Re: [Openvpn-devel] [PATCH 2/3] Reject unadvertised compression algorithms

2018-06-03 Thread Gert Doering
Hi On Sun, Jun 03, 2018 at 12:48:36PM +0200, Gert Doering wrote: > On Sun, Jun 03, 2018 at 12:11:57PM +0200, Steffan Karger wrote: > > A server should not push us compression algorithms we didn't specify. If > > the server does so anyway, reject the compression algorithm. > > I can see why you

Re: [Openvpn-devel] [PATCH 1/2] make tls-auth a per-connection-block option

2018-06-03 Thread Steffan Karger
Hi, On 02-06-18 05:42, Antonio Quartulli wrote: > Different VPN servers may use different tls-auth keys. For this > reason it is convenient to make tls-auth a per-connection-block > option so that the user is allowed to specify one key per remote. Want! This also helps with tls-auth key

Re: [Openvpn-devel] [PATCH 3/3] Print a --verb 1 warning when a connection uses compression

2018-06-03 Thread Selva Nair
Hi, On Sun, Jun 3, 2018 at 6:11 AM, Steffan Karger wrote: > Can be suppressed by adding a "nowarn" flag to the compress options, for > those that are really sure that compression is fine for their use case. > > Signed-off-by: Steffan Karger > --- > This patch is also meant to discuss how far we

Re: [Openvpn-devel] [PATCH 1/2] make tls-auth a per-connection-block option

2018-06-03 Thread Antonio Quartulli
Hi, On 03/06/18 16:27, Steffan Karger wrote: > Hi, > > On 02-06-18 05:42, Antonio Quartulli wrote: >> Different VPN servers may use different tls-auth keys. For this >> reason it is convenient to make tls-auth a per-connection-block >> option so that the user is allowed to specify one key per

[Openvpn-devel] [PATCH 3/3] Print a --verb 1 warning when a connection uses compression

2018-06-03 Thread Steffan Karger
Can be suppressed by adding a "nowarn" flag to the compress options, for those that are really sure that compression is fine for their use case. Signed-off-by: Steffan Karger --- This patch is also meant to discuss how far we want to go in warning users about using compression. I think this

[Openvpn-devel] [PATCH 2/3] Reject unadvertised compression algorithms

2018-06-03 Thread Steffan Karger
A server should not push us compression algorithms we didn't specify. If the server does so anyway, reject the compression algorithm. This will result in a warning being printed, and a non-working connection to be set up. This is currently our way to "handle push/pull errors", which should
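The rejection rule this patch message describes, written out as an added example in Python (not OpenVPN's code). It assumes a "PUSH_REPLY,opt1,opt2,..." layout and the "compress [alg]" / "comp-lzo [yes|no|adaptive]" option spellings for illustration; the policy is that a pushed option may only enable a compression algorithm the client itself configured, while options that disable compression or are unrelated to it pass through, and any rejected option makes the whole push fail rather than silently enabling compression.

```python
"""Client-side policy for pushed compression options (added example)."""
from dataclasses import dataclass, field


@dataclass
class PushResult:
    """Outcome of applying one PUSH_REPLY: a non-empty 'rejected' list is a
    push/pull error, i.e. the connection is not set up."""
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.rejected


def compression_algorithm(option: str):
    """Map a pushed option line to the algorithm it would enable.

    Returns None for options unrelated to compression, "none" for options
    that disable it ("compress" with no argument, "comp-lzo no"), otherwise
    the algorithm name. The spellings are assumptions for this example.
    """
    words = option.split()
    if not words:
        return None
    if words[0] == "compress":
        return words[1] if len(words) > 1 else "none"
    if words[0] == "comp-lzo":
        return "none" if len(words) > 1 and words[1] == "no" else "lzo"
    return None


def apply_push_reply(push_reply: str, configured: set) -> PushResult:
    """Parse 'PUSH_REPLY,opt1,opt2,...' and enforce the policy.

    'configured' is the set of compression algorithms the local config asked
    for, e.g. {"lz4"}, {"lzo"} or set() when no compression was configured.
    """
    result = PushResult()
    if not push_reply.startswith("PUSH_REPLY,"):
        result.rejected.append(push_reply)
        result.warnings.append("not a PUSH_REPLY message")
        return result
    for option in push_reply[len("PUSH_REPLY,"):].split(","):
        alg = compression_algorithm(option)
        if alg is None or alg == "none" or alg in configured:
            result.accepted.append(option)
        else:
            result.rejected.append(option)
            result.warnings.append(
                f"pushed compression '{alg}' was not advertised by this "
                f"client; rejecting '{option}'")
    return result


if __name__ == "__main__":
    # Constructed push reply: the client configured lz4, the server pushes
    # lz4-v2, so the compression option is rejected and the push fails.
    reply = "PUSH_REPLY,route 10.8.0.0 255.255.255.0,compress lz4-v2,ping 10"
    res = apply_push_reply(reply, {"lz4"})
    for w in res.warnings:
        print("WARNING:", w)
    print("push ok:", res.ok, "accepted:", res.accepted)
```

Treating a rejected option as a hard failure, rather than continuing with the remaining options, is the conservative choice: a client that silently ignores part of a push and keeps the tunnel up leaves the user unsure which side's settings are actually in effect.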

[Openvpn-devel] [PATCH 1/3] man: add security considerations to --compress section

2018-06-03 Thread Steffan Karger
As Ahamed Nafeez reported to the OpenVPN security team, we did not sufficiently inform our users about the risks of combining encryption and compression. This patch adds a "Security Considerations" paragraph to the --compress section of the manpage to point the risks out to our users.
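The risk the new "Security Considerations" paragraph is about, shown as an added Python example that is not part of the patch or of OpenVPN: when attacker-controlled data and a secret are compressed together before encryption, the ciphertext length reveals how well a guess matched the secret, and the secret can be recovered byte by byte. To keep the sizes exact and reproducible the example uses a minimal greedy LZ77 cost model (one unit per literal, two per back-reference) instead of real DEFLATE; zlib shows the same effect with some Huffman noise. The request layout, the cookie name and the hex alphabet are constructed assumptions.

```python
"""Compression oracle: why compressing secrets next to attacker data leaks them.

Added example (not OpenVPN code) with a toy LZ77 cost model.
"""

# Constructed scenario: the attacker knows the cookie name, not its value,
# and can make the victim send requests with a chosen URL over the tunnel.
COOKIE_NAME = b"session="
SECRET_VALUE = b"7f3a9c"          # what the attacker wants to recover
ALPHABET = b"0123456789abcdef"    # assumption: the value is lowercase hex
MIN_MATCH = 3


def lz77_cost(data: bytes, window: int = 4096) -> int:
    """Greedy LZ77 token cost: 1 per literal byte, 2 per (offset, length)
    back-reference of at least MIN_MATCH bytes."""
    i, cost = 0, 0
    while i < len(data):
        best = 0
        for j in range(max(0, i - window), i):
            k = 0
            while i + k < len(data) and data[j + k] == data[i + k]:
                k += 1
            best = max(best, k)
        if best >= MIN_MATCH:
            cost += 2
            i += best
        else:
            cost += 1
            i += 1
    return cost


def compressed_size(attacker_input: bytes) -> int:
    """Size of one packet in which the attacker-chosen URL and the secret
    Cookie header are compressed together before encryption. Encryption
    hides the bytes but not the length, so this is what an on-path
    observer measures."""
    plaintext = (b"GET /?q=" + attacker_input + b" HTTP/1.1\r\n"
                 + b"Cookie: " + COOKIE_NAME + SECRET_VALUE + b"\r\n")
    return lz77_cost(plaintext)


def recover_secret(length: int = len(SECRET_VALUE)) -> bytes:
    """Byte-at-a-time recovery: the guess producing the shortest packet
    extends the longest back-reference into the real cookie, so it is the
    correct next byte."""
    known = b""
    while len(known) < length:
        sizes = {bytes([c]): compressed_size(COOKIE_NAME + known + bytes([c]))
                 for c in ALPHABET}
        known += min(sizes, key=sizes.get)
    return known


if __name__ == "__main__":
    print("right first byte:", compressed_size(COOKIE_NAME + b"7"))
    print("wrong first byte:", compressed_size(COOKIE_NAME + b"a"))
    print("recovered:", recover_secret())
```

The attacker never sees plaintext; every measurement is the length of an encrypted packet, which is exactly what a VPN tunnel does not hide. That is why the mitigation is to not compress at all when any part of the compressed stream can be influenced by an adversary, rather than to pick a stronger cipher.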

Re: [Openvpn-devel] [PATCH 2/3] Reject unadvertised compression algorithms

2018-06-03 Thread Gert Doering
Hi, On Sun, Jun 03, 2018 at 12:11:57PM +0200, Steffan Karger wrote: > A server should not push us compression algorithms we didn't specify. If > the server does so anyway, reject the compression algorithm. I can see why you do this, but if I understand this right, this will break lots of

[Openvpn-devel] [PATCH applied] Re: man: add security considerations to --compress section

2018-06-03 Thread Gert Doering
This makes sense. Whatever else we do, explaining the *why* parts is helping users make an educated choice. Acked-By: Gert Doering Your patch has been applied to the master and release/2.4 branch. commit a59fd1475089eda4c89942d345070bb942180223 (master) commit

Re: [Openvpn-devel] [PATCH 3/3] Print a --verb 1 warning when a connection uses compression

2018-06-03 Thread Arne Schwabe
Am 03.06.18 um 12:11 schrieb Steffan Karger: > +msg(M_INFO, "WARNING: Compression enabled, might be insure. " > +"See --compress in the man page."); With my client maintainer hat on, this message is too vague. People will ask why compression is insure, because
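Review bot: the warning string in the quoted msg() call misspells "insecure" as "insure" ("might be insure"), so the message should read "WARNING: Compression enabled, might be insecure." before it lands; since the same string is what users will search for and quote back, fixing the spelling also makes the reply to Arne's concern cheaper, as the sentence can then name the reason (compression of attacker-influenced data leaks information about other data in the same stream) instead of only pointing at the man page.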

Re: [Openvpn-devel] [PATCH 1/2] make tls-auth a per-connection-block option

2018-06-03 Thread Antonio Quartulli
Hi all, On 02/06/18 11:42, Antonio Quartulli wrote: > Different VPN servers may use different tls-auth keys. For this > reason it is convenient to make tls-auth a per-connection-block > option so that the user is allowed to specify one key per remote. > > If no tls-auth option is specified in a