> I see one challenge with this approach, and it is that it locks us to one
> specific format for the CR_RESPONSE. I think it would be appropriate to
> extend it with a "version" field before {CID}, so we have a chance to extend
> the protocol without updating much of the core OpenVPN 2.x code base. For
> now, it could be hard coded as version 1.
>
> So: CLIENT:CR_RESPONSE,{VERSION},{CID},{KID},{response_base64}

But instead of the old method we are not limited to using a fixed
field/control command. So while CRV1 must have a version field, CR_RESPONSE
just does text responses and nothing more.

> I'm also wondering if this would be a reasonable approach to use to implement
> GSSAPI authentication support as well; where there is a back-and-forth
> handshake happening as well.

For anything that needs more than can be encoded with a base64 text, I would
rather add a new response type like GSAPPI_AUTH etc.

Arne
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel