A bit more thorough review this time.

On 05/03/18 16:50, Arne Schwabe wrote:
> This patch changes the client behaviour:
> - Treat a failed auth when using an auth-token as a soft error (USR1)
>   and clean the auth-token falling back to the original auth method

Conceptually, this makes sense.

> - Implement a new pushable option forget-token-reconnect that forces
>   to forget an auth-token when reconnecting

This I am not happy about.  We should use an AUTH_FAILED,SESSION:$message
approach instead.  This is what OpenVPN 3 based clients expects, and it should
actually do (read: behave) as the previous point.  OpenVPN 2 does not do that,
today, so it would need to be taught that instead.

> - Sending IV_PROTO=3 to signal that it is safe to send this client an
>   expiring auth-token

And as we shouldn't need forget-token-reconnect, this would also not be needed.

> The behaviour of the server option auth-gen-token:
> - Automatically push forget-token-reconnect to avoid a failed
>   authentication after reconnect
This should not be needed with the AUTH_FAILED,SESSION:$message approach.

> - By default only send auth-token to clients that will gracefully
>   handle auth-token to avoid having clients not able to reconnect

What do you mean with "gracefully handle auth-token"?  By fixing OpenVPN 2's
behaviour (as suggested above), it should behave gracefully by default.

And I'd be willing to /consider/ this fix even to OpenVPN 2.3 code base, for
those who can't upgrade.  But it will be a hard sell, though; OpenVPN 2.4 is
over a year old already.

> - Add a force option to auth-gen-token that allow to ignore if the
>   client can handle auth-tokens

And this should also not be needed.

I'll admit I might see this with a bit too narrow perspective.  But how I have
understood this issue is that OpenVPN 2.x does not behave correctly as it
doesn't understand *why* the authentication failed.  If the client side would
understand why auth failed, then it can query the user for credentials again -
which I believe should resolve the current issues ... Or have I missed 

kind regards,

David Sommerseth
OpenVPN Inc

Attachment: signature.asc
Description: OpenPGP digital signature

Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Openvpn-devel mailing list

Reply via email to