This implies that also ``--management-client-pf`` and any other compile
time or run time related option do not exist any longer.
+Option conflict checking is being deprecated and phased out
+ The static option checking (OCC) is no longer useful in typical setups
+ that negotiate most connection parameters. The ``--opt-verify`` and
+ ``--occ-disable`` options are deprecated, and the configure option
+ ``--enable-strict-options`` has been removed. Logging of mismatched
+ options has been moved to debug logging (verb 7).
User-visible Changes
--------------------
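Review bot: the new Changes.rst entry should say explicitly that the mismatch message is no longer emitted at default verbosity, since `options_warning_safe()` in this patch drops from `M_WARN` to `D_SHOW_OCC`; "moved to debug logging (verb 7)" is accurate but operators who grep logs for that warning will want a plain statement that they must raise `--verb` to 7 to see it again.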
test "${enable_small}" = "yes" && AC_DEFINE([ENABLE_SMALL], [1], [Enable smaller executable size])
test "${enable_fragment}" = "yes" && AC_DEFINE([ENABLE_FRAGMENT], [1], [Enable internal fragmentation support])
test "${enable_port_share}" = "yes" && AC_DEFINE([ENABLE_PORT_SHARE], [1], [Enable TCP Server port sharing])
-test "${enable_strict_options}" = "yes" && AC_DEFINE([ENABLE_STRICT_OPTIONS_CHECK], [1], [Enable strict options check between peers])
test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes])
if test "${have_export_keying_material}" = "yes"; then
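Review bot: this hunk only drops the `AC_DEFINE` for `ENABLE_STRICT_OPTIONS_CHECK`; the `AC_ARG_ENABLE` that sets `enable_strict_options` is not visible here, and Changes.rst states the `--enable-strict-options` configure switch was removed, so confirm that the argument definition and its help text are removed in the same change rather than leaving `--enable-strict-options` accepted as a silent no-op.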
older than version 2.4 to connect.
--disable-occ
- Disable "options consistency check" (OCC).
+ **DEPRECATED** Disable "options consistency check" (OCC) in configurations
+ that do not use TLS.
Don't output a warning message if option inconsistencies are detected
between peers. An example of an option inconsistency would be where one
the kernel routing table.
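Review bot: the description that follows the new `**DEPRECATED**` line still reads "Don't output a warning message if option inconsistencies are detected", which is no longer what the option controls once the warning itself is downgraded to verb 7 and `ssl.c` no longer consults `disable_occ` on the TLS path; reword the paragraph to match the restricted scope ("in configurations that do not use TLS") introduced on the line above it.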
--opt-verify
- Clients that connect with options that are incompatible with those of the
- server will be disconnected.
+ **DEPRECATED** Clients that connect with options that are incompatible with
+ those of the server will be disconnected.
Options that will be compared for compatibility include ``dev-type``,
``link-mtu``, ``tun-mtu``, ``proto``, ``ifconfig``,
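Review bot: the man page marks `--opt-verify` deprecated without a removal target, while the parser hunk in `options.c` tells the user it "will be removed in OpenVPN 2.7"; put the same version here, e.g. `**DEPRECATED** (will be removed in OpenVPN 2.7) Clients that connect ...`, so the documentation and the runtime message agree.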
#define D_DCO LOGLEV(3, 0, 0) /* show DCO related messages */
#define D_SHOW_PARMS LOGLEV(4, 50, 0) /* show all parameters on program initiation */
-#define D_SHOW_OCC LOGLEV(4, 51, 0) /* show options compatibility string */
#define D_LOW LOGLEV(4, 52, 0) /* miscellaneous low-frequency debug info */
#define D_DHCP_OPT LOGLEV(4, 53, 0) /* show DHCP options binary string */
#define D_MBUF LOGLEV(4, 54, 0) /* mbuf.[ch] routines */
#define D_CRYPTO_DEBUG LOGLEV(7, 70, M_DEBUG) /* show detailed info from crypto.c routines */
#define D_PID_DEBUG LOGLEV(7, 70, M_DEBUG) /* show packet-id debugging info */
#define D_PUSH_DEBUG LOGLEV(7, 73, M_DEBUG) /* show push/pull debugging info */
+#define D_SHOW_OCC LOGLEV(7, 74, M_DEBUG) /* show options compatibility string */
+
#define D_VLAN_DEBUG LOGLEV(7, 74, M_DEBUG) /* show VLAN tagging/untagging debug info */
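Review bot: the re-added `D_SHOW_OCC` is given mute level 74, the same value `D_VLAN_DEBUG` already uses on the very next line, so `--mute` would treat OCC and VLAN debug output as one message class; assign an unused level (73 is taken by `D_PUSH_DEBUG`, so the next free value in this block). The added blank line between the two defines also breaks the one-define-per-line layout of the surrounding block and should be dropped.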
to.xmit_hold = true;
}
- to.disable_occ = !options->occ;
-
to.verify_command = options->tls_verify;
to.verify_export_cert = options->tls_export_cert;
to.verify_x509_type = (options->verify_x509_type & 0xff);
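Review bot: with `to.disable_occ = !options->occ;` removed and the `ssl.c` hunk dropping its only reader, the `disable_occ` member of the TLS options struct (not shown in this patch) becomes dead state; remove it from the struct definition as well so the field cannot be reintroduced half-wired later, and confirm `options->occ` is still consumed somewhere for the non-TLS case the man page now describes.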
"--status file [n] : Write operational status to file every n seconds.\n"
"--status-version [n] : Choose the status file format version number.\n"
" Currently, n can be 1, 2, or 3 (default=1).\n"
- "--disable-occ : Disable options consistency check between peers.\n"
+ "--disable-occ : (DEPRECATED) Disable options consistency check between peers.\n"
#ifdef ENABLE_DEBUG
"--gremlin mask : Special stress testing mode (for debugging only).\n"
#endif
" OTP based two-factor auth mechanisms are in use and\n"
" --reneg-* options are enabled. Optionally a lifetime in seconds\n"
" for generated tokens can be set.\n"
- "--opt-verify : Clients that connect with options that are incompatible\n"
+ "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n"
" with those of the server will be disconnected.\n"
"--auth-user-pass-optional : Allow connections by clients that don't\n"
" specify a username/password.\n"
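Review bot: inserting `(DEPRECATED)` into the `--opt-verify` usage line pushes it past 80 columns, unlike the `--disable-occ` line in the previous hunk; move "Clients that connect with options that are incompatible" onto the continuation line, e.g. `"--opt-verify : (DEPRECATED) Clients that connect with options\n"` followed by `" that are incompatible with those of the server will be disconnected.\n"`.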
if (actual_n > 0)
{
actual[actual_n - 1] = 0;
-#ifndef ENABLE_STRICT_OPTIONS_CHECK
if (strncmp(actual, expected, 2))
{
msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
}
else
-#endif
- ret = !strcmp(actual, expected);
+ {
+ ret = !strcmp(actual, expected);
+ }
}
gc_free(&gc);
return ret;
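Review bot: removing the `#ifndef ENABLE_STRICT_OPTIONS_CHECK` guard makes the "version differs" branch unconditional, so whenever the first two characters of `actual` and `expected` differ the `strcmp` is skipped and `ret` keeps whatever it was initialised to earlier in the function (not in this hunk); since this return value now decides unconditionally whether `--opt-verify` disconnects the client, double-check that initial value, and note that the "may be skewed by version differences" message in that branch is logged at `D_SHOW_OCC`, i.e. invisible below verb 7 after this patch.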
void
options_warning_safe(char *actual, const char *expected, size_t actual_n)
{
- options_warning_safe_ml(M_WARN, actual, expected, actual_n);
+ options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
}
const char *
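Review bot: `options_warning_safe()` now logs at `D_SHOW_OCC` instead of `M_WARN`, so a function named "warning" no longer emits a warning at default verbosity; either rename it to reflect the debug-level output or add a comment at its definition stating that callers get verb-7 output only, so nobody later relies on it for operator-visible diagnostics.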
else if (streq(p[0], "opt-verify") && !p[1])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
+ msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed "
+ "in OpenVPN 2.7");
options->ssl_flags |= SSLF_OPT_VERIFY;
}
else if (streq(p[0], "auth-user-pass-verify") && p[1])
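Review bot: `--opt-verify` gets a runtime `DEPRECATION:` message here, but `--disable-occ`, which this patch also marks DEPRECATED in the man page and usage text, gets none; add a matching `msg(M_INFO, ...)` in the `disable-occ` parsing branch so users of either option learn of the deprecation from the log and not only from the documentation.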
}
/* check options consistency */
- if (!session->opt->disable_occ
- && !options_cmp_equal(options, session->opt->remote_options))
+ if (!options_cmp_equal(options, session->opt->remote_options))
{
const char *remote_options = session->opt->remote_options;
#ifdef USE_COMP
if (multi->opt.comp_options.flags & COMP_F_MIGRATE && multi->remote_usescomp)
{
- msg(D_SHOW_OCC, "Note: 'compress migrate' detected remote peer "
+ msg(D_PUSH, "Note: 'compress migrate' detected remote peer "
"with compression enabled.");
remote_options = options_string_compat_lzo(remote_options, &gc);
}
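Review bot: besides dropping the `disable_occ` check, this hunk quietly moves the `'compress migrate' detected remote peer` note from `D_SHOW_OCC` to `D_PUSH`, a verbosity change unrelated to the OCC deprecation that the Changes.rst entry does not mention; either call it out there or split it into its own commit with its own justification.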