On Tue, May 4, 2021 at 3:04 PM tincantech via Openvpn-devel
<openvpn-devel@lists.sourceforge.net> wrote:
>
> Hi,
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Tuesday, 4 May 2021 13:43, tincantech via Openvpn-devel 
> <openvpn-devel@lists.sourceforge.net> wrote:
>
> > Hi,
> >
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Tuesday, 4 May 2021 11:50, Arne Schwabe a...@rfc2549.org wrote:
> >
> > > Am 29.04.21 um 19:15 schrieb Richard T Bonhomme:
> > >
> > > > From: string vest stringves...@gmail.com
> > > > Under Windows, programmatically retrieving the parent process ID of
> > > > the openvpn instance which called a script is practically impossible.
> > > > The only sensible way, currently available, is to write a PID file.
> > > > This patch adds a single integer variable, named daemon_pid, to the
> > > > script environment. The value of which is set to the openvpn process
> > > > ID that called the script.
> > > > Providing this variable via the running openvpn process is more secure,
> > > > faster and far less prone to user-error than using a PID file.
> > >
> > > Could you explain why you need the process ID of the daemon? I am trying
> > > to figure out why that is needed. I also don't understand the secure in
> > > this context. What are you protecting yourself against? You are not
> > > protecting your script being called from a malicious program as that
> > > could lookup the PID of openvpn and just set the daemon_id variable.
> >
> > The reason I am using the process ID is as follows:
> >
> > When --tls-crypt-v2-verify is executed, it saves a file named:
> > ${certificate_serial_number}.${daemon_pid}
> > with data from the TLS-Crypt-V2 key metadata field, which can then
> > be read by the following scripts: --tls-verify and --client-connect.
> >
> > The --tls-verify and --client-connect script have:
> > ${certificate_serial_number} -> ${tls_serial_hex_0} and ${daemon_pid},
> > in their environment and can guarantee to pick-up the correct data file.
> >
> > This is OK for one running server but when there are more than one server
> > instance running, using a PID file becomes messy and cumbersome.
> >
> > The "secure" in this sense is that, having openvpn provide the PID is much
> > more reliable than relying on multiple PID files.
> >
> > Also, while it is "trivial" for *nix to retrieve the Parent PID, under
> > Windows, programmatically doing this is not "trivial" at all:
> >
> > PID:
> > https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/finding-the-process-id
> > PPID:
> > https://stackoverflow.com/questions/7486717/finding-parent-process-id-on-windows
> >
> > Therefore, barring any known security reasons for not providing the openvpn PID
> > to all scripts which it executes, it makes more sense to have openvpn provide
> > daemon_pid. The only script currently missing this data is --tls-crypt-v2-verify
> > (and probably --learn-address, but I have not tested that).
> >
>
> Due to the inordinate resistance this patch has received, consider this my official
> withdrawal. I hereby NACK.

Resistance is a good thing -- it means people are considering your
patch seriously and are asking questions in earnest.

I've had patches that languished for years and were finally merged without
batting an eye, except for an occasional gentle nudge (say once a year) and
some patience.


Selva
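
The hand-off tincantech describes above (the --tls-crypt-v2-verify hook writes a
${serial}.${daemon_pid} file that --tls-verify / --client-connect later read) as an
added, self-contained example; this is not code from the patch, from tincantech or
from OpenVPN. It assumes a scratch state directory, passes the hook inputs as a
dict instead of the real script environment, and assumes the serial is available to
the verify hook (in the thread it comes from the key metadata). The input validation
and the exclusive-create guard are additions that follow from Arne's point: daemon_pid
disambiguates server instances, it does not authenticate whoever set it.

```python
"""
Added example (not OpenVPN project code): the serial + daemon_pid hand-off
between a --tls-crypt-v2-verify hook and a later --client-connect hook.

Assumptions (not from the thread): the state directory, the helper names,
that the metadata is a short text blob, and that hook inputs arrive as a
dict rather than through os.environ so both roles can run in one process.
"""
import os
import re
import shutil
import tempfile

_SERIAL_RE = re.compile(r"^[0-9A-Fa-f]+$")   # tls_serial_hex_0 is hex
_PID_RE = re.compile(r"^[1-9][0-9]*$")        # daemon_pid is a positive int


def handoff_path(state_dir, serial, daemon_pid):
    """Path of the per-(certificate, daemon) file: ${serial}.${daemon_pid}.

    Both values come from the hook's environment, i.e. from whoever ran the
    script, so they are validated before being spliced into a filename.
    """
    if not _SERIAL_RE.match(serial) or not _PID_RE.match(daemon_pid):
        raise ValueError("refusing malformed serial/daemon_pid")
    return os.path.join(state_dir, f"{serial}.{daemon_pid}")


def tls_crypt_v2_verify(env, state_dir):
    """Role of the --tls-crypt-v2-verify hook: stash metadata for later hooks.

    O_EXCL refuses to overwrite a stale file left by an earlier daemon that
    happened to get the same PID (PIDs are reused), instead of silently
    handing that client someone else's metadata.
    """
    path = handoff_path(state_dir, env["serial"], env["daemon_pid"])
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(env["metadata"])
    return path


def client_connect(env, state_dir):
    """Role of --tls-verify / --client-connect: read exactly the file written
    by this daemon instance for this certificate, then remove it so it cannot
    be picked up again by a later session with a reused PID."""
    path = handoff_path(state_dir, env["tls_serial_hex_0"], env["daemon_pid"])
    with open(path) as f:
        data = f.read()
    os.unlink(path)
    return data


def demo():
    """Two server instances (constructed daemon PIDs 1001 and 1002) see the
    same client certificate; each connect hook must get its own instance's
    metadata even though the serial is identical."""
    state_dir = tempfile.mkdtemp()
    try:
        serial = "1A2B3C"
        for pid, meta in (("1001", "meta-from-instance-A"),
                          ("1002", "meta-from-instance-B")):
            tls_crypt_v2_verify(
                {"serial": serial, "daemon_pid": pid, "metadata": meta},
                state_dir)
        # Connect hooks fire in any order; the PID, not the serial, selects.
        got_b = client_connect({"tls_serial_hex_0": serial, "daemon_pid": "1002"}, state_dir)
        got_a = client_connect({"tls_serial_hex_0": serial, "daemon_pid": "1001"}, state_dir)
        return got_a, got_b
    finally:
        shutil.rmtree(state_dir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The file is created with 0o600 and removed after a single read; on Windows the mode
bits are ignored, which is one more reason to keep the state directory itself
restricted to the account openvpn runs as.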


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
