| Message ID | 20260315184337.1541272-1-luca.boccassi@gmail.com |
|---|---|
| Headers |
From: luca.boccassi@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 15 Mar 2026 18:39:54 +0000
Message-ID: <20260315184337.1541272-1-luca.boccassi@gmail.com>
Subject: [Openvpn-devel] [PATCH 0/2] Two small fixes for auth via tokens
|
| Series |
Two small fixes for auth via tokens
|
From: Luca Boccassi <luca.boccassi@gmail.com>

When JWT (json web tokens) are used by a server to authenticate the client, the default TLS channel buffer size and password length are too small. In my local case connecting to an Azure VPN server, the Entra ID token is ~2100 bytes.

With these two small changes, it is possible to successfully connect to an Azure VPN endpoint using the OpenVPN 2.7 client, using a dummy username, an Entra token as password and the server-secret from the azvpn XML config that users get as tls-auth key.

Luca Boccassi (2):
  Increase TLS_CHANNEL_BUF_SIZE from 2048 to 8192
  Unconditionally set USER_PASS_LEN to 4096

 src/openvpn/common.h | 2 +-
 src/openvpn/misc.h   | 4 ----
 2 files changed, 1 insertion(+), 5 deletions(-)