| Message ID | 20201023120259.29783-6-arne@rfc2549.org |
|---|---|
| State | Accepted |
| Headers |
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net> Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director12.mail.ord1d.rsapps.net ([172.27.255.55]) by backend41.mail.ord1d.rsapps.net with LMTP id 4EFlALnGkl/NMgAAqwncew (envelope-from <openvpn-devel-bounces@lists.sourceforge.net>) for <patchwork@openvpn.net>; Fri, 23 Oct 2020 08:04:09 -0400 Received: from proxy9.mail.iad3a.rsapps.net ([172.27.255.55]) by director12.mail.ord1d.rsapps.net with LMTP id sGUNALnGkl+lJQAAIasKDg (envelope-from <openvpn-devel-bounces@lists.sourceforge.net>) for <patchwork@openvpn.net>; Fri, 23 Oct 2020 08:04:09 -0400 Received: from smtp25.gate.iad3a ([172.27.255.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy9.mail.iad3a.rsapps.net with LMTPS id OIiINLjGkl8TdAAAGuSQww (envelope-from <openvpn-devel-bounces@lists.sourceforge.net>) for <patchwork@openvpn.net>; Fri, 23 Oct 2020 08:04:08 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp25.gate.iad3a.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: da1d3dec-1527-11eb-85fe-52540086a678-1-1 Received: from [216.105.38.7] ([216.105.38.7:53714] helo=lists.sourceforge.net) by smtp25.gate.iad3a.rsapps.net (envelope-from <openvpn-devel-bounces@lists.sourceforge.net>) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 9E/BE-31503-7B6C29F5; Fri, 23 Oct 2020 08:04:08 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from <openvpn-devel-bounces@lists.sourceforge.net>) id 1kVvnA-0005jL-Df; Fri, 23 Oct 2020 12:03:32 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from <arne@kamera.blinkt.de>) id 1kVvn4-0005hv-32 for openvpn-devel@lists.sourceforge.net; Fri, 23 Oct 2020 12:03:26 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=w5JuXZgs5k5VzvAUAkFw+0J+mExYkQW2adxvjzcHMiQ=; b=U162jnWG74EGhQGNNA8DsPMC7a tYo7coSBM/J6FAAoDTqV37GmliIGX/R1zOGAyXYLaPbo7FOv2l5edV2cNSkJJ9RWSghKGTPksztgT lLj4M902KMYXVjFF3PNeXpdzyLNk6dVbNcaZ3gmK0IzeLnTuPxWEzGynDvuSwyycH9/o=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=w5JuXZgs5k5VzvAUAkFw+0J+mExYkQW2adxvjzcHMiQ=; b=FgmTaxi/3HMEK/LTx9GmNcpiCz pU8UdwIr7TiDvFTM2Am7yyR4lBDo3ddTxxyt78C2h3l8IjZ+9cytamy/wvX0VpTZUETE4wGXZFy7Z 7aw6TNL3eTLg2auAntHF2WnL3ZFPbJXgInAMNIfeeRPIqTZUURv0dTHLfQ9qCV29TNBA=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-3.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1kVvms-003qj8-HV for openvpn-devel@lists.sourceforge.net; Fri, 23 Oct 2020 12:03:22 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94 (FreeBSD)) (envelope-from <arne@kamera.blinkt.de>) id 1kVvme-000JG0-4s for openvpn-devel@lists.sourceforge.net; Fri, 23 Oct 2020 14:03:00 +0200 Received: (nullmailer pid 29844 invoked by uid 10006); Fri, 23 Oct 2020 12:03:00 -0000 From: Arne Schwabe <arne@rfc2549.org> To: openvpn-devel@lists.sourceforge.net Date: Fri, 23 Oct 2020 14:02:58 +0200 Message-Id: <20201023120259.29783-6-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20201023120259.29783-1-arne@rfc2549.org> References: <20201023113244.26295-1-arne@rfc2549.org> <20201023120259.29783-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: rfc2549.org] 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1kVvms-003qj8-HV Subject: [Openvpn-devel] [PATCH 7/8] Send AUTH_FAILED message to clients on renegotiation failures X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: <openvpn-devel.lists.sourceforge.net> List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>, <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe> List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel> List-Post: <mailto:openvpn-devel@lists.sourceforge.net> List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help> List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>, <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox |
| Series |
[Openvpn-devel] Remove --disable-def-auth configure argument
|
|
Commit Message
Arne Schwabe
Oct. 23, 2020, 1:02 a.m. UTC
This changes the exit in server mode on renegotiation to an exit that
also sends an AUTH_FAILED to the client. Any previously set failed auth
reason is passed to the client.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
src/openvpn/forward.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
Comments
Acked-by: Gert Doering <gert@greenie.muc.de> I actually have a test case for this... - auth-gen-token 600 - reneg-sec 30 - sync plugin-auth-pam then it will happily renegotiate every 30 seconds, and after 10 minutes it will "fail without noticing" - the server logs 2020-11-26 15:10:30 us=755319 cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 --auth-token-gen: auth-token from client expired 2020-11-26 15:10:30 us=755355 cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 TLS: Username/auth-token authentication failed for username 'fbsd-tc-master' (but never tells the client). Eventually the keys time out: 2020-11-26 15:10:50 us=604558 cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 TLS Error: local/remote TLS keys are out of sync: [AF_INET6]2001:608:0:814::f000:21:42838 (received key id: 7, known key ids: [key#0 state=S_ACTIVE auth=KS_AUTH_FALSE id=7 sid=4ead8bbc 11847581] [key#1 state=S_ACTIVE auth=KS_AUTH_TRUE id=6 sid=4ead8bbc 11847581] [key#2 state=S_UNDEF auth=KS_AUTH_FALSE id=0 sid=00000000 00000000]) .. so pings start failing from here. 2020-11-26 15:11:00 us=968564 cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 SIGTERM[soft,auth-control-exit] received, client-instance exiting .. and on the next reneg-interval, the MI is closed. The client runs into *ping* timeout eventually... (but is never told by the server that the server instance went away): 2020-11-26 15:11:00 TLS: soft reset sec=30/30 bytes=7869/-1 pkts=61/0 2020-11-26 15:11:24 [server] Inactivity timeout (--ping-restart), restarting retries after 5s: 2020-11-26 15:11:31 us=7470 2001:608:0:814::f000:21 SENT CONTROL [cron2-freebsd-tc-amd64]: 'AUTH_FAILED,SESSION: token expired' (status=1) here the client *is* told, and re-tries 5 seconds later, with the "non-token" auth: 2020-11-26 15:11:36 us=98591 2001:608:0:814::f000:21 TLS: Username/Password authentication succeeded for username 'fbsd-tc-master' (failure of 51 seconds in here) *With* the patch, there still is silliness involved 2020-11-26 15:42:30 us=587138 cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 --auth-token-gen: auth-token from client expired 2020-11-26 15:42:30 us=587168 cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 TLS: Username/auth-token authentication failed for username 'fbsd-tc-master' 2020-11-26 15:42:30 us=591020 cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA 2020-11-26 15:42:45 us=175486 cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 TLS Error: local/remote TLS keys are out of sync: [AF_INET6]2001:608:0:814::f000:21:29307 (received key id: 7, known key ids: [key#0 state=S_ACTIVE auth=KS_AUTH_FALSE id=7 sid=028b5663 63c9dc4d] [key#1 state=S_ACTIVE auth=KS_AUTH_TRUE id=6 sid=028b5663 63c9dc4d] [key#2 state=S_UNDEF auth=KS_AUTH_FALSE id=0 sid=00000000 00000000]) .. and pings fail from 15:42:45 onwards, without telling the client. The improvement bit happens then: 2020-11-26 15:43:00 TLS: soft reset sec=30/30 bytes=7869/-1 pkts=61/0 2020-11-26 15:43:00 AUTH: Received control message: AUTH_FAILED,SESSION: token expired 2020-11-26 15:43:00 Restart pause, 5 second(s) 2020-11-26 15:43:05 [server] Peer Connection Initiated with [AF_INET6]2001:608:0:814::f000:11:51199 So on the next renegotiation the client will receive a proper error, and can reconnect right away. Ping failure time is down from 51s to 23s, so "improvement" :-) Your patch has been applied to the master branch. commit 55d5eaa3e021a21b9537a474c46636d4c2dcdac5 Author: Arne Schwabe Date: Fri Oct 23 14:02:58 2020 +0200 Send AUTH_FAILED message to clients on renegotiation failures Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20201023120259.29783-6-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21222.html Signed-off-by: Gert Doering <gert@greenie.muc.de> -- kind regards, Gert Doering
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 958246c4..67615a6b 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -155,7 +155,14 @@ check_tls(struct context *c) } else if (tmp_status == TLSMP_KILL) { - register_signal(c, SIGTERM, "auth-control-exit"); + if (c->options.mode == MODE_SERVER) + { + send_auth_failed(c, c->c2.tls_multi->client_reason); + } + else + { + register_signal(c, SIGTERM, "auth-control-exit"); + } } interval_future_trigger(&c->c2.tmp_int, wakeup);