Hi,
On Mon, Oct 24, 2016 at 4:38 AM, Jan Just Keijser <janj...@nikhef.nl> wrote:
> On 22/10/16 18:53, Selva Nair wrote:
>
>
> On Fri, Oct 21, 2016 at 10:45 AM, Ralf Hildebrandt <
> ralf.hildebra...@charite.de> wrote:
>
>> #push "register-dns"
>> push "setenv opt register-dns"
>> #push "block-outside-dns"
>> push "setenv opt block-outside-dns"
>>
>> and my linux client reports:
>>
>> Fri Oct 21 14:41 options error: option 'setenv' cannot be used in this
>> context ([PUSH-OPTIONS])
>> Fri Oct 21 14:41 options error: option 'setenv' cannot be used in this
>> context ([PUSH-OPTIONS])
>>
>
> When pushed those options are optional (i.e. will be ignored with a warning
> on unsupported platforms), so simple "push register-dns" and "push
> block-outside-dns" should be enough. Use of "setenv opt" in this context is
> for those who want the option in a common config file that may be used in
> different platforms, not for pushing it.
>
> Now, pushing "setenv" was probably allowed in some very early versions but
> not for a long time for security reasons (also see setenv-safe in the
> manpage). As for push "setenv opt ..", that also is not currently supported
> though allowing it may not be risky. It seems the manpage is wrong in
> saying setenv is pushable.
>
> Indeed, it was allowed to do "push setenv" in version 2.0/early 2.1.
> I'd make a case for allowing a "push setenv opt", however: the whole idea
> behind "setenv opt" is to allow you to set an option that is ignored on
> platforms that do not support it. Granted, this can also be achieved using
> "push-peer-info" and then examine the client-side platform, but that
> requires more work (and a 2.4+ server).
>
While it does look safe to allow "push setenv opt .. ", is it really
useful? All pushed options are optional in the sense that none will cause a
FATAL error, just a warning in the logs. So prepending "setenv opt", if
allowed, would make no real difference, would it?
Selva
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
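
An added example, not part of the thread or of OpenVPN itself: a small check a server administrator could run over a server config to find `push "setenv ..."` lines, which clients reject with the PUSH-OPTIONS error quoted above, and to propose the plain pushed form recommended in the reply. The function name and the sample config are constructed for illustration.

```python
import shlex

# Constructed sample server config, modelled on the lines quoted in the thread.
SAMPLE_SERVER_CONF = '''\
# DNS handling for Windows clients
#push "register-dns"
push "setenv opt register-dns"
;push "block-outside-dns"
push "setenv opt block-outside-dns"
push "setenv FOO bar"
push "setenv-safe FOO bar"
push "route 10.8.0.0 255.255.255.0"
'''


def lint_pushed_setenv(conf_text):
    """Return (line_no, line, suggestion) for every push of 'setenv'."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        # OpenVPN treats lines starting with '#' or ';' as comments.
        if not line or line[0] in "#;":
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:
            continue  # unbalanced quotes: left for OpenVPN itself to report
        if len(tokens) < 2 or tokens[0] != "push":
            continue
        pushed = tokens[1].split()
        # Only a pushed 'setenv' is flagged; 'setenv-safe' is a different option.
        if not pushed or pushed[0] != "setenv":
            continue
        if len(pushed) >= 3 and pushed[1] == "opt":
            # "setenv opt X" only makes sense in a local config file;
            # when pushing, the reply recommends pushing X directly.
            suggestion = 'push "%s"' % " ".join(pushed[2:])
        else:
            suggestion = "not pushable; see setenv-safe in the manpage"
        findings.append((line_no, line, suggestion))
    return findings


if __name__ == "__main__":
    for line_no, line, suggestion in lint_pushed_setenv(SAMPLE_SERVER_CONF):
        print("line %d: %s -> %s" % (line_no, line, suggestion))
```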