Re: [Openvpn-devel] [PATCH v4] Make compression asymmetric by default and add warnings

2020-06-26 Thread Lev Stipakov
Hi,

> Is that an "ACKed if Gert changes the text of the message as suggested"
> (which is a typo, so okay-ish),

Yes, ACKed if the committer (Gert) will change the message.


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH v4] Make compression asymmetric by default and add warnings

2020-06-26 Thread Gert Doering
Hi,

On Fri, Jun 26, 2020 at 12:51:34PM +0300, Lev Stipakov wrote:
> Semi-acked-by: Lev-Stipakov 

Is that an "ACKed if Gert changes the text of the message as suggested"
(which is a typo, so okay-ish), or "Arne should send a new version"?

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-devel] [PATCH v4] Make compression asymmetric by default and add warnings

2020-06-26 Thread Lev Stipakov
Hi,

Apologies for the delay.

I tested with various combinations of flags and the code works as expected.

Let's reword messages as you proposed:

> We reword the message a bit so that two messages are not that bad if both
> are shown:
>
> WARNING: Compression for receiving enabled, Compression
> has been used in the past to break encryption. Sent packet are not compress 
> unless "allow-compression yes" is also set.

A small typo:

.. Sent packets are not compressed ...

>
>
> WARNING: Compression for sending and receiving enabled, Compression has
> been used in the past to break encryption. Allowing compression allows
> attacks that break encryption. Using '--allow-compression yes' is
> strongly discouraged for common usage. See --compress in the manual
> page for more information

Semi-acked-by: Lev-Stipakov 


-- 
-Lev




Re: [Openvpn-devel] [PATCH v4] Make compression asymmetric by default and add warnings

2020-05-17 Thread Arne Schwabe


> Cannot we set some bit flags in options processing, like
>
> COMP_WARN_GENERIC      1 << 0  // Compression enabled, Compression has been
>                                // used in the past to break encryption.
> COMP_WARN_ASYNC        1 << 1  // Enabling decompression of received packet
>                                // only. Sent packets are not compressed.
> COMP_WARN_ALLOWED_YES  1 << 2  // Using '--allow-compression yes' is
>                                // strongly discouraged for common usage. See
>                                // --compress in the manual page for more
>                                // information
>
> and handle them in options postprocessing -  excluding
> COMP_ENABLED_WARN_ASYNC if COMP_ENABLED_WARN_YES is set and printing
> the message?
>
Same explanation as last time when Steffan reviewed this patch. The
warning should also show up in pushed options. And I don't want to
complicate the logic to avoid an extra warning for a corner case. We
reword the message a bit so that two messages are not that bad if both
are shown:


WARNING: Compression for receiving enabled, Compression
has been used in the past to break encryption. Sent packet are not compress 
unless "allow-compression yes" is also set.


WARNING: Compression for sending and receiving enabled, Compression has
been used in the past to break encryption. Allowing compression allows
attacks that break encryption. Using '--allow-compression yes' is
strongly discouraged for common usage. See --compress in the manual
page for more information






Re: [Openvpn-devel] [PATCH v4] Make compression asymmetric by default and add warnings

2020-05-14 Thread Lev Stipakov
Hi,

> Warning for comp-lzo/compress are not generated in the post option check
> (options_postprocess_mutate) since these warnings should also be shown
> on pushed options. Moving the showing the warning showing for

Typo in the last sentence.

If I want to use compression and specify an algorithm, I get confusing warnings:

➜  openvpn git:(master) ✗ sudo src/openvpn/openvpn --config ~/lev.ovpn
--compress lz4-v2 --allow-compression yes
Thu May 14 16:16:26 2020 WARNING:  Compression enabled, Compression
has been used in the past to break encryption. Enabling decompression
of received packet only. Sent packets are not compressed.
Thu May 14 16:16:26 2020 WARNING: Compression enabled, Compression has
beenused in the past to break encryption. Allowing compression allows
attacks that break encryption. Using '--allow-compression yes' is
strongly discouraged for common usage. See --compress in the manual
page for more information
Thu May 14 16:16:26 2020 OpenVPN 2.5_git
[git:master/6001784afd89c4e9+] x86_64-apple-darwin19.4.0 [SSL
(OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 14 2020

1) The first warning is wrong, since I explicitly allowed compression.
Also it has unneeded whitespace in the beginning.

2) The second warning is missing whitespace ("beenused").

>   The logic of warnings etc in options.c has not been changed
>   since adding all the code to mutate_options would a lot more
>   and more complicated code and after discussion we decided that
>   it is okay as is.

Cannot we set some bit flags in options processing, like

COMP_WARN_GENERIC      1 << 0  // Compression enabled, Compression has been
                               // used in the past to break encryption.
COMP_WARN_ASYNC        1 << 1  // Enabling decompression of received packet
                               // only. Sent packets are not compressed.
COMP_WARN_ALLOWED_YES  1 << 2  // Using '--allow-compression yes' is
                               // strongly discouraged for common usage. See
                               // --compress in the manual page for more
                               // information

and handle them in options postprocessing -  excluding
COMP_ENABLED_WARN_ASYNC if COMP_ENABLED_WARN_YES is set and printing
the message?

-- 
-Lev
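
The bit-flag idea from the message above, written out as an added example (not code from this thread or from OpenVPN). The flag names and message texts come from the proposal; comp_warn_note() and comp_warn_emit() are hypothetical names, and the sketch assumes the emit step runs after pushed options have been applied, so a pushed "compress" still produces a warning.

```c
#include <stdio.h>
#include <string.h>

/* Flag names and message texts are taken from the proposal above. */
#define COMP_WARN_GENERIC     (1u << 0)
#define COMP_WARN_ASYNC       (1u << 1)
#define COMP_WARN_ALLOWED_YES (1u << 2)

#define MSG_GENERIC " Compression enabled, Compression has been used in the past to break encryption."
#define MSG_ASYNC   " Enabling decompression of received packet only. Sent packets are not compressed."
#define MSG_YES     " Using '--allow-compression yes' is strongly discouraged for common usage." \
                    " See --compress in the manual page for more information"

/* Hypothetical helper: record flags while one option (local or pushed) is parsed. */
unsigned comp_warn_note(unsigned flags, const char *opt, const char *arg)
{
    if (strcmp(opt, "compress") == 0 || strcmp(opt, "comp-lzo") == 0)
        flags |= COMP_WARN_GENERIC | COMP_WARN_ASYNC;
    else if (strcmp(opt, "allow-compression") == 0 && arg && strcmp(arg, "yes") == 0)
        flags |= COMP_WARN_ALLOWED_YES;
    return flags;
}

/* Hypothetical post-processing step: ASYNC is excluded when ALLOWED_YES is set,
 * and a single message is built. Returns the flags that were reported
 * (0 and an empty buffer if no compression option was seen). */
unsigned comp_warn_emit(unsigned flags, char *buf, size_t len)
{
    buf[0] = '\0';
    if (!(flags & COMP_WARN_GENERIC))
        return 0;
    if (flags & COMP_WARN_ALLOWED_YES)
        flags &= ~COMP_WARN_ASYNC;
    snprintf(buf, len, "WARNING:%s%s%s", MSG_GENERIC,
             (flags & COMP_WARN_ASYNC) ? MSG_ASYNC : "",
             (flags & COMP_WARN_ALLOWED_YES) ? MSG_YES : "");
    return flags;
}

int main(void)
{
    char buf[512];
    unsigned flags = 0;
    flags = comp_warn_note(flags, "allow-compression", "yes"); /* constructed local option */
    flags = comp_warn_note(flags, "compress", "lz4-v2");       /* constructed pushed option */
    if (comp_warn_emit(flags, buf, sizeof buf))
        puts(buf);
    return 0;
}
```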

