Hi,

On Thu, Sep 22, 2016 at 6:04 AM, David Sommerseth <dav...@openvpn.net> wrote:
> If running an OpenVPN client with --enable-pkcs11 and a server without
> and having a username and/or password with more than 128 characters,
> the authentication will fail as the server truncates the password
> to 128 bytes.
>
> This makes things easier and more predictable. Username/passwords
> can be up to 4096 bytes, regardless of the --enable-pkcs11 state.
>

In spite of this change, in most usage scenarios, username, password and even pkcs11-id are limited to a much smaller length (more like ~256 bytes) for other reasons:

The pkcs11-id is the only string that probably needs such a long length, but it's limited to ~240 bytes when read from the config file because of the max line length of 256 bytes + 1 for NUL (in some code paths 255?). Even if the max line length is increased, the max size of an option parameter is 256 bytes (+ 1 for NUL).

The 256 byte limit on parameters in responses received from management (pointed out by Jonathan) is also somewhat related to the above: input from management goes through the same parsing code as the lines read from the config file for handling escapes, embedded whitespace etc., and a limit of 256 bytes per option parameter is imposed.

Also usernames > 64 bytes will break --username-as-common-name as CN is limited to 64 bytes (could be 64 code points, but it seems openvpn interprets that as 64 bytes).

So for most practical purposes, pkcs11-id appears to be limited to ~240 bytes in the current code. Changing USER_PASS_LEN to, say, 256 may be more sensible. That shouldn't break any existing configs but may break some use cases where a long id is supplied from the command line.

Selva
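As an added illustration of the limits discussed in this thread (my own example, not OpenVPN code): a pre-flight checker that flags config lines, option parameters, auth-user-pass credentials and --username-as-common-name usernames that exceed the lengths quoted above. The numeric limits, the "buffer includes NUL" reading of them, and the use of shlex to approximate OpenVPN's quoting rules are assumptions.

```python
import shlex

# Limits as quoted in the thread; assumed here to be buffer sizes including NUL.
CONFIG_LINE_MAX = 256     # config-file line buffer, so ~255 usable bytes
OPTION_PARAM_MAX = 256    # one option parameter (config file or management)
USER_PASS_LEN = 128       # pre-patch non-pkcs11 build; 4096 with --enable-pkcs11
COMMON_NAME_MAX = 64      # X.509 CN limit hit by --username-as-common-name


def blen(s):
    """Byte length, since the limits are enforced on bytes, not code points."""
    return len(s.encode("utf-8"))


def check_config(text):
    """Return (findings, uses_username_as_cn) for an OpenVPN config text."""
    findings, username_as_cn = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        if blen(raw) >= CONFIG_LINE_MAX:
            findings.append((n, f"line is {blen(raw)} bytes; lines longer than "
                                f"{CONFIG_LINE_MAX - 1} bytes are truncated"))
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        try:
            parts = shlex.split(line)  # assumption: close enough to OpenVPN's parser
        except ValueError:
            findings.append((n, "unbalanced quotes"))
            continue
        if parts[0] == "username-as-common-name":
            username_as_cn = True
        for p in parts[1:]:
            if blen(p) > OPTION_PARAM_MAX:
                findings.append((n, f"{parts[0]} parameter is {blen(p)} bytes "
                                    f"(> {OPTION_PARAM_MAX})"))
    return findings, username_as_cn


def check_auth_file(text, username_as_cn=False, user_pass_len=USER_PASS_LEN):
    """Check the two-line username/password file used by auth-user-pass."""
    findings, lines = [], text.splitlines()
    for label, value in zip(("username", "password"), lines):
        if blen(value) >= user_pass_len:
            findings.append(f"{label} is {blen(value)} bytes; truncated at "
                            f"USER_PASS_LEN={user_pass_len}")
    if username_as_cn and lines and blen(lines[0]) > COMMON_NAME_MAX:
        findings.append(f"username is {blen(lines[0])} bytes; CN is limited to "
                        f"{COMMON_NAME_MAX} bytes, so --username-as-common-name breaks")
    return findings
```

Run it against a client config and its credential file before deploying, passing `user_pass_len=4096` when both ends are built with --enable-pkcs11 (or carry this patch).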
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel