Acked-by: Gert Doering <>

This patch survived all tests I threw at it (Linux and FreeBSD client
and server, with and without DCO, including multiple p2mp clients on
the server under test).

The "main" code change (dco_peer_id) is fairly straightforward, if
one checks for the right values of "-1".

The completely new bit in v3 is "multi_client_setup_dco_initial()",
which packs all the "init a new p2mp DCO peer" into a single function,
so early-return is possible, and the path "anything DCO fails ->
CAS_FAILED -> AUTH_FAILED" is easier to see.

We discussed - at breakfast - changes necessary to make the server
not abort "if anything DCO fails" (v2 tried to set up a peer with "-1",
which failed, and that did not lead to "CAS_FAILED" but to "server
aborts").  The code in question is in ssl.c, init_key_contexts(), and it
has two M_FATAL conditions - we should see that we can turn this into
"kill the client instance, not the server".  As discussed, "not being
able to set up keys in DCO" is a race with "the kernel might have
killed that instance just now, due to TCP RST etc".

This is not part of *this* patch yet, but it's not caused by this
patch either - so no reason to not progress.

Your patch has been applied to the master branch.

commit 8d4dbb56e7dda87ef031fdf52c6d87e533250ff3
Author: Arne Schwabe
Date:   Sun Nov 27 10:07:42 2022 +0100

     Use dedicated multi->dco_peer_id for DCO instead of multi->peer_id

     Signed-off-by: Arne Schwabe <>
     Acked-by: Gert Doering <>
     Message-Id: <>
     Signed-off-by: Gert Doering <>

kind regards,

Gert Doering

Openvpn-devel mailing list
