Hi,

I NAK this for the following reasons.

The original problem:
  "Openvpn does not set common_name for --client-disconnect",
  for reasons which have not been identified, no longer occurs.

The code has changed enough since 2011 that a new problem occurs.

The new problem:
  Openvpn sets common_name to X509-CN for --client-disconnect,
  after a client has attempted to float, successfully or not.

If this patch is applied to current Openvpn then similar behaviour
to the original problem occurs.  That is, after a client attempts
to float, common_name is not set at all.

I have also written Easy-TLS to work around this bug, as it stands,
and Easy-TLS manages connection tracking 100% successfully.

Regards
R


Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Friday, September 17th, 2021 at 16:35, <stringves...@gmail.com> wrote:

> From: Richard T Bonhomme tincant...@protonmail.com
>
> A server configured with --client-disconnect and --username-as-common-name
> will pass the X509-CN not username, after the client has completed a
> renegotiation, to --client-disconnect.
>
> Explicitly set the environment variable common_name to the current value,
> which will be username in this case, prior to calling --client-disconnect.
>
> Trac: #160
>
> Signed-off-by: Richard T Bonhomme tincant...@protonmail.com
>
> src/openvpn/multi.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
>
> index 22357cfb..c72e8e95 100644
>
> --- a/src/openvpn/multi.c
>
> +++ b/src/openvpn/multi.c
>
> @@ -557,6 +557,10 @@ setenv_stats(struct context *c)
>
> static void
>
> multi_client_disconnect_setenv(struct multi_instance *mi)
>
> {
>
> -   /* setenv client current common-name */
>
> -   setenv_str(mi->context.c2.es, "common_name",
>
> -                 tls_common_name(mi->context.c2.tls_multi, true));
>
>
> -   /* setenv client real IP address */
>
>     setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context));
>
>
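Review bot: the second argument `true` in the added `tls_common_name(mi->context.c2.tls_multi, true)` call asks for NULL (instead of the "UNDEF" placeholder) when the active session has no common name, and `setenv_str()` given a NULL value deletes the variable rather than setting it; if tls_multi has no usable common name once a client has floated or renegotiated, that is exactly the "common_name is not set at all" behaviour the reply reports. Either pass `false` so a placeholder is exported, or guard the call and log when the name is missing, and confirm what the active session holds for the common name after a float before relying on it here. Separately, the diffstat says 4 insertions(+) and the hunk header +557,10, yet the four added lines show here with a leading "-"; that looks like an archive rendering artefact rather than a change to the diff, but the patch as applied should be checked against the original mail.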
> 2.25.1
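The thread turns on the value of common_name that --client-disconnect sees after a renegotiation or float. One way to track connections that does not depend on the disconnect-time value is to record the identity at --client-connect, keyed by something stable for the life of the client instance, and look it up again at --client-disconnect. The script below is an added example written for this page; it is not OpenVPN code and not Easy-TLS. The environment variable names (script_type, common_name, ifconfig_pool_remote_ip, trusted_ip, trusted_port, time_unix, time_duration, bytes_received, bytes_sent) are the ones OpenVPN documents for these hooks; that ifconfig_pool_remote_ip is still present in the disconnect environment, and the state file path, are assumptions of this example.

```python
"""Connection tracking for OpenVPN --client-connect / --client-disconnect.

Added example, not OpenVPN or Easy-TLS code.  Configure as:
    client-connect    /etc/openvpn/track.py
    client-disconnect /etc/openvpn/track.py
(OpenVPN sets script_type so one script can serve both hooks.)

Assumptions (labelled): the state path below is hypothetical, and
ifconfig_pool_remote_ip is assumed to still be exported at disconnect.
OpenVPN runs these hooks synchronously, so no file locking is used.
"""
import json
import os
import sys
import time

STATE_FILE = "/var/lib/openvpn/sessions.json"   # hypothetical path


def load_state(path):
    """Read the JSON map of pool-address -> connect-time record (empty if absent)."""
    try:
        with open(path) as fh:
            return json.load(fh)
    except (FileNotFoundError, json.JSONDecodeError):
        return {}


def save_state(path, state):
    """Write the state atomically so a crash mid-write cannot corrupt it."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(state, fh)
    os.replace(tmp, path)


def on_connect(env, state):
    """Record the identity OpenVPN reports at connect time, keyed by pool address."""
    key = env["ifconfig_pool_remote_ip"]
    state[key] = {
        "common_name": env["common_name"],
        "trusted_ip": env.get("trusted_ip"),
        "trusted_port": env.get("trusted_port"),
        "connected_at": int(env.get("time_unix") or time.time()),
    }
    return state[key]


def on_disconnect(env, state):
    """Return (record, warning).

    record is the connect-time identity plus the session counters, or None
    if no connect record exists; warning describes a common_name that is
    missing or differs from the connect-time value (the two failure modes
    discussed in the thread), or None when the values agree.
    """
    key = env.get("ifconfig_pool_remote_ip")
    record = state.pop(key, None) if key else None
    if record is None:
        return None, "no connect record for %r; cannot attribute disconnect" % key

    reported = env.get("common_name")
    warning = None
    if reported is None:
        warning = "common_name unset at disconnect; using connect-time value"
    elif reported != record["common_name"]:
        warning = "common_name changed: connect=%r disconnect=%r" % (
            record["common_name"], reported)

    record = dict(record,
                  duration=int(env.get("time_duration", 0)),
                  bytes_received=int(env.get("bytes_received", 0)),
                  bytes_sent=int(env.get("bytes_sent", 0)))
    return record, warning


def main():
    env = os.environ
    state = load_state(STATE_FILE)
    hook = env.get("script_type")
    if hook == "client-connect":
        on_connect(env, state)
    elif hook == "client-disconnect":
        record, warning = on_disconnect(env, state)
        if warning:
            print(warning, file=sys.stderr)
        if record:
            print(json.dumps(record))
    else:
        print("unexpected script_type %r" % hook, file=sys.stderr)
        return 1
    save_state(STATE_FILE, state)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The disconnect path always attributes the session to the connect-time common_name and only reports the disconnect-time value as a discrepancy, so accounting stays correct whether the server exports the X509 CN, the username, or nothing at all at that point; the warning is what you grep for when checking whether the behaviour described in this thread is occurring on your server.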

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel