I have several nitpicks with this patch which I can enumerate later, but there
is at least one critical issue which prevents me from ACKing this:

# src/openvpn/openvpn --client --tls-cert-profile insecure --ca ../ca.crt --cert ../t_client.crt --key ../t_client.key    --remote-cert-tls server --comp-lzo --verb 3  --dev tun --proto tcp4 --remote-srv lichtenheld.net --writepid ../tests/t_client-flichtenheld-TUXEDO-InfinityBook-S-15-17-Gen7-20221201-141818/openvpn-1.pid --setenv TESTNUM 1 --setenv TOP_BUILDDIR .. --script-security 2 --up ./update_t_client_ips.sh
2022-12-01 14:18:20 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-12-01 14:18:20 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2022-12-01 14:18:20 OpenVPN 2.6_git [git:master/c98fe8b90271df5c] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec  1 2022
2022-12-01 14:18:20 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2022-12-01 14:18:21 Resolved remote service host: conn-test-server.openvpn.org:51194,udp4 prio 0 weight 0
2022-12-01 14:18:21 Resolved remote service host: conn-test-server.openvpn.org:51194,tcp4-client prio 0 weight 0
2022-12-01 14:18:21 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-12-01 14:18:21 TCP/UDP: Preserving recently used remote address: [AF_INET]199.102.77.82:51194
2022-12-01 14:18:21 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-12-01 14:18:21 UDPv4 link local: (not bound)
2022-12-01 14:18:21 UDPv4 link remote: [AF_INET]199.102.77.82:51194

As you can see it ignores the "--proto tcp4" if no proto was specified in
--remote-srv. This is inconsistent with how --remote works. I don't think
this can be the desired behaviour.

Regards,
-- 
  Frank Lichtenheld

