Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support data-ciphers and data-ciphers-fallback options #444

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Support data-ciphers and data-ciphers-fallback options #444

wants to merge 1 commit into from

Conversation

rvm-peercode
Copy link

Pull Request (PR) description

Support data-ciphers and data-ciphers-fallback options for OpenVPN 2.5.

This Pull Request (PR) fixes the following issues: n/a

smortex
smortex reviewed May 22, 2023
View reviewed changes
Copy link
Member

@smortex smortex left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some minor data types issues. I added in-line comments to address them.

I would suggest to stick to String in this PR to match the rest of the module for now, and if you are up to it work on improving the module so that OpenVPN use the default values (i.e. no parameter is output) when no explicit value is provided instead of when a '' is passed in another PR that will go in a new major release.

manifests/client.pp Outdated
@@ -61,6 +63,8 @@
Boolean $pam = false,
String $cipher = 'AES-256-GCM',
String $tls_cipher = 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256',
Optional[String] $data_ciphers = 'AES-256-GCM:AES-128-GCM',
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Optional with a default value cannot be forced to undef. Since we test the value against '', it make sense to only allow String:

Suggested change
Optional[String] $data_ciphers = 'AES-256-GCM:AES-128-GCM',
String $data_ciphers = 'AES-256-GCM:AES-128-GCM',

manifests/client.pp Outdated
@@ -61,6 +63,8 @@
Boolean $pam = false,
String $cipher = 'AES-256-GCM',
String $tls_cipher = 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256',
Optional[String] $data_ciphers = 'AES-256-GCM:AES-128-GCM',
Optional[String] $data_ciphers_fallback = undef,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we test the value against '' bellow, it make sense to only allow String:

Suggested change
Optional[String] $data_ciphers_fallback = undef,
String $data_ciphers_fallback = '',

Admitedly this is inelegant, but it is the may this module currently duplicate all config.

@rvm-peercode
Copy link
Author

I would suggest to stick to String in this PR to match the rest of the module for now

Just a quick question: if the vars are not Optional, how would that work with OpenVPN versions that don't support these yet? I added them as optional so as not to break config for OpenVPN 2.4 and before.

@smortex
Copy link
Member

smortex commented May 25, 2023

An optional parameter with a default value cannot be forced to "back" to undef: it will take the default value:

class foo (
  Optional[String] $x = 'foo',
) {
  warning("x=${x}")
}

class { 'foo':
  x => undef, # This will print "x=foo"
}

If the parameters are new, indeed adding them to the config may cause trouble with older versions. My recommendation then would be make sure these parameters are only output when the user provided a value for them. This would mean defaulting to '' (what the module seems to currently do) or undef (preferred because it is more correct semantically speaking and allow better type checking).

class foo (
  Optional[String[1]] $x = undef,
  String              $y = '',
) {
  # ...
}

and the corresponding template:

<% if $x { %>
x = <%= $x %>
<% } %>
<% if $y != '' { %>
y = <%= $y %>
<% } %>

@rvm-peercode
Support data-ciphers and data-ciphers-fallback options
5fea37d 
These are new in OpenVPN 2.5.
Since they are not supported in OpenVPN 2.4, they aren't produced in the
output unless they are changed from the default.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smortex smortex smortex left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rvm-peercode @smortex