On Thu, Feb 8, 2018 at 7:20 AM, David Sommerseth
<open...@sf.lists.topphemmelig.net> wrote:
> On 08/02/18 04:36, Antonio Quartulli wrote:
>> On 08/02/18 04:41, David Sommerseth wrote:
>>> On 07/02/18 21:21, Selva Nair wrote:
>>>> In my view auth-token handling in openvpn.exe is broken at multiple levels:
>>>> Client process:
>>>> (i) it should not remember the token after a reconnect is issued
>>> Agreed.  This should trigger retrieving new user input in regards to SIGHUP 
>>> at
>>> least.  Not sure yet about SIGUSR1 though.  SIGHUP has a cleared semantic
>>> though (hang-up).
>> I discussed this Arne as well as he also had users complaining about this.
>> The conclusion we came was that it may be meaningful, upon reconnection,
>> to try sending the token once (the token might be handled by external
>> server side scripts and might still be alive, so one attempt is worth)
>> and if it fails then we should dump the token, ask the user for the
>> password and reconnect.

But this is the current behaviour, isn't it? So what's the difference?
I think its wrong to reuse auth-token of one "connection"  in another
one.  A client restart leads to a new connection and that should get a
new token. Else a stolen token could be used in a new TLS session --
may sound far-fetched as one also has to steal the private key, but as
far as a user is concerned token is a place holder for their password
and OTP. It should be reused only for reneg.

I think the correct and easy fix is to wipe the token on the client
when it restarts by SIGUSR1 or SIGHUP.  If a server side script
doesn't like it that script is anyway broken.

>> This way we still save all those setups where the token survives fast
>> reconenctions on the server side
> This sounds reasonable to me.  But it is crucial that it is a proper
> re-connect - meaning, if UDP the "--explicit-exit-notify" message must be sent
> to the server to close the session on the server side.  Otherwise you'll get
> into some odd back-and-forth until the session is fully closed on the server.

Any reason not to make explicit-exit-notify 1 as the default for UDP?


Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Openvpn-devel mailing list

Reply via email to