwise we can also
consider to just remove the --tls-remote warning completely.
Any thoughts?
[1]
<http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=commitdiff;
h=c04bc0223c9b17f203555b933cbeedbf3b343c0e>
--
kind regards,
David Sommerseth
From 1d41a081c299b9839796b0c145217b7d7d3064b9 Mon Sep 17 00:00:00 2001
From: David Sommerseth <dav...@redhat.com>
List-Post: openvpn-devel@lists.sourceforge.net
Date: Thu, 14 Feb 2013 11:40:24 +0100
Subject: [PATCH] Only warn about --tls-remote semantic once
Avoid repeating this message over and over again in log files due to
reconnections.
Signed-off-by: David Sommerseth <dav...@redhat.com>
---
src/openvpn/init.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 25d8225..5e6d0bf 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2413,6 +2413,7 @@ static void
do_option_warnings (struct context *c)
{
const struct options *o = &c->options;
+ static int warned_tls_semantic = 0;
if (o->ping_send_timeout && !o->ping_rec_timeout)
msg (M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
@@ -2471,8 +2472,10 @@ do_option_warnings (struct context *c)
&& !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
&& !o->remote_cert_eku)
msg (M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
- if (o->tls_remote)
+ if (!warned_tls_semantic && o->tls_remote) {
+ warned_tls_semantic = 1;
msg (M_WARN, "WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).");
+ }
#endif
#endif
--
1.7.10.2
signature.asc
Description: OpenPGP digital signature
