On 08/02/18 04:36, Antonio Quartulli wrote:
> On 08/02/18 04:41, David Sommerseth wrote:
>> On 07/02/18 21:21, Selva Nair wrote:
>>> In my view auth-token handling in openvpn.exe is broken at multiple levels:
>>> Client process:
>>> (i) it should not remember the token after a reconnect is issued
>> Agreed.  This should trigger retrieving new user input in regards to SIGHUP 
>> at
>> least.  Not sure yet about SIGUSR1 though.  SIGHUP has a cleared semantic
>> though (hang-up).
> I discussed this Arne as well as he also had users complaining about this.
> The conclusion we came was that it may be meaningful, upon reconnection,
> to try sending the token once (the token might be handled by external
> server side scripts and might still be alive, so one attempt is worth)
> and if it fails then we should dump the token, ask the user for the
> password and reconnect.
> This way we still save all those setups where the token survives fast
> reconenctions on the server side

This sounds reasonable to me.  But it is crucial that it is a proper
re-connect - meaning, if UDP the "--explicit-exit-notify" message must be sent
to the server to close the session on the server side.  Otherwise you'll get
into some odd back-and-forth until the session is fully closed on the server.

kind regards,

David Sommerseth
OpenVPN Inc

Attachment: signature.asc
Description: OpenPGP digital signature

Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Openvpn-devel mailing list

Reply via email to