On Thu, Feb 8, 2018 at 7:20 AM, David Sommerseth
> On 08/02/18 04:36, Antonio Quartulli wrote:
>> On 08/02/18 04:41, David Sommerseth wrote:
>>> On 07/02/18 21:21, Selva Nair wrote:
>>>> In my view auth-token handling in openvpn.exe is broken at multiple levels:
>>>> Client process:
>>>> (i) it should not remember the token after a reconnect is issued
>>> Agreed. This should trigger retrieving new user input in regards to SIGHUP
>>> least. Not sure yet about SIGUSR1 though. SIGHUP has a cleared semantic
>>> though (hang-up).
>> I discussed this Arne as well as he also had users complaining about this.
>> The conclusion we came was that it may be meaningful, upon reconnection,
>> to try sending the token once (the token might be handled by external
>> server side scripts and might still be alive, so one attempt is worth)
>> and if it fails then we should dump the token, ask the user for the
>> password and reconnect.
But this is the current behaviour, isn't it? So what's the difference?
I think its wrong to reuse auth-token of one "connection" in another
one. A client restart leads to a new connection and that should get a
new token. Else a stolen token could be used in a new TLS session --
may sound far-fetched as one also has to steal the private key, but as
far as a user is concerned token is a place holder for their password
and OTP. It should be reused only for reneg.
I think the correct and easy fix is to wipe the token on the client
when it restarts by SIGUSR1 or SIGHUP. If a server side script
doesn't like it that script is anyway broken.
>> This way we still save all those setups where the token survives fast
>> reconenctions on the server side
> This sounds reasonable to me. But it is crucial that it is a proper
> re-connect - meaning, if UDP the "--explicit-exit-notify" message must be sent
> to the server to close the session on the server side. Otherwise you'll get
> into some odd back-and-forth until the session is fully closed on the server.
Any reason not to make explicit-exit-notify 1 as the default for UDP?
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Openvpn-devel mailing list