[Openvpn-devel] Correct value for --client-disconnect env variable common_name

Message ID 20210917153526.912375-1-tincantech@protonmail.com
State New
Headers show
Series
  • [Openvpn-devel] Correct value for --client-disconnect env variable common_name
Related show

Commit Message

Richard T Bonhomme Sept. 17, 2021, 3:35 p.m.
From: Richard T Bonhomme <tincantech@protonmail.com>

A server configured with --client-disconnect and --username-as-common-name
will pass the X509-CN not username, after the client has completed a
renegotiation, to --client-disconnect.

Explicitly set the environment variable common_name to the current value,
which will be username in this case, prior to calling --client-disconnect.

Trac: #160

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
---
 src/openvpn/multi.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

tincantech via Openvpn-devel Oct. 10, 2021, 4:57 p.m. | #1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

I NAK this for the following reasons.

The original problem:
  "Openvpn does not set common_name for --client-disconnect",
  for reasons which have not been identified, no longer occurs.

The code has changed enough since 2011 that a new problem occurs.

The new problem:
  Openvpn sets common_name to X509-CN for --client-disconnect,
  after a client has attempted to float, successfully or not.

If this patch is applied to current Openvpn then similar behaviour
of the original problem occurs.  That being, after a client attempts
to float then common_name is not set at all.

I have also written Easy-TLS to work around this bug, as it stands,
and Easy-TLS manages connection tracking 100% successfully.

Regards
R


Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Friday, September 17th, 2021 at 16:35, <stringvest88@gmail.com> wrote:

> From: Richard T Bonhomme tincantech@protonmail.com
>
> A server configured with --client-disconnect and --username-as-common-name
>
> will pass the X509-CN not username, after the client has completed a
>
> renegotiation, to --client-disconnect.
>
> Explicitly set the environment variable common_name to the current value,
>
> which will be username in this case, prior to calling --client-disconnect.
>
> Trac: #160
>
> Signed-off-by: Richard T Bonhomme tincantech@protonmail.com
>
> src/openvpn/multi.c | 4 ++++
>
> 1 file changed, 4 insertions(+)
>
> diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
>
> index 22357cfb..c72e8e95 100644
>
> --- a/src/openvpn/multi.c
>
> +++ b/src/openvpn/multi.c
>
> @@ -557,6 +557,10 @@ setenv_stats(struct context *c)
>
> static void
>
> multi_client_disconnect_setenv(struct multi_instance *mi)
>
> {
>
> -   /* setenv client current common-name */
>
> -   setenv_str(mi->context.c2.es, "common_name",
>
> -                 tls_common_name(mi->context.c2.tls_multi, true));
>
>
> -   /* setenv client real IP address */
>
>     setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context));
>
>
> 2.25.1
-----BEGIN PGP SIGNATURE-----
Version: ProtonMail

wsBzBAEBCAAGBQJhYxtZACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ1suAgAkjPdY7Zh0qZpnSjd2nUoBwnsafzflGlzlTjzokRURa5+aAdK
zDZvyN3TTayZgVlnFWRf+lvrIQTbYyUkLSRqxWfiDabr6BxIEGeFxqWardLn
YAdfvwI8MX17HBZPXI02EJiaCnKWA90uU9OM1DRzswarc8Kakqrs61vIy/iL
LhamBby/984WrJhJq1Gv90aM25E6/GLCi9GUAHixhvxDiaeCiWDpO/asB19d
TYxJWt1yVxuELAIaot02ESMPEogorK3V9W52oN64xCieoKWYsW51OxgSFMfu
0JIv20gJdPLMM0GOPFOi3ZHVPChiLg+gh7tiQixsi4+LGMkwOT4+hw==
=+jcn
-----END PGP SIGNATURE-----

Patch

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 22357cfb..c72e8e95 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -557,6 +557,10 @@  setenv_stats(struct context *c)
 static void
 multi_client_disconnect_setenv(struct multi_instance *mi)
 {
+    /* setenv client current common-name */
+    setenv_str(mi->context.c2.es, "common_name",
+               tls_common_name(mi->context.c2.tls_multi, true));
+
     /* setenv client real IP address */
     setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context));