[Openvpn-devel] Correct value for --client-disconnect env variable common_name

Message ID 20210917153526.912375-1-tincantech@protonmail.com
State Not Applicable
Series [Openvpn-devel] Correct value for --client-disconnect env variable common_name

Commit Message

Richard T Bonhomme Sept. 17, 2021, 5:35 a.m. UTC
From: Richard T Bonhomme <tincantech@protonmail.com>

A server configured with --client-disconnect and --username-as-common-name
will pass the X509-CN not username, after the client has completed a
renegotiation, to --client-disconnect.

Explicitly set the environment variable common_name to the current value,
which will be username in this case, prior to calling --client-disconnect.

Trac: #160

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
---
 src/openvpn/multi.c | 4 ++++
 1 file changed, 4 insertions(+)
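The commit message describes a --client-disconnect hook receiving the X509 CN in common_name where the username was expected, and the discussion below describes the variable being absent altogether after a float attempt. A disconnect script that does connection tracking has to cope with both. The following is an added example, not part of this patch, of OpenVPN or of Easy-TLS: a POSIX sh --client-disconnect hook that picks a stable identity (username when --username-as-common-name is in use, otherwise common_name), flags the mismatch or missing-variable condition in its log record, and sanitises the fields before writing. The variables common_name, username, trusted_ip, trusted_port, time_duration, bytes_sent, bytes_received and script_type are the ones OpenVPN exports to the script; the log path, the PREFER_USERNAME switch and the UNKNOWN placeholder are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the patch or OpenVPN): a --client-disconnect hook that
# tracks sessions by a stable identity even when common_name is unset or, as the
# thread describes, carries the X509 CN after a renegotiation on a server that
# uses --username-as-common-name.

LOG_FILE="${DISCONNECT_LOG:-/var/log/openvpn/disconnects.log}"  # assumed path
PREFER_USERNAME="${PREFER_USERNAME:-yes}"  # assumed knob: set to "no" without --username-as-common-name

# Print the identity to track. With prefer=yes the username wins when present;
# otherwise fall back to common_name. Returns 1 when neither is available.
client_identity() {
    cn="$1"; user="$2"; prefer_user="${3:-yes}"
    if [ "$prefer_user" = yes ] && [ -n "$user" ]; then
        printf '%s\n' "$user"
    elif [ -n "$cn" ]; then
        printf '%s\n' "$cn"
    else
        return 1
    fi
}

# Classify what OpenVPN handed us. With --username-as-common-name the two values
# should agree; a differing non-empty common_name means the X509 CN came through,
# and an empty one is the "not set at all" case from the thread.
# Prints one of: ok, mismatch, missing.
check_consistency() {
    cn="$1"; user="$2"
    if [ -z "$cn" ]; then
        echo missing
    elif [ -n "$user" ] && [ "$cn" != "$user" ]; then
        echo mismatch
    else
        echo ok
    fi
}

# Restrict a client-influenced field to a safe character set so a crafted
# username or CN cannot inject newlines or control characters into the log.
sanitize() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9._@:-'
}

# Build one log record.
# args: identity status trusted_ip trusted_port duration bytes_in bytes_out
format_record() {
    printf 'disconnect id=%s status=%s src=%s:%s duration=%s rx=%s tx=%s\n' \
        "$(sanitize "$1")" "$2" "$(sanitize "$3")" "$(sanitize "$4")" \
        "$(sanitize "$5")" "$(sanitize "$6")" "$(sanitize "$7")"
}

main() {
    status=$(check_consistency "${common_name:-}" "${username:-}")
    id=$(client_identity "${common_name:-}" "${username:-}" "$PREFER_USERNAME") || id="UNKNOWN"
    format_record "$id" "$status" "${trusted_ip:-}" "${trusted_port:-}" \
        "${time_duration:-}" "${bytes_received:-}" "${bytes_sent:-}" >> "$LOG_FILE"
}

# OpenVPN sets script_type for every script it runs; only act when called as the
# client-disconnect hook so the functions above can be sourced and tested alone.
if [ "${script_type:-}" = "client-disconnect" ]; then
    main
fi
```

A "mismatch" or "missing" status in the log is a direct indicator that the server is exhibiting the behaviour this patch discusses; alerting on it is cheaper than reconciling sessions after the fact.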

Comments

Kristof Provost via Openvpn-devel Oct. 10, 2021, 5:57 a.m. UTC | #1

Hi,

I NAK this for the following reasons.

The original problem:
  "Openvpn does not set common_name for --client-disconnect",
  for reasons which have not been identified, no longer occurs.

The code has changed enough since 2011 that a new problem occurs.

The new problem:
  Openvpn sets common_name to X509-CN for --client-disconnect,
  after a client has attempted to float, successfully or not.

If this patch is applied to current Openvpn then behaviour similar to
the original problem occurs.  That is, after a client attempts to
float, common_name is not set at all.

I have also written Easy-TLS to work around this bug, as it stands,
and Easy-TLS manages connection tracking 100% successfully.

Regards
R


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Friday, September 17th, 2021 at 16:35, <stringvest88@gmail.com> wrote:

> From: Richard T Bonhomme tincantech@protonmail.com
>
> A server configured with --client-disconnect and --username-as-common-name
> will pass the X509-CN not username, after the client has completed a
> renegotiation, to --client-disconnect.
>
> Explicitly set the environment variable common_name to the current value,
> which will be username in this case, prior to calling --client-disconnect.
>
> Trac: #160
>
> Signed-off-by: Richard T Bonhomme tincantech@protonmail.com
>
> src/openvpn/multi.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
>
> index 22357cfb..c72e8e95 100644
>
> --- a/src/openvpn/multi.c
>
> +++ b/src/openvpn/multi.c
>
> @@ -557,6 +557,10 @@ setenv_stats(struct context *c)
>
> static void
>
> multi_client_disconnect_setenv(struct multi_instance *mi)
>
> {
>
> -   /* setenv client current common-name */
>
> -   setenv_str(mi->context.c2.es, "common_name",
>
> -                 tls_common_name(mi->context.c2.tls_multi, true));
>
>
> -   /* setenv client real IP address */
>
>     setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context));
>
>
> 2.25.1

Patch

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 22357cfb..c72e8e95 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -557,6 +557,10 @@  setenv_stats(struct context *c)
 static void
 multi_client_disconnect_setenv(struct multi_instance *mi)
 {
+    /* setenv client current common-name */
+    setenv_str(mi->context.c2.es, "common_name",
+               tls_common_name(mi->context.c2.tls_multi, true));
+
     /* setenv client real IP address */
     setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context));
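Review bot: the `true` passed to tls_common_name() in the added setenv_str() call asks for NULL, rather than a placeholder, when the tls_multi has no common name recorded, and setenv_str() given a NULL value removes the variable from the env set instead of setting it; that is the behaviour the NAK in the thread reports (after a client attempts to float, common_name is not set at all). Either guard the call so the variable keeps its previous value when tls_common_name() returns NULL, e.g. `const char *cn = tls_common_name(mi->context.c2.tls_multi, true); if (cn) { setenv_str(..., "common_name", cn); }`, or pass `false` and document in the comment why an UNDEF value is acceptable for --client-disconnect. The comment `/* setenv client current common-name */` should also say that "current" means the post-renegotiation value (username under --username-as-common-name), since that is the whole point of the change.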