Re: [Openvpn-devel] [PATCH v4] Make compression asymmetric by default and add warnings
Hi,

> Is that an "ACKed if Gert changes the text of the message as suggested"
> (which is a typo, so okay-ish),

Yes, ACKed if the committer (Gert) will change the message.

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH v4] Make compression asymmetric by default and add warnings
Hi,

On Fri, Jun 26, 2020 at 12:51:34PM +0300, Lev Stipakov wrote:
> Semi-acked-by: Lev-Stipakov

Is that an "ACKed if Gert changes the text of the message as suggested"
(which is a typo, so okay-ish), or "Arne should send a new version"?

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de

Re: [Openvpn-devel] [PATCH v4] Make compression asymmetric by default and add warnings
Hi,

Apologies for the delay. I tested with various combinations of flags and the code works as expected.

Let's reword messages as you proposed:

> We reword the message a bit so that two messages are not that bad if both
> are shown:
>
> WARNING: Compression for receiving enabled, Compression
> has been used in the past to break encryption. Sent packet are not compress
> unless "allow-compression yes" is also set.

A small typo:

.. Sent packets are not compressed ...

> WARNING: Compression for sending and receiving enabled, Compression has
> been used in the past to break encryption. Allowing compression allows
> attacks that break encryption. Using '--allow-compression yes' is
> strongly discouraged for common usage. See --compress in the manual
> page for more information

Semi-acked-by: Lev-Stipakov

--
-Lev

Re: [Openvpn-devel] [PATCH v4] Make compression asymmetric by default and add warnings
> Cannot we set some bit flags in options processing, like
>
> COMP_WARN_GENERIC 1 << 0 // Compression enabled, Compression has been
> used in the past to break encryption.
> COMP_WARN_ASYNC 1 << 1 // Enabling decompression of received packet
> only. Sent packets are not compressed.
> COMP_WARN_ALLOWED_YES 1 << 2 // Using '--allow-compression yes' is
> strongly discouraged for common usage. See --compress in the manual
> page for more information
>
> and handle them in options postprocessing - excluding
> COMP_ENABLED_WARN_ASYNC if COMP_ENABLED_WARN_YES is set and printing
> the message?

Same explanation as last time when Steffan reviewed this patch. The warning should also show up in pushed options. And I don't want to complicate the logic to avoid an extra warning for a corner case.

We reword the message a bit so that two messages are not that bad if both are shown:

WARNING: Compression for receiving enabled, Compression has been used in the past to break encryption. Sent packet are not compress unless "allow-compression yes" is also set.

WARNING: Compression for sending and receiving enabled, Compression has been used in the past to break encryption. Allowing compression allows attacks that break encryption. Using '--allow-compression yes' is strongly discouraged for common usage. See --compress in the manual page for more information

Re: [Openvpn-devel] [PATCH v4] Make compression asymmetric by default and add warnings
Hi,

> Warning for comp-lzo/compress are not generated in the post option check
> (options_postprocess_mutate) since these warnings should also be shown
> on pushed options. Moving the showing the warning showing for

Typo in the last sentence.

If I want to use compression and specify algorithm, I got confusing warnings:

    ➜ openvpn git:(master) ✗ sudo src/openvpn/openvpn --config ~/lev.ovpn --compress lz4-v2 --allow-compression yes
    Thu May 14 16:16:26 2020 WARNING: Compression enabled, Compression has been used in the past to break encryption. Enabling decompression of received packet only. Sent packets are not compressed.
    Thu May 14 16:16:26 2020 WARNING: Compression enabled, Compression has beenused in the past to break encryption. Allowing compression allows attacks that break encryption. Using '--allow-compression yes' is strongly discouraged for common usage. See --compress in the manual page for more information
    Thu May 14 16:16:26 2020 OpenVPN 2.5_git [git:master/6001784afd89c4e9+] x86_64-apple-darwin19.4.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 14 2020

1) The first warning is wrong, since I explicitly allowed compression. Also it has unneeded whitespace in the beginning.

2) The second warning is missing whitespace ("beenused").

> The logic of warnings etc in options.c has not been changed
> since adding all the code to mutate_options would a lot more
> and more complicated code and after discussion we decided that
> it is okay as is.

Cannot we set some bit flags in options processing, like

    COMP_WARN_GENERIC 1 << 0 // Compression enabled, Compression has been used in the past to break encryption.
    COMP_WARN_ASYNC 1 << 1 // Enabling decompression of received packet only. Sent packets are not compressed.
    COMP_WARN_ALLOWED_YES 1 << 2 // Using '--allow-compression yes' is strongly discouraged for common usage. See --compress in the manual page for more information

and handle them in options postprocessing - excluding COMP_ENABLED_WARN_ASYNC if COMP_ENABLED_WARN_YES is set and printing the message?

--
-Lev
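
The bit-flag idea proposed in this message, as an added sketch (not code from the patch or from OpenVPN): flags are recorded while options are parsed and resolved in one place, and the resolve step can be re-run after pushed options arrive so those still produce a warning. The flag names follow the message; `struct comp_warn`, `comp_warn_note`, `comp_warn_flush` and `comp_warn_text` are hypothetical, and treating any `compress`/`comp-lzo` line as enabling compression is a simplifying assumption.

```c
#include <stdio.h>
#include <string.h>

/* Flag names and message fragments follow the proposal in the message above. */
#define COMP_WARN_GENERIC     (1u << 0)
#define COMP_WARN_ASYNC       (1u << 1)
#define COMP_WARN_ALLOWED_YES (1u << 2)

/* Hypothetical state: what parsing has seen, and what was already logged. */
struct comp_warn { unsigned seen, printed; };

/* Record one option; called for local and pushed options alike.
 * Assumption: any compress/comp-lzo line counts as enabling compression. */
static void comp_warn_note(struct comp_warn *w, const char *opt, const char *arg)
{
    if (!strcmp(opt, "compress") || !strcmp(opt, "comp-lzo"))
        w->seen |= COMP_WARN_GENERIC | COMP_WARN_ASYNC;
    else if (!strcmp(opt, "allow-compression") && arg && !strcmp(arg, "yes"))
        w->seen |= COMP_WARN_GENERIC | COMP_WARN_ALLOWED_YES;
}

/* Postprocessing: ALLOWED_YES suppresses ASYNC. Returns the mask to log now,
 * or 0 when nothing new has appeared since the previous call. */
static unsigned comp_warn_flush(struct comp_warn *w)
{
    unsigned want = w->seen;
    if (want & COMP_WARN_ALLOWED_YES)
        want &= ~COMP_WARN_ASYNC;
    if (!(want & ~w->printed))
        return 0;
    w->printed |= want;
    return want;
}

/* Map a resolved mask to a single warning line. */
static const char *comp_warn_text(unsigned mask)
{
    if (mask & COMP_WARN_ALLOWED_YES)
        return "WARNING: Compression enabled, Compression has been used in the "
               "past to break encryption. Using '--allow-compression yes' is "
               "strongly discouraged for common usage.";
    if (mask & COMP_WARN_ASYNC)
        return "WARNING: Compression enabled, Compression has been used in the "
               "past to break encryption. Enabling decompression of received "
               "packet only. Sent packets are not compressed.";
    return NULL;
}
```

Calling `comp_warn_flush` once after the local configuration and again after a push reply prints each resolved warning at most once.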