ovpnmain.cgi: Completely remove compression for RW clients
authorMichael Tremer <michael.tremer@ipfire.org>
Tue, 19 Mar 2024 19:11:31 +0000 (20:11 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Mon, 23 Sep 2024 11:09:01 +0000 (13:09 +0200)
We will use the "compress migrate" option which disables compression by
default. If a client has been found that wants to use compression, the
server will push "stub-v2" to disable it. If that does not work, the
server might fall back to compression.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
html/cgi-bin/ovpnmain.cgi

index 975b7258f305868a7f59fe47c06fd813949840aa..818153b2fbe597eeffadf3681e9171e99cc10c77 100755 (executable)
@@ -278,9 +278,12 @@ sub writeserverconf {
     if ($sovpnsettings{'TLSAUTH'} eq 'on') {
        print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
     }
-    if ($sovpnsettings{DCOMPLZO} eq 'on') {
-        print CONF "comp-lzo\n";
-    }
+
+       # Compression
+       # Use migration to support clients that have compression enabled, but disable
+       # compression for everybody else.
+       print CONF "compress migrate\n";
+
     if ($sovpnsettings{REDIRECT_GW_DEF1} eq 'on') {
         print CONF "push \"redirect-gateway def1\"\n";
     }
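Review bot: The comment above `print CONF "compress migrate\n";` reads as if clients that have compression enabled keep it, while the commit message says the server pushes `stub-v2` and only "might fall back to compression"; the comment should state which outcome an operator can rely on, given that the removed UI text marked this setting as exploitable via Voracle. As far as I know, OpenVPN documents the migrate fallback as `comp-lzo no` framing without payload compression; if that is confirmed, say so, e.g. `# Legacy clients get "stub-v2" pushed, or comp-lzo framing with compression off; payload compression is never negotiated.` The directive is now written unconditionally, so the server config assumes the installed OpenVPN understands `migrate` (2.5 or later, I believe), and a note on that minimum version would help whoever backports this. writeserverconf starts and ends outside this hunk, so whether a later line or an included extra config can re-enable compression is not visible here.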
@@ -701,7 +704,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
     $vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'};
     $vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'};
     $vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'};
-    $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
     $vpnsettings{'ADDITIONAL_CONFIGS'} = $cgiparams{'ADDITIONAL_CONFIGS'};
     $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'};
     $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
@@ -2198,9 +2200,6 @@ else
        print CLIENTCONF "tls-auth ta.key\r\n";
        $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key")  or die "Can't add file ta.key\n";
     }
-    if ($vpnsettings{DCOMPLZO} eq 'on') {
-        print CLIENTCONF "comp-lzo\r\n";
-    }
     print CLIENTCONF "verb 3\r\n";
        # Check host certificate if X509 is RFC3280 compliant.
        # If not, old --ns-cert-type directive will be used.
@@ -2567,9 +2566,6 @@ ADV_ERROR:
     $checked{'REDIRECT_GW_DEF1'}{'off'} = '';
     $checked{'REDIRECT_GW_DEF1'}{'on'} = '';
     $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED';
-    $checked{'DCOMPLZO'}{'off'} = '';
-    $checked{'DCOMPLZO'}{'on'} = '';
-    $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
     $checked{'ADDITIONAL_CONFIGS'}{'off'} = '';
     $checked{'ADDITIONAL_CONFIGS'}{'on'} = '';
     $checked{'ADDITIONAL_CONFIGS'}{$cgiparams{'ADDITIONAL_CONFIGS'}} = 'CHECKED';
@@ -2782,11 +2778,6 @@ END
                <td><input type='checkbox' name='REDIRECT_GW_DEF1' $checked{'REDIRECT_GW_DEF1'}{'on'} /></td>
        </tr>
 
-    <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
-        <td><input type='checkbox' name='DCOMPLZO' $checked{'DCOMPLZO'}{'on'} /></td>
-        <td>$Lang::tr{'openvpn default'}: off <font color='red'>($Lang::tr{'attention'} exploitable via Voracle)</font></td>
-    </tr>
-
        <tr>
                <td class='base'>$Lang::tr{'ovpn add conf'}</td>
                <td><input type='checkbox' name='ADDITIONAL_CONFIGS' $checked{'ADDITIONAL_CONFIGS'}{'on'} /></td>