Hi,

On Mon, Dec 21, 2020 at 3:27 PM Arne Schwabe <a...@rfc2549.org> wrote:
> On 21.12.20 at 20:11 Gert Doering wrote:
> > Hi,
> >
> > On Mon, Dec 21, 2020 at 06:24:36PM +0000, Greg Cox wrote:
> >> My contention is, a VPN client has enough information from its own
> >> certs to know when its certs are expired and thus not going to work (Yes,
> >> there's plenty of OTHER reasons a connection can fail, but in a well
> >> designed setup, the user's certs will go stale long before the server).
> >> It tells you this problem in the logs, which folks never read.
> >
> > We consciously decided to make this not more prominent (so, warning only,
> > not error) because the client's machine's time might be wrong - and
> > ultimately it's the server's notion of time that decides if the cert
> > is valid or not. So this is a hint, but not an "IT WILL NOT WORK!" hard
> > error.
> >
> >> If the software were to contain a mechanism to make certain failure
> >> cases automatically more prominent, particularly for 'simple' users who
> >> have GUI clients, it'll be a big win for supportability on larger
> >> installs.
> >
> > This is indeed getting into philosophy... we do send different types of
> > AUTH_FAILED today (like, for token expired). Maybe we could send an
> > "AUTH_FAILED,cert expired" and have the client display this?
> >
> > (I admit that I'm neither an expert on the AUTH_FAILED message, nor on
> > "what is the client doing on variations of it", nor on "what *should*
> > be the expected outcome?". Selva, Arne will know more).
>
> It is easy to add that message, however the question is if we want to.
> Sending different AUTH_FAILED messages also leaks information. Especially
> with authentication you don't want to give an attacker an idea how far they
> get before failing the authentication. I.e. if you send "user disabled",
> "certificate expired", "account not allowed to use VPN" etc., an attacker
> gets information about the account/profile he is using to connect.
>
> So with these AUTH_FAILED codes you have to be very careful not to
> accidentally leak information. I.e. "AUTH_FAILED, cert expired" happens
> only if user/pass is right/wrong, otherwise you get a normal AUTH_FAILED.
>
> HOWEVER, on the client side, we can transform a normal AUTH_FAILED into
> "AUTH_FAILED, server gave no reason, [client certificate is expired]"
> or something like that.

We already warn on the client if the certificate has expired, and warnings
show up in red at least in OpenVPN-GUI. Sure, UIs can add more bold-face
warnings and popups showing probable reasons, but better leave the core as
is.

To chime in with Arne, a client presenting an invalid cert (expired, in the
CRL or otherwise bogus) has to be treated as rogue and should not be given
any additional feedback from the server on the reason for failure.

Selva
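As an added illustration of the two behaviours discussed in this thread (example code written for this page, not OpenVPN's own): a client that compares its own certificate's validity window against the local clock and only warns, because the local clock may be wrong and the server has the final say, and a server that logs the specific reason but sends the peer one generic AUTH_FAILED for any certificate problem. The function names and the self-signed test certificate are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// Client side: compare the client's own certificate with the local clock.
// The result is a warning text, never a fatal error, because the local clock
// may be wrong and only the server's notion of time is authoritative.
func localCertWarning(cert *x509.Certificate, now time.Time) string {
	switch {
	case now.After(cert.NotAfter):
		return "WARNING: client certificate expired on " +
			cert.NotAfter.UTC().Format(time.RFC3339) + " (by local clock)"
	case now.Before(cert.NotBefore):
		return "WARNING: client certificate not valid before " +
			cert.NotBefore.UTC().Format(time.RFC3339) + " (by local clock)"
	}
	return "" // nothing to warn about; the server still has the final say
}

// Server side: the detailed reason goes to the server log only. The peer
// always receives the same generic AUTH_FAILED for certificate problems, so a
// client presenting a bad certificate learns nothing about why it was refused.
func peerAuthFailed(internalReason string, logf func(string, ...interface{})) string {
	logf("auth failed (not sent to peer): %s", internalReason)
	return "AUTH_FAILED"
}

// newTestCert builds a throwaway self-signed certificate (constructed test
// data, not an issued OpenVPN client certificate) with the given validity.
func newTestCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Passing a certificate whose NotAfter lies in the past to localCertWarning yields only a warning string; peerAuthFailed returns the bare "AUTH_FAILED" regardless of the reason it logs.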
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel