Re: [Openvpn-devel] [PATCH 1/2] Send auth-fail messages to clients on renegotiation failures via auth-token or user-pass expiry
Hi,

On Thu, Aug 13, 2020 at 4:37 AM Eric Thorpe wrote:
> Hi Arne,
>
> The issue is your state is not accessible from where that boolean needs
> to be used unless I am missing something? Please advise if I'm mistaken
> or of another route.
>

I agree with Arne that duplicating a state machine variable is not a good approach. But we have to somehow get the REAUTH (reneg) info in here.

This has stalled for too long, so my suggestion would be to make this conditional on MANAGEMENT_DEF_AUTH so that we can then get it from session->opt->mda_context just as we do it when auth is done via the management. In practice, that would cover most builds where this is really useful.

In fact, I think we should always enable MANAGEMENT_DEF_AUTH when management is enabled. That also gets rid of a lot of IFDEFs and allows the use of useful bits like CID more widely in the code. I see no compelling reason for such fine-grained build options. A marginal increase in code size is of little consequence to all but embedded devices, which can continue to cope without this as they do now.

Selva

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] tun.c: enable using wintun driver under SYSTEM
No need to rush. I'm happy to wait until Wednesday for beta2.

Cheers,
Marvin

Sent from my iPhone

> On Aug 22, 2020, at 12:20 AM, Gert Doering wrote:
>
> Hi,
>
>> On Fri, Aug 21, 2020 at 07:37:27PM -0700, Marvin Adeff wrote:
>> When will this be available as an installable (beta) msi?
>
> I'll merge the commit today or tomorrow (sorry for the lag on my side,
> was travelling and had only limited access to "Internet and focus").
>
> My plan is to do a formal "beta2" tag on Wednesday, but of course
> Samuli/Lev could do a new installer ("beta1_1") earlier.
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-devel] [PATCH] Fix client's poor man NCP fallback
Hi,

On 14-08-2020 10:06, Arne Schwabe wrote:
> OpenVPN 2.5 clients do not correctly do a fallback to the server server.
> This commit fixes that logic and also fixes --data-ciphers-fallback to
> be used in situations other than no OCC cipher.
>
> To reproduce the error use a client with only --data-ciphers set against
> a server without NCP.
>
> OPTIONS ERROR: failed to negotiate cipher with server.
> Add the server's cipher ('AES-256-CBC') to --data-ciphers
> (currently 'AES-256-CBC') if you want to connect to this server.
>
> Reported by: Richard Bonhomme
>
> Signed-off-by: Arne Schwabe
> ---
>  src/openvpn/ssl_ncp.c | 9 +
>  1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
> index f522b8f0..c9ab85ce 100644
> --- a/src/openvpn/ssl_ncp.c
> +++ b/src/openvpn/ssl_ncp.c
> @@ -296,13 +296,14 @@ check_pull_client_ncp(struct context *c, const int
> found)
>      }
>      /* If the server did not push a --cipher, we will switch to the
>       * remote cipher if it is in our ncp-ciphers list */
> -    bool useremotecipher = tls_poor_mans_ncp(&c->options,
> -
> c->c2.tls_multi->remote_ciphername);
> -
> +    if(tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername))
> +    {
> +        return true;
> +    }
>
>      /* We could not figure out the peer's cipher but we have fallback
>       * enabled */
> -    if (!useremotecipher && c->options.enable_ncp_fallback)
> +    if (!c->c2.tls_multi->remote_ciphername &&
> c->options.enable_ncp_fallback)
>      {
>          return true;
>      }
>

This makes sense. Given that the commit message is fixed as suggested by Richard:

Acked-by: Steffan Karger

-Steffan
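Review bot: the second `-`/`+` pair narrows what the fallback block covers. The old test `if (!useremotecipher && c->options.enable_ncp_fallback)` also fired when the server announced a cipher that was not in our list, whereas the new test `if (!c->c2.tls_multi->remote_ciphername && c->options.enable_ncp_fallback)` fires only when no remote cipher is known at all, which is exactly the "no OCC cipher" case the commit message says is no longer the only one handled. For that claim to hold, the announced-but-unlisted cipher case must now be handled inside `tls_poor_mans_ncp()`, which is not visible in this hunk; please confirm that in the commit message, or keep a fallback path here for that case. Style: `if(tls_poor_mans_ncp(...))` is missing the space after `if` that the neighbouring `if (...)` lines use.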
Re: [Openvpn-devel] [PATCH] Adds client-auth-pending-extra management functionality.
On 21.08.20 at 08:24, Eric Thorpe wrote:
> This allows extra INFO_PRE messages to be sent to a client during an
> authentication stage. This may be required to send additional challenges,
> or allow longer messages to be sent by breaking them up and sending in parts.

Could you describe for what feature you need this? If we are extending the protocol for some multiline AUTH_PENDING feature, we should document how this works etc...

Arne
Re: [Openvpn-devel] AUTH_PENDING from client-pending-auth query
On 21.08.20 at 02:56, Eric Thorpe wrote:
> Hi All,
>
> Arne might be best to answer this but wasn't sure. I've been testing out
> the client-pending-auth/cr-response stuff recently and had a question.
> Currently, the first thing that happens from the client-pending-auth
> management command is the client is sent an AUTH_PENDING control channel
> notification, however this isn't handled, all the client receives is a
> log message about an unknown push notification. Is there a plan for this
> AUTH_PENDING message to do something in the future, is it for
> compatibility for something else or is it simply extraneous and can be
> removed?

OpenVPN 2.x currently ignores AUTH_PENDING but the OpenVPN 3.x library needs it to enter that state.

Arne
Re: [Openvpn-devel] [PATCH] tun.c: enable using wintun driver under SYSTEM
Hi,

On Fri, Aug 21, 2020 at 07:37:27PM -0700, Marvin Adeff wrote:
> When will this be available as an installable (beta) msi?

I'll merge the commit today or tomorrow (sorry for the lag on my side, was travelling and had only limited access to "Internet and focus").

My plan is to do a formal "beta2" tag on Wednesday, but of course Samuli/Lev could do a new installer ("beta1_1") earlier.

gert

--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de