OpenVPN/openvpn
1
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2025-05-09 13:41:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

Make --cipher/--auth none more explicit on the risks

Browse Source 
The warning provided to --cipher and --auth using the 'none' setting may
not have been too clearly understandable to non-developers or people not
fully understanding encryption and cryptography.  This tries to improve
that.

While at it, also break up the long source lines.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170410222828.23612-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14436.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 7a1b6a0dd706a81897457b0456a951c0b30bbcfb)
This commit is contained in:
David Sommerseth 2017-04-11 00:28:28 +02:00
parent 69c4e0640e
commit 32b5cb60e3
No known key found for this signature in database
GPG Key ID: 86CF944C9671FDF2
2 changed files with 17 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/openvpn/crypto.c
View File

@ -455,7 +455,12 @@ init_key_type (struct key_type *kt, const char *ciphername,
else
{
if (warn)
msg (M_WARN, "******* WARNING *******: null cipher specified, no encryption will be used");
{
msg(M_WARN, "******* WARNING *******: '--cipher none' was specified. "
"This means NO encryption will be performed and tunnelled "
"data WILL be transmitted in clear text over the network! "
"PLEASE DO RECONSIDER THIS SETTING!");
}
}
if (authname && authname_defined)
{
@ -465,7 +470,13 @@ init_key_type (struct key_type *kt, const char *ciphername,
else
{
if (warn)
msg (M_WARN, "******* WARNING *******: null MAC specified, no authentication will be used");
{
msg(M_WARN, "******* WARNING *******: '--auth none' was specified. "
"This means no authentication will be performed on received "
"packets, meaning you CANNOT trust that the data received by "
"the remote side have NOT been manipulated. "
"PLEASE DO RECONSIDER THIS SETTING!");
}
}
}

5
src/openvpn/init.c
View File

@ -2394,7 +2394,10 @@ do_init_crypto_none (const struct context *c)
{
ASSERT (!c->options.test_crypto);
msg (M_WARN,
"******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext");
"******* WARNING *******: All encryption and authentication features "
"disabled -- All data will be tunnelled as clear text and will not be "
"protected against man-in-the-middle changes. "
"PLEASE DO RECONSIDER THIS CONFIGURATION!");
}
#endif