Hi,

On Tue, Jan 03, 2017 at 02:15:48PM +0300, ???????? ?????????????? wrote:
> please notice, you will not hear "ok, provide patches". it makes me think
> that actual reason of not including any obfuscation in core is something
> people usually not talking about.

Please do not start any conspiracy theories on why the developers are doing something or not doing something.

Most of the time, we do not want to do something if it's going to cause more maintenance effort (like, in this case, a built-in obfuscation layer that needs updating all the time) or if it's a high-impact change that is only beneficial to a few users.

As you rightly notice, we already have a ton of special-case options and transports and proxies and whatnot, and these all come at a price: maintenance effort on our side (and the group of people actually working on *maintaining* this stuff is very small). So we're somewhat reluctant to add more special-case stuff.

Now, I can see the argument for supporting https proxies, since we already support http proxies (and CONNECT), and indeed it could help getting OpenVPN to work in even more annoyingly filtered setups.

The http / http auth / proxy auth side of things is pretty well taken care of, but it might still not be trivial to get this done - right now, our event loop is centered around a socket file descriptor, which can be select()ed, and then just "read()", "write()" (and that holds true for http proxy and socks proxy sockets, after the initial handshake).

A https connection in C is not "just a file descriptor", though (unlike, say, Perl, where you just open a different sort of LWP or IO::Socket object and Perl hides the differences) - so it would add code right in the middle of performance- and security-critical code.

It can be *done*, but it needs to be done *right*, by someone who is familiar with the code (or willing to invest a few weeks to familiarize himself) and has the time to do so. Then it needs close review by someone else who also understands the affected code parts.

So - if someone is willing to send a patch, go for it. But that is still no guarantee that it will get in "just so". You've been warned.

(Isn't it always much easier to state "there must be a hidden reason" if developers lack enthusiasm for your feature-of-choice? :-))

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
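
The point in the message above about a select()-centred event loop and a connection that is not "just a file descriptor", as an added example that is not part of the original message and is not OpenVPN code. `struct layered`, `layered_read` and `layered_pending` are hypothetical names; the struct is a toy stand-in for a TLS session, under the assumption that the TLS layer reads whole records from the socket and buffers the plaintext itself.

```c
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical stand-in for a TLS session: pulls a whole record off the
 * socket, then hands plaintext to the caller from its own buffer. */
struct layered { int fd; unsigned char buf[256]; size_t len, off; };

/* What a select()-centred event loop asks: is the descriptor readable now? */
static int fd_readable(int fd) {
    fd_set r; struct timeval tv = {0, 0};
    FD_ZERO(&r); FD_SET(fd, &r);
    return select(fd + 1, &r, NULL, NULL, &tv) > 0;
}

/* Bytes already taken from the socket but not yet given to the caller. */
static size_t layered_pending(const struct layered *l) { return l->len - l->off; }

static ssize_t layered_read(struct layered *l, void *out, size_t n) {
    if (layered_pending(l) == 0) {          /* refill only when drained */
        ssize_t got = read(l->fd, l->buf, sizeof l->buf);
        if (got <= 0) return got;
        l->len = (size_t)got; l->off = 0;
    }
    if (n > layered_pending(l)) n = layered_pending(l);
    memcpy(out, l->buf + l->off, n);
    l->off += n;
    return (ssize_t)n;
}

/* Bytes left stranded if the loop trusts select() alone; -1 on setup error. */
int stranded_after_one_read(void) {
    int sv[2], stranded = -1; unsigned char out[16];
    static const char record[] = "0123456789abcdef0123456789ABCDEF"; /* constructed */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    struct layered l = { .fd = sv[0] };
    if (write(sv[1], record, 32) == 32 && fd_readable(sv[0])
        && layered_read(&l, out, sizeof out) == 16)   /* caller takes 16 of 32 */
        stranded = fd_readable(sv[0]) ? 0 : (int)layered_pending(&l);
    close(sv[0]); close(sv[1]);
    return stranded;
}

int main(void) {
    printf("fd idle, %d bytes still buffered in the layer\n", stranded_after_one_read());
    return 0;
}
```

An event loop wrapped around such a layer has to consult the layer's pending count before it sleeps in select(); OpenSSL exposes this as `SSL_pending()`.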