Added additional warnings for:

* --tls-remote -- some people misunderstand the semantics

* --script-security -- warn if script-security will allow user-defined
  scripts to be called, and also warn separately if passwords may be
  passed to scripts via the environment

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3129 e7ae566f-a301-0410-adde-c780ea21d3b5

diff --git a/init.c b/init.c
index 6f762c9fa85e5e95f99e2203e0249602281e506b..4b84b9e2ed99fa4b548a0673f873d846fd547f81 100644 (file)
--- a/init.c
+++ b/init.c
@@ -1982,6 +1982,8 @@ do_option_warnings (struct context *c)
       && !(o->ns_cert_type & NS_SSL_SERVER)
       && !o->remote_cert_eku)
     msg (M_WARN, "WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.");
+  if (o->tls_remote)
+    msg (M_WARN, "WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).");
 #endif
 #endif
 
@@ -1989,6 +1991,11 @@ do_option_warnings (struct context *c)
   if (o->ce.connect_timeout_defined)
     msg (M_WARN, "NOTE: --connect-timeout option is not supported on this OS");
 #endif
+
+  if (script_security >= SSEC_SCRIPTS)
+    msg (M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
+  if (script_security >= SSEC_PW_ENV)
+    msg (M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
 }
 
 static void