Acked-by: Gert Doering <g...@greenie.muc.de>

This patch survived all tests I threw at it (Linux and FreeBSD client and server, with and without DCO, including multiple p2mp clients on the server under test).

The "main" code change (dco_peer_id) is fairly straightforward, if one checks for the right values of "-1". The completely new bit in v3 is "multi_client_setup_dco_initial()", which packs all the "init a new p2mp DCO peer" into a single function, so early return is possible, and the path "anything DCO fails -> CAS_FAILED -> AUTH_FAILED" is easier to see.

We discussed - at breakfast - changes necessary to make the server not abort "if anything DCO fails" (v2 tried to set up a peer with "-1", which failed, and that did not lead to "CAS_FAILED" but to "server aborts"). The code in question is in ssl.c, init_key_contexts(), and it has two M_FATAL conditions - we should see that we can turn this into "kill the client instance, not the server". As discussed, "not being able to set up keys in DCO" is a race with "the kernel might have killed that instance just now, due to TCP RST etc.". This is not part of *this* patch yet, but it's not caused by this patch either - so no reason to not progress.

Your patch has been applied to the master branch.

commit 8d4dbb56e7dda87ef031fdf52c6d87e533250ff3
Author: Arne Schwabe
Date:   Sun Nov 27 10:07:42 2022 +0100

    Use dedicated multi->dco_peer_id for DCO instead of multi->peer_id

    Signed-off-by: Arne Schwabe <a...@rfc2549.org>
    Acked-by: Gert Doering <g...@greenie.muc.de>
    Message-Id: <20221127090742.3487997-1-a...@rfc2549.org>
    URL: https://www.mail-archive.com/search?l=mid&q=20221127090742.3487997-1-a...@rfc2549.org
    Signed-off-by: Gert Doering <g...@greenie.muc.de>

--
kind regards,

Gert Doering