Hi,
> Warning for comp-lzo/compress are not generated in the post option check
> (options_postprocess_mutate) since these warnings should also be shown
> on pushed options. Moving the showing the warning showing for
Typo in the last sentence.
If I want to use compression and specify an algorithm, I get confusing warnings:
➜ openvpn git:(master) ✗ sudo src/openvpn/openvpn --config ~/lev.ovpn
--compress lz4-v2 --allow-compression yes
Thu May 14 16:16:26 2020 WARNING: Compression enabled, Compression
has been used in the past to break encryption. Enabling decompression
of received packet only. Sent packets are not compressed.
Thu May 14 16:16:26 2020 WARNING: Compression enabled, Compression has
beenused in the past to break encryption. Allowing compression allows
attacks that break encryption. Using '--allow-compression yes' is
strongly discouraged for common usage. See --compress in the manual
page for more information
Thu May 14 16:16:26 2020 OpenVPN 2.5_git
[git:master/6001784afd89c4e9+] x86_64-apple-darwin19.4.0 [SSL
(OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 14 2020
1) The first warning is wrong, since I explicitly allowed compression.
Also it has unneeded whitespace in the beginning.
2) The second warning is missing whitespace ("beenused").
> The logic of warnings etc in options.c has not been changed
> since adding all the code to mutate_options would a lot more
> and more complicated code and after discussion we decided that
> it is okay as is.
Can't we set some bit flags in options processing, like

    COMP_WARN_GENERIC     1 << 0  // Compression enabled, Compression has been
                                  // used in the past to break encryption.
    COMP_WARN_ASYNC       1 << 1  // Enabling decompression of received packet
                                  // only. Sent packets are not compressed.
    COMP_WARN_ALLOWED_YES 1 << 2  // Using '--allow-compression yes' is
                                  // strongly discouraged for common usage.
                                  // See --compress in the manual page for
                                  // more information

and handle them in options postprocessing - excluding
COMP_ENABLED_WARN_ASYNC if COMP_ENABLED_WARN_YES is set and printing
the message?
--
-Lev
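
The flag approach proposed above, as an added sketch that is not part of the original mail and not OpenVPN code. The function names are hypothetical and the flag names follow the list in the proposal. Option handlers only record flags, and a single post-processing step drops the asymmetric note when '--allow-compression yes' was given, so one warning is produced regardless of option order.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical flag names, modelled on the proposal; not OpenVPN's own code. */
#define COMP_WARN_GENERIC     (1u << 0)
#define COMP_WARN_ASYNC       (1u << 1)
#define COMP_WARN_ALLOWED_YES (1u << 2)

/* Parsing "--compress <alg>" (local or pushed): record, do not print. */
static void comp_warn_on_compress(unsigned int *flags)
{
    *flags |= COMP_WARN_GENERIC | COMP_WARN_ASYNC;
}

/* Parsing "--allow-compression yes": record, do not print. */
static void comp_warn_on_allow_yes(unsigned int *flags)
{
    *flags |= COMP_WARN_GENERIC | COMP_WARN_ALLOWED_YES;
}

/* Post-processing: resolve the flags and build one warning line.
 * Returns the message length, or 0 when there is nothing to warn about. */
static int comp_warn_format(unsigned int flags, char *buf, size_t len)
{
    if (flags & COMP_WARN_ALLOWED_YES)
        flags &= ~COMP_WARN_ASYNC;   /* explicit opt-in: asymmetric note is wrong */
    if (!(flags & COMP_WARN_GENERIC)) {
        if (len > 0)
            buf[0] = '\0';
        return 0;
    }
    return snprintf(buf, len, "WARNING: %s%s%s",
        "Compression enabled, Compression has been used in the past to break encryption.",
        (flags & COMP_WARN_ASYNC) ? " Enabling decompression of received packet only. Sent packets are not compressed." : "",
        (flags & COMP_WARN_ALLOWED_YES) ? " Using '--allow-compression yes' is strongly discouraged for common usage. See --compress in the manual page for more information" : "");
}

int main(void)
{
    unsigned int flags = 0;
    char msg[512];
    comp_warn_on_compress(&flags);   /* --compress lz4-v2 */
    comp_warn_on_allow_yes(&flags);  /* --allow-compression yes */
    if (comp_warn_format(flags, msg, sizeof(msg)) > 0)
        puts(msg);
    return 0;
}
```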