| Message ID | 20260315230620.1594780-1-luca.boccassi@gmail.com |
|---|---|
| Headers | show
From: luca.boccassi@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 15 Mar 2026 23:05:28 +0000
Message-ID: <20260315230620.1594780-1-luca.boccassi@gmail.com>
X-Mailer: git-send-email 2.47.3
In-Reply-To: <20260315184337.1541272-1-luca.boccassi@gmail.com>
References: <20260315184337.1541272-1-luca.boccassi@gmail.com>
Subject: [Openvpn-devel] [PATCH v2 0/3] Two small fixes for auth via tokens
|
| Series | Two small fixes for auth via tokens |
From: Luca Boccassi <luca.boccassi@gmail.com>

When JWT (json web tokens) are used by a server to authenticate the client, the default TLS channel buffer size and password length are too small. In my local case connecting to an Azure VPN server, the Entra ID token is ~2100 bytes.

With these small changes, it is possible to successfully connect to an Azure VPN endpoint using the OpenVPN 2.7 client, using a dummy username, an Entra token as password and the server-secret from the azvpn XML config that users get as tls-auth key.

v2: also use the USER_PASS_LEN macro in the management channel params.

Luca Boccassi (3):
  Increase TLS_CHANNEL_BUF_SIZE from 2048 to 8192
  Unconditionally set USER_PASS_LEN to 4096
  Ensure the management channel can take passwords up to the max length

 src/openvpn/common.h  | 2 +-
 src/openvpn/manage.c  | 4 ++--
 src/openvpn/misc.h    | 4 ----
 src/openvpn/options.h | 6 +++---
 4 files changed, 6 insertions(+), 10 deletions(-)