The warnings printed when --cipher or --auth is set to 'none' may not
have been clear enough for non-developers or for people who do not fully
understand encryption and cryptography.  This tries to improve
that.

While at it, also break up the long source lines.

Signed-off-by: David Sommerseth <dav...@openvpn.net>
---
 src/openvpn/crypto.c | 11 +++++++++--
 src/openvpn/init.c   |  5 ++++-
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 909f725..8a5c723 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -784,7 +784,10 @@ init_key_type(struct key_type *kt, const char *ciphername,
     {
         if (warn)
         {
-            msg(M_WARN, "******* WARNING *******: null cipher specified, no 
encryption will be used");
+            msg(M_WARN, "******* WARNING *******: '--cipher none' was 
specified. "
+                "This means NO encryption will be performed and tunnelled "
+                "data WILL be transmitted in clear text over the network! "
+                "PLEASE DO RECONIDER THIS SETTING!");
         }
     }
     if (strcmp(authname, "none") != 0)
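Review bot: The new warning text misspells "RECONSIDER" as `RECONIDER`; the line should read `"PLEASE DO RECONSIDER THIS SETTING!");`. The same typo is in the `--auth none` hunk of crypto.c and in the do_init_crypto_none() hunk of init.c (`PLEASE DO RECONIDER THIS CONFIGURATION!`). These strings are the only signal an operator gets that the tunnel is unprotected, so they should be exact and searchable in logs. The commit also drops the old phrase `null cipher specified`, so any log alerting that matches the previous wording will need updating; that is worth a line in the commit message. init_key_type() starts and ends outside this hunk.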
@@ -804,7 +807,11 @@ init_key_type(struct key_type *kt, const char *ciphername,
     {
         if (warn)
         {
-            msg(M_WARN, "******* WARNING *******: null MAC specified, no 
authentication will be used");
+            msg(M_WARN, "******* WARNING *******: '--auth none' was specified. 
"
+                "This means no authentication will be performed on received "
+                "packets, meaning you CANNOT trust that the data received by "
+                "the remote side have NOT been manipulated. "
+                "PLEASE DO RECONIDER THIS SETTING!");
         }
     }
 }
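Review bot: The phrase "data received by the remote side" in the `--auth none` message reads as data the peer received, while the preceding clause is about packets received locally, so the warning is ambiguous about whose traffic is untrusted. I would word the two middle lines as `"packets, meaning you CANNOT trust that data received from the "` and `"remote side has NOT been manipulated. "`, which also fixes the "data ... have" agreement. The `RECONIDER` typo noted on the first hunk applies here as well. The conditions that lead into this branch are outside the hunk, so I cannot tell from here whether it is also reached for ciphers that authenticate on their own.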
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 0b74f25..86882fe 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2745,7 +2745,10 @@ do_init_crypto_none(const struct context *c)
 {
     ASSERT(!c->options.test_crypto);
     msg(M_WARN,
-        "******* WARNING *******: all encryption and authentication features 
disabled -- all data will be tunnelled as cleartext");
+        "******* WARNING *******: All encryption and authentication features "
+        "disabled -- All data will be tunnelled as clear text and will not be "
+        "protected against man-in-the-middle changes. "
+        "PLEASE DO RECONIDER THIS CONFIGURATION!");
 }
 #endif /* ifdef ENABLE_CRYPTO */
 
-- 
2.11.0

