Warn that DH config option is only meaningful in a tls-server context

If specified in a tls-client context, don't try to open the file as it's
not used. Worse even, if 'none' was specified to disable explicitly, it
complained that the file 'none' could not be found.

[DS: On-the-fly update - Prefixed the message with 'WARNING: ']

Signed-off-by: Gert van Dijk <gert@gertvandijk.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170827161515.2424-1-gert@gertvandijk.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15332.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 47a0a80b7718fe88451c82bdfe838e5a6e3c4248)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 79429d528b5819fc24a6623f156284c9f5bfbfd8..8dee5d13d0a5da9bb9b0d1e54632f3dd0b93c99c 100644 (file)
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -3027,6 +3027,13 @@ options_postprocess_mutate(struct options *o)
             o->dh_file = NULL;
         }
     }
+    else if (o->dh_file)
+    {
+        /* DH file is only meaningful in a tls-server context. */
+        msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
+                    "include this in your server configuration");
+        o->dh_file = NULL;
+    }
 
     /* cipher negotiation (NCP) currently assumes --pull or --mode server */
     if (o->ncp_enabled