From 32b5cb60e354f486c98408e6870af3a9c03ff865 Mon Sep 17 00:00:00 2001
From: David Sommerseth
Date: Tue, 11 Apr 2017 00:28:28 +0200
Subject: [PATCH] Make --cipher/--auth none more explicit on the risks
The warning provided to --cipher and --auth using the 'none' setting may not have been too clearly understandable to non-developers or people not fully understanding encryption and cryptography. This tries to improve that. While at it, also break up the long source lines.
Signed-off-by: David Sommerseth
Acked-by: Steffan Karger
Message-Id: <20170410222828.23612-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14436.html
Signed-off-by: David Sommerseth
(cherry picked from commit 7a1b6a0dd706a81897457b0456a951c0b30bbcfb)
---
 src/openvpn/crypto.c | 15 +++++++++++++--
 src/openvpn/init.c | 5 ++++-
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 206308aa6..e9d6f03f7 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -455,7 +455,12 @@ init_key_type (struct key_type *kt, const char *ciphername,
 else
 {
 if (warn)
- msg (M_WARN, "******* WARNING *******: null cipher specified, no encryption will be used");
+ {
+ msg(M_WARN, "******* WARNING *******: '--cipher none' was specified. " "This means NO encryption will be performed and tunnelled " "data WILL be transmitted in clear text over the network! " "PLEASE DO RECONSIDER THIS SETTING!");
+ }
 }
 if (authname && authname_defined)
 {
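Review bot: The added `msg(M_WARN, ...)` call drops the space before the opening parenthesis that this file otherwise uses — the removed line reads `msg (M_WARN,`, and the init.c hunk keeps `msg (M_WARN,` and `ASSERT (...)` in the same style — so the new line stands out from its surroundings; presumably the cherry-pick carried over the formatting of the original branch. Keep the branch's convention here and in the second crypto.c hunk: `msg (M_WARN, "******* WARNING *******: '--cipher none' was specified. "`. The implicit string concatenation across the continuation lines is fine as written. The enclosing init_key_type starts and ends outside this hunk.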
@@ -465,7 +470,13 @@ init_key_type (struct key_type *kt, const char *ciphername,
 else
 {
 if (warn)
- msg (M_WARN, "******* WARNING *******: null MAC specified, no authentication will be used");
+ {
+ msg(M_WARN, "******* WARNING *******: '--auth none' was specified. " "This means no authentication will be performed on received " "packets, meaning you CANNOT trust that the data received by " "the remote side have NOT been manipulated. " "PLEASE DO RECONSIDER THIS SETTING!");
+ }
 }
 }
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index dc6347580..227d2c62a 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2394,7 +2394,10 @@ do_init_crypto_none (const struct context *c)
 {
 ASSERT (!c->options.test_crypto);
 msg (M_WARN,
- "******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext");
+ "******* WARNING *******: All encryption and authentication features " "disabled -- All data will be tunnelled as clear text and will not be " "protected against man-in-the-middle changes. " "PLEASE DO RECONSIDER THIS CONFIGURATION!");
 }
 #endif
-- 
2.47.2
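Review bot: The new '--auth none' text names the wrong endpoint: the sentence starts with "no authentication will be performed on received packets", i.e. packets this side receives, but then says the user cannot trust "the data received by the remote side", which points at the peer instead and may leave a reader thinking only the other end is exposed. Suggest `"packets, meaning you CANNOT trust that the data received from "` followed by `"the remote side have NOT been manipulated. "`, or more simply "that received data have NOT been manipulated in transit". What the peer can verify depends on the peer's own --auth setting, which this code cannot know, so keeping the warning about the local side is the accurate statement. The enclosing init_key_type starts outside this hunk.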