Hi,

On Tue, Jul 24, 2018 at 12:02 AM, Selva Nair <selva.n...@gmail.com> wrote:
> Hi,
>
> On Mon, Jul 23, 2018 at 10:58 PM, Jonathan K. Bullard
> <jkbull...@gmail.com> wrote:
>> I was testing Tunnelblick with Selva's C/R server and config (thanks
>> again for that) and there was a problem. Maybe I'm (still)
>> misunderstanding something, but a SIGUSR1 restart asks for the normal
>> username/password instead of a static C/R.
>>
>> That is, the first thing after the restart is ">PASSWORD:Need 'Auth'
>> username/password" instead of ">PASSWORD:Need 'Auth' username/password
>> SC:1,Type something (e.g., hello): ".
>
> I think that's a side effect of my test config using both static challenge and
> dynamic challenge together. Not a realistic use case, I suppose. I did that to
> keep the server side verify simple for a quick validation of patches that
> touch user-auth.

OK; makes sense.


> But it was probably not a good approach for properly testing what happens on
> signals or during TLS renegotiation.

I was testing more than the test was designed to do, so that's understandable.


> If you wish I can amend my server side verify script so that you can test
> static and dynamic challenge each separately.

That would be great, but don't do it just for me. If you do it for
yourself, let me know, though, and I'll try it.


>> Should Tunnelblick save the static challenge info (like it saves the
>> dynamic challenge info) and use it again whenever it sees a
>> ">PASSWORD:Need 'Auth' username/password"? (Except when there is also
>> a pending dynamic challenge, in which case it would use that instead.)

(I tried doing that and all worked well, so I was thinking that was it.)


> Normally SIGUSR1 restart should re-prompt with the static challenge if in use.

OK, thanks. I won't commit the code that saves and reuses the static C/R info.


>> Also, there's an oddity (that doesn't cause a problem) in that the
>> first thing Tunnelblick sees over the management interface for the
>> original connection is "ENTER PASSWORD:SUCCESS: password is correct"
>> -- that comes even before ">INFO:OpenVPN Management Interface Version
>> 1 -- type 'help' for more info", and long before any username or
>> password has been entered.
>
> The ENTER PASSWORD: is for the management-password, isn't it?

Of course it is. Mystery solved, thanks!


Best regards,

Jon

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
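
The management-interface lines quoted in this thread, run through a small classifier that separates the management-password exchange from auth prompts with and without a static challenge. This is an added example, not part of the original message and not Tunnelblick's or OpenVPN's code; the name `classify`, the kind labels and the `SAMPLE` lines (constructed from the quotes above) are assumptions.

```python
import re

# ">PASSWORD:Need" notification, optionally followed by a static challenge
# in the form "SC:<echo flag>,<challenge text>" as quoted in the thread.
NEED_RE = re.compile(
    r"^>PASSWORD:Need '(?P<type>[^']+)' (?P<what>username/password|password)"
    r"(?: SC:(?P<echo>[01]),(?P<text>.*))?$"
)
MGMT_PW_PREFIX = "ENTER PASSWORD:"

# Constructed sample input, built from the lines quoted in the thread.
SAMPLE = [
    "ENTER PASSWORD:SUCCESS: password is correct",
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info",
    ">PASSWORD:Need 'Auth' username/password SC:1,Type something (e.g., hello): ",
    ">PASSWORD:Need 'Auth' username/password",
]


def classify(line):
    """Return (kind, details) for one management-interface line."""
    line = line.rstrip("\r\n")
    # In the thread's capture the reply to the management-password prompt
    # appears on the same line as the prompt itself, so split it off here
    # instead of treating it as a user-auth event.
    if line.startswith(MGMT_PW_PREFIX):
        return ("management-password", {"reply": line[len(MGMT_PW_PREFIX):] or None})
    if line.startswith(">INFO:"):
        return ("info", {"text": line[len(">INFO:"):]})
    m = NEED_RE.match(line)
    if m:
        details = {"auth_type": m.group("type"), "what": m.group("what")}
        if m.group("echo") is not None:
            # Static challenge present: keep the echo flag and prompt text.
            details["echo"] = m.group("echo") == "1"
            details["challenge"] = m.group("text")
            return ("need-static-challenge", details)
        # No SC: suffix, the case seen after the SIGUSR1 restart in the thread.
        return ("need-credentials", details)
    return ("other", {"raw": line})


if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(classify(sample_line))
```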