[Openvpn-devel] [S] Change in openvpn[master]: NTLM: when NTLMv1 is requested, try NTLMv2 instead

2024-01-18 Thread cron2 (Code Review)
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/500?usp=email )

Change subject: NTLM: when NTLMv1 is requested, try NTLMv2 instead
..

NTLM: when NTLMv1 is requested, try NTLMv2 instead

Commit 21910ebc2ee8a6138eb2af8d38056d2b94e59f9c removed
support for NTLMv1 authentication. This adjusts the
behavior for existing configurations that specify
"ntlm" keyword.

Do not error out hard, instead just try to upgrade. This
should work fine in many cases and will avoid breaking
user configs unnecessarily on upgrade.

In addition it fixes an issue with the mentioned patch
where "auto" wasn't working correctly for NTLM anymore.

Change-Id: Iec74e88f86cd15328f993b6cdd0317ebda81563c
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240118151242.12169-1-g...@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid=20240118151242.12169-1-g...@greenie.muc.de
Signed-off-by: Gert Doering 
---
M Changes.rst
M doc/man-sections/proxy-options.rst
M src/openvpn/proxy.c
3 files changed, 18 insertions(+), 7 deletions(-)




diff --git a/Changes.rst b/Changes.rst
index 69c811d..58cb3db 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -12,8 +12,13 @@
 ``--allow-deprecated-insecure-static-crypto`` but will be removed in
 OpenVPN 2.8.

-NTLMv1 support has been removed because it is completely insecure.
-NTLMv2 support is still available, but will removed in a future release.
+NTLMv1 authentication support for HTTP proxies has been removed.
+This is considered an insecure method of authentication that uses
+obsolete crypto algorithms.
+NTLMv2 support is still available, but will be removed in a future
+release.
+When configured to authenticate with NTLMv1 (``ntlm`` keyword in
+``--http-proxy``) OpenVPN will try NTLMv2 instead.


 Overview of changes in 2.6
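
Review bot: The last added sentence of the NTLMv1 entry ("OpenVPN will try NTLMv2 instead") does not tell users that this is a fallback they should act on. The same patch logs an M_WARN in proxy.c when ``ntlm`` is configured, and the commit message only says the upgrade "should work fine in many cases", so consider stating here that a warning is logged and that the NTLMv2 attempt may still be rejected by the proxy. That gives changelog readers a reason to review their ``--http-proxy`` lines.
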
diff --git a/doc/man-sections/proxy-options.rst 
b/doc/man-sections/proxy-options.rst
index ad49c60..38c4578 100644
--- a/doc/man-sections/proxy-options.rst
+++ b/doc/man-sections/proxy-options.rst
@@ -48,6 +48,8 @@
  

   Note that support for NTLMv1 proxies was removed with OpenVPN 2.7.
+  :code:`ntlm` now is an alias for :code:`ntlm2`; i.e. OpenVPN will always
+  attempt to use NTLMv2 authentication.

 --http-proxy-user-pass userpass
   Overwrite the username/password information for ``--http-proxy``. If 
specified
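
Review bot: In the two added lines under the NTLMv1 note, "now is an alias" reads better as "is now an alias", and the paragraph gives no hint that ``ntlm2`` is itself on the way out, although Changes.rst in this same patch says NTLMv2 support "will be removed in a future release". Consider repeating that deprecation here so the man page does not present the alias as a stable target.
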
diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index e081532..2e8d7a8 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -497,7 +497,7 @@
 msg(M_FATAL, "HTTP_PROXY: server not specified");
 }

-ASSERT( o->port);
+ASSERT(o->port);

 ALLOC_OBJ_CLEAR(p, struct http_proxy_info);
 p->options = *o;
@@ -517,7 +517,8 @@
 #if NTLM
 else if (!strcmp(o->auth_method_string, "ntlm"))
 {
-msg(M_FATAL, "ERROR: NTLM v1 support has been removed. For now, 
you can use NTLM v2 by selecting ntlm2 but it is deprecated as well.");
+msg(M_WARN, "NTLM v1 authentication has been removed in OpenVPN 
2.7. Will try to use NTLM v2 authentication.");
+p->auth_method = HTTP_AUTH_NTLM2;
 }
 else if (!strcmp(o->auth_method_string, "ntlm2"))
 {
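
Review bot: The new M_WARN in the "ntlm" branch does not tell the user what to change: it names neither the --http-proxy option nor the ntlm2 keyword that would select NTLMv2 explicitly, whereas the removed M_FATAL text at least mentioned ntlm2. Since the configured method is being replaced at runtime, the warning is the only place an operator learns of it; consider wording that points at the option and keyword, and that repeats the deprecation of NTLMv2 that the old message carried.
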
@@ -531,7 +532,9 @@
 }
 }

-/* only basic and NTLM/NTLMv2 authentication supported so far */
+/* When basic or NTLMv2 authentication is requested, get credentials now.
+ * In case of "auto" negotiation credentials will be retrieved later once
+ * we know whether we need any. */
 if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM2)
 {
 get_user_pass_http(p, true);
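
Review bot: The rewritten comment above the credential check names only "auto" as the case where credentials are fetched later, but the later hunk in this file also fetches them for HTTP_AUTH_DIGEST at that point. If digest can only be reached through "auto" negotiation, say so in the comment; otherwise mention it, so the split between early and late credential retrieval is explained in one place.
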
@@ -644,7 +647,8 @@
 
 /* get user/pass if not previously given */
 if (p->auth_method == HTTP_AUTH_BASIC
-|| p->auth_method == HTTP_AUTH_DIGEST)
+|| p->auth_method == HTTP_AUTH_DIGEST
+|| p->auth_method == HTTP_AUTH_NTLM2)
 {
 get_user_pass_http(p, false);
 }
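
Review bot: Adding HTTP_AUTH_NTLM2 to this condition means get_user_pass_http(p, false) may now also be reached when "ntlm" or "ntlm2" was configured explicitly and get_user_pass_http(p, true) already ran during setup. The existing comment "if not previously given" suggests the second call does nothing in that case, but that is not visible in the hunk; please confirm it does not prompt or re-read the credentials a second time, and consider noting in the comment that the NTLM2 case here exists for "auto".
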
@@ -748,7 +752,7 @@
 {
 processed = true;
 }
-else if ((p->auth_method == HTTP_AUTH_NTLM2) && !processed) /* check 
for NTLM */
+else if (p->auth_method == HTTP_AUTH_NTLM2 && !processed) /* check for 
NTLM */
 {
 #if NTLM
 /* look for the phase 2 response */
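
Review bot: Cosmetic edits belong in a separate cleanup commit: the dropped parentheses around the HTTP_AUTH_NTLM2 comparison in the else-if line are unrelated to the NTLMv1 fallback this commit describes, and mixing them in makes the functional change harder to bisect.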

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/500?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Iec74e88f86cd15328f993b6cdd0317ebda81563c
Gerrit-Change-Number: 500
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: merged
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [S] Change in openvpn[master]: NTLM: when NTLMv1 is requested, try NTLMv2 instead

2024-01-18 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/500?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by plaisthos


Change subject: NTLM: when NTLMv1 is requested, try NTLMv2 instead
..

NTLM: when NTLMv1 is requested, try NTLMv2 instead

Commit 21910ebc2ee8a6138eb2af8d38056d2b94e59f9c removed
support for NTLMv1 authentication. This adjusts the
behavior for existing configurations that specify
"ntlm" keyword.

Do not error out hard, instead just try to upgrade. This
should work fine in many cases and will avoid breaking
user configs unnecessarily on upgrade.

In addition it fixes an issue with the mentioned patch
where "auto" wasn't working correctly for NTLM anymore.

Change-Id: Iec74e88f86cd15328f993b6cdd0317ebda81563c
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Message-Id: <20240118151242.12169-1-g...@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid=20240118151242.12169-1-g...@greenie.muc.de
Signed-off-by: Gert Doering 
---
M Changes.rst
M doc/man-sections/proxy-options.rst
M src/openvpn/proxy.c
3 files changed, 18 insertions(+), 7 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/00/500/2

diff --git a/Changes.rst b/Changes.rst
index 69c811d..58cb3db 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -12,8 +12,13 @@
 ``--allow-deprecated-insecure-static-crypto`` but will be removed in
 OpenVPN 2.8.

-NTLMv1 support has been removed because it is completely insecure.
-NTLMv2 support is still available, but will removed in a future release.
+NTLMv1 authentication support for HTTP proxies has been removed.
+This is considered an insecure method of authentication that uses
+obsolete crypto algorithms.
+NTLMv2 support is still available, but will be removed in a future
+release.
+When configured to authenticate with NTLMv1 (``ntlm`` keyword in
+``--http-proxy``) OpenVPN will try NTLMv2 instead.


 Overview of changes in 2.6
diff --git a/doc/man-sections/proxy-options.rst 
b/doc/man-sections/proxy-options.rst
index ad49c60..38c4578 100644
--- a/doc/man-sections/proxy-options.rst
+++ b/doc/man-sections/proxy-options.rst
@@ -48,6 +48,8 @@
  

   Note that support for NTLMv1 proxies was removed with OpenVPN 2.7.
+  :code:`ntlm` now is an alias for :code:`ntlm2`; i.e. OpenVPN will always
+  attempt to use NTLMv2 authentication.

 --http-proxy-user-pass userpass
   Overwrite the username/password information for ``--http-proxy``. If 
specified
diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index e081532..2e8d7a8 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -497,7 +497,7 @@
 msg(M_FATAL, "HTTP_PROXY: server not specified");
 }

-ASSERT( o->port);
+ASSERT(o->port);

 ALLOC_OBJ_CLEAR(p, struct http_proxy_info);
 p->options = *o;
@@ -517,7 +517,8 @@
 #if NTLM
 else if (!strcmp(o->auth_method_string, "ntlm"))
 {
-msg(M_FATAL, "ERROR: NTLM v1 support has been removed. For now, 
you can use NTLM v2 by selecting ntlm2 but it is deprecated as well.");
+msg(M_WARN, "NTLM v1 authentication has been removed in OpenVPN 
2.7. Will try to use NTLM v2 authentication.");
+p->auth_method = HTTP_AUTH_NTLM2;
 }
 else if (!strcmp(o->auth_method_string, "ntlm2"))
 {
@@ -531,7 +532,9 @@
 }
 }

-/* only basic and NTLM/NTLMv2 authentication supported so far */
+/* When basic or NTLMv2 authentication is requested, get credentials now.
+ * In case of "auto" negotiation credentials will be retrieved later once
+ * we know whether we need any. */
 if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM2)
 {
 get_user_pass_http(p, true);
@@ -644,7 +647,8 @@

 /* get user/pass if not previously given */
 if (p->auth_method == HTTP_AUTH_BASIC
-|| p->auth_method == HTTP_AUTH_DIGEST)
+|| p->auth_method == HTTP_AUTH_DIGEST
+|| p->auth_method == HTTP_AUTH_NTLM2)
 {
 get_user_pass_http(p, false);
 }
@@ -748,7 +752,7 @@
 {
 processed = true;
 }
-else if ((p->auth_method == HTTP_AUTH_NTLM2) && !processed) /* check 
for NTLM */
+else if (p->auth_method == HTTP_AUTH_NTLM2 && !processed) /* check for 
NTLM */
 {
 #if NTLM
 /* look for the phase 2 response */


Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Iec74e88f86cd15328f993b6cdd0317ebda81563c
Gerrit-Change-Number: 500
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-MessageType: newpatchset

[Openvpn-devel] [S] Change in openvpn[master]: NTLM: when NTLMv1 is requested, try NTLMv2 instead

2024-01-18 Thread plaisthos (Code Review)
Attention is currently required from: flichtenheld.

plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/500?usp=email )

Change subject: NTLM: when NTLMv1 is requested, try NTLMv2 instead
..


Patch Set 1: Code-Review+2



Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Iec74e88f86cd15328f993b6cdd0317ebda81563c
Gerrit-Change-Number: 500
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Thu, 18 Jan 2024 13:31:06 +
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [S] Change in openvpn[master]: NTLM: when NTLMv1 is requested, try NTLMv2 instead

2024-01-12 Thread flichtenheld (Code Review)
Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to do a code review.
Please visit

http://gerrit.openvpn.net/c/openvpn/+/500?usp=email

to review the following change.


Change subject: NTLM: when NTLMv1 is requested, try NTLMv2 instead
..

NTLM: when NTLMv1 is requested, try NTLMv2 instead

Commit 21910ebc2ee8a6138eb2af8d38056d2b94e59f9c removed
support for NTLMv1 authentication. This adjusts the
behavior for existing configurations that specify
"ntlm" keyword.

Do not error out hard, instead just try to upgrade. This
should work fine in many cases and will avoid breaking
user configs unnecessarily on upgrade.

In addition it fixes an issue with the mentioned patch
where "auto" wasn't working correctly for NTLM anymore.

Change-Id: Iec74e88f86cd15328f993b6cdd0317ebda81563c
Signed-off-by: Frank Lichtenheld 
---
M Changes.rst
M doc/man-sections/proxy-options.rst
M src/openvpn/proxy.c
3 files changed, 18 insertions(+), 7 deletions(-)



  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/00/500/1

diff --git a/Changes.rst b/Changes.rst
index 69c811d..58cb3db 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -12,8 +12,13 @@
 ``--allow-deprecated-insecure-static-crypto`` but will be removed in
 OpenVPN 2.8.

-NTLMv1 support has been removed because it is completely insecure.
-NTLMv2 support is still available, but will removed in a future release.
+NTLMv1 authentication support for HTTP proxies has been removed.
+This is considered an insecure method of authentication that uses
+obsolete crypto algorithms.
+NTLMv2 support is still available, but will be removed in a future
+release.
+When configured to authenticate with NTLMv1 (``ntlm`` keyword in
+``--http-proxy``) OpenVPN will try NTLMv2 instead.


 Overview of changes in 2.6
diff --git a/doc/man-sections/proxy-options.rst 
b/doc/man-sections/proxy-options.rst
index ad49c60..38c4578 100644
--- a/doc/man-sections/proxy-options.rst
+++ b/doc/man-sections/proxy-options.rst
@@ -48,6 +48,8 @@
  

   Note that support for NTLMv1 proxies was removed with OpenVPN 2.7.
+  :code:`ntlm` now is an alias for :code:`ntlm2`; i.e. OpenVPN will always
+  attempt to use NTLMv2 authentication.

 --http-proxy-user-pass userpass
   Overwrite the username/password information for ``--http-proxy``. If 
specified
diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index e2324f4..eeb3989 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -502,7 +502,7 @@
 msg(M_FATAL, "HTTP_PROXY: server not specified");
 }

-ASSERT( o->port);
+ASSERT(o->port);

 ALLOC_OBJ_CLEAR(p, struct http_proxy_info);
 p->options = *o;
@@ -522,7 +522,8 @@
 #if NTLM
 else if (!strcmp(o->auth_method_string, "ntlm"))
 {
-msg(M_FATAL, "ERROR: NTLM v1 support has been removed. For now, 
you can use NTLM v2 by selecting ntlm2 but it is deprecated as well.");
+msg(M_WARN, "NTLM v1 authentication has been removed in OpenVPN 
2.7. Will try to use NTLM v2 authentication.");
+p->auth_method = HTTP_AUTH_NTLM2;
 }
 else if (!strcmp(o->auth_method_string, "ntlm2"))
 {
@@ -536,7 +537,9 @@
 }
 }

-/* only basic and NTLM/NTLMv2 authentication supported so far */
+/* When basic or NTLMv2 authentication is requested, get credentials now.
+ * In case of "auto" negotiation credentials will be retrieved later once
+ * we know whether we need any. */
 if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM2)
 {
 get_user_pass_http(p, true);
@@ -649,7 +652,8 @@

 /* get user/pass if not previously given */
 if (p->auth_method == HTTP_AUTH_BASIC
-|| p->auth_method == HTTP_AUTH_DIGEST)
+|| p->auth_method == HTTP_AUTH_DIGEST
+|| p->auth_method == HTTP_AUTH_NTLM2)
 {
 get_user_pass_http(p, false);
 }
@@ -753,7 +757,7 @@
 {
 processed = true;
 }
-else if ((p->auth_method == HTTP_AUTH_NTLM2) && !processed) /* check 
for NTLM */
+else if (p->auth_method == HTTP_AUTH_NTLM2 && !processed) /* check for 
NTLM */
 {
 #if NTLM
 /* look for the phase 2 response */


Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Iec74e88f86cd15328f993b6cdd0317ebda81563c
Gerrit-Change-Number: 500
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-MessageType: newchange