Hi,

On Thu, Feb 8, 2018 at 7:20 AM, David Sommerseth <open...@sf.lists.topphemmelig.net> wrote:
> On 08/02/18 04:36, Antonio Quartulli wrote:
>> On 08/02/18 04:41, David Sommerseth wrote:
>>> On 07/02/18 21:21, Selva Nair wrote:
>>>
>>>> In my view auth-token handling in openvpn.exe is broken at multiple levels:
>>>>
>>>> Client process:
>>>> (i) it should not remember the token after a reconnect is issued
>>>
>>> Agreed. This should trigger retrieving new user input in regards to SIGHUP at
>>> least. Not sure yet about SIGUSR1 though. SIGHUP has a clearer semantic
>>> though (hang-up).
>>
>> I discussed this with Arne as well, as he also had users complaining about this.
>>
>> The conclusion we came to was that it may be meaningful, upon reconnection,
>> to try sending the token once (the token might be handled by external
>> server side scripts and might still be alive, so one attempt is worth it)
>> and if it fails then we should dump the token, ask the user for the
>> password and reconnect.

But this is the current behaviour, isn't it? So what's the difference?

I think it's wrong to reuse the auth-token of one "connection" in another one. A client restart leads to a new connection and that should get a new token. Else a stolen token could be used in a new TLS session -- may sound far-fetched as one also has to steal the private key, but as far as a user is concerned the token is a placeholder for their password and OTP. It should be reused only for reneg.

I think the correct and easy fix is to wipe the token on the client when it restarts by SIGUSR1 or SIGHUP. If a server side script doesn't like it, that script is anyway broken.

>> This way we still save all those setups where the token survives fast
>> reconnections on the server side
>
> This sounds reasonable to me. But it is crucial that it is a proper
> re-connect - meaning, if UDP the "--explicit-exit-notify" message must be sent
> to the server to close the session on the server side. Otherwise you'll get
> into some odd back-and-forth until the session is fully closed on the server.

Any reason not to make explicit-exit-notify 1 as the default for UDP?

Selva

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
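The token-lifetime policy Selva argues for above, as an added illustration that is not OpenVPN code and not part of the thread: the client keeps the pushed auth-token only for TLS renegotiations within the connection that received it, and a restart triggered by SIGUSR1 or SIGHUP starts a new connection with the token wiped, so the next authentication re-prompts the user for password and OTP. The class, its event names (`token_received`, `restart`, `credentials_for_auth`) and the `"reneg"`/`"reconnect"` reason strings are assumptions made for this example.

```python
"""Client-side auth-token lifecycle (constructed example, not OpenVPN code).

Policy demonstrated:
  * a token pushed by the server is bound to the connection it arrived in;
  * a TLS renegotiation ("reneg") within that connection reuses the token;
  * a client restart (SIGUSR1 / SIGHUP) bumps the connection id and wipes
    the token, so the next auth falls back to prompting the user.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SIGUSR1 = "SIGUSR1"
SIGHUP = "SIGHUP"
USER_PROMPT = "<password+otp from user>"   # placeholder for interactive input


@dataclass
class ClientAuthState:
    connection_id: int = 0                 # incremented on every restart
    auth_token: Optional[str] = None       # token pushed by the server, if any
    token_connection: Optional[int] = None # connection the token belongs to
    prompts: List[str] = field(default_factory=list)  # reasons we re-prompted

    def token_received(self, token: str) -> None:
        """Server pushed an auth-token for the current connection."""
        self.auth_token = token
        self.token_connection = self.connection_id

    def restart(self, signal: str) -> None:
        """SIGUSR1/SIGHUP restart: new connection, old token discarded."""
        if signal not in (SIGUSR1, SIGHUP):
            raise ValueError(f"unexpected restart signal {signal!r}")
        self.connection_id += 1
        self.auth_token = None
        self.token_connection = None

    def credentials_for_auth(self, reason: str) -> str:
        """Return what goes into the 'password' slot for this auth.

        Only a renegotiation inside the connection that issued the token may
        reuse it; the connection-id check is belt-and-braces in case a code
        path ever restarts without calling restart()."""
        if (reason == "reneg"
                and self.auth_token is not None
                and self.token_connection == self.connection_id):
            return self.auth_token
        self.prompts.append(reason)
        return USER_PROMPT


def run_scenario() -> List[str]:
    """Constructed sequence: token pushed, one reneg, restart, reconnect."""
    state = ClientAuthState()
    sent = []
    state.token_received("tok-A")                    # server push after login
    sent.append(state.credentials_for_auth("reneg")) # reneg: token reused
    state.restart(SIGUSR1)                           # client restart
    sent.append(state.credentials_for_auth("reconnect"))  # new conn: prompt
    sent.append(state.credentials_for_auth("reneg")) # no token yet: prompt
    return sent


if __name__ == "__main__":
    print(run_scenario())
```

The point of the `token_connection` field is that the token is bound to a connection identity rather than merely being a value that happens to be cleared; a token that leaks out of one TLS session is then useless to the client logic of any later session, which is the property Selva wants a restart to restore.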