| Message ID | 20201023120259.29783-6-arne@rfc2549.org |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [Openvpn-devel] Remove --disable-def-auth configure argument | expand |
Acked-by: Gert Doering <gert@greenie.muc.de> I actually have a test case for this... - auth-gen-token 600 - reneg-sec 30 - sync plugin-auth-pam then it will happily renegotiate every 30 seconds, and after 10 minutes it will "fail without noticing" - the server logs 2020-11-26 15:10:30 us=755319 cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 --auth-token-gen: auth-token from client expired 2020-11-26 15:10:30 us=755355 cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 TLS: Username/auth-token authentication failed for username 'fbsd-tc-master' (but never tells the client). Eventually the keys time out: 2020-11-26 15:10:50 us=604558 cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 TLS Error: local/remote TLS keys are out of sync: [AF_INET6]2001:608:0:814::f000:21:42838 (received key id: 7, known key ids: [key#0 state=S_ACTIVE auth=KS_AUTH_FALSE id=7 sid=4ead8bbc 11847581] [key#1 state=S_ACTIVE auth=KS_AUTH_TRUE id=6 sid=4ead8bbc 11847581] [key#2 state=S_UNDEF auth=KS_AUTH_FALSE id=0 sid=00000000 00000000]) .. so pings start failing from here. 2020-11-26 15:11:00 us=968564 cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 SIGTERM[soft,auth-control-exit] received, client-instance exiting .. and on the next reneg-interval, the MI is closed. The client runs into *ping* timeout eventually... (but is never told by the server that the server instance went away): 2020-11-26 15:11:00 TLS: soft reset sec=30/30 bytes=7869/-1 pkts=61/0 2020-11-26 15:11:24 [server] Inactivity timeout (--ping-restart), restarting retries after 5s: 2020-11-26 15:11:31 us=7470 2001:608:0:814::f000:21 SENT CONTROL [cron2-freebsd-tc-amd64]: 'AUTH_FAILED,SESSION: token expired' (status=1) here the client *is* told, and re-tries 5 seconds later, with the "non-token" auth: 2020-11-26 15:11:36 us=98591 2001:608:0:814::f000:21 TLS: Username/Password authentication succeeded for username 'fbsd-tc-master' (failure of 51 seconds in here) *With* the patch, there still is silliness involved 2020-11-26 15:42:30 us=587138 cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 --auth-token-gen: auth-token from client expired 2020-11-26 15:42:30 us=587168 cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 TLS: Username/auth-token authentication failed for username 'fbsd-tc-master' 2020-11-26 15:42:30 us=591020 cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA 2020-11-26 15:42:45 us=175486 cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 TLS Error: local/remote TLS keys are out of sync: [AF_INET6]2001:608:0:814::f000:21:29307 (received key id: 7, known key ids: [key#0 state=S_ACTIVE auth=KS_AUTH_FALSE id=7 sid=028b5663 63c9dc4d] [key#1 state=S_ACTIVE auth=KS_AUTH_TRUE id=6 sid=028b5663 63c9dc4d] [key#2 state=S_UNDEF auth=KS_AUTH_FALSE id=0 sid=00000000 00000000]) .. and pings fail from 15:42:45 onwards, without telling the client. The improvement bit happens then: 2020-11-26 15:43:00 TLS: soft reset sec=30/30 bytes=7869/-1 pkts=61/0 2020-11-26 15:43:00 AUTH: Received control message: AUTH_FAILED,SESSION: token expired 2020-11-26 15:43:00 Restart pause, 5 second(s) 2020-11-26 15:43:05 [server] Peer Connection Initiated with [AF_INET6]2001:608:0:814::f000:11:51199 So on the next renegotiation the client will receive a proper error, and can reconnect right away. Ping failure time is down from 51s to 23s, so "improvement" :-) Your patch has been applied to the master branch. commit 55d5eaa3e021a21b9537a474c46636d4c2dcdac5 Author: Arne Schwabe Date: Fri Oct 23 14:02:58 2020 +0200 Send AUTH_FAILED message to clients on renegotiation failures Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20201023120259.29783-6-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21222.html Signed-off-by: Gert Doering <gert@greenie.muc.de> -- kind regards, Gert Doering
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 958246c4..67615a6b 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -155,7 +155,14 @@ check_tls(struct context *c) } else if (tmp_status == TLSMP_KILL) { - register_signal(c, SIGTERM, "auth-control-exit"); + if (c->options.mode == MODE_SERVER) + { + send_auth_failed(c, c->c2.tls_multi->client_reason); + } + else + { + register_signal(c, SIGTERM, "auth-control-exit"); + } } interval_future_trigger(&c->c2.tmp_int, wakeup);
This changes the exit in server mode on renegotiation to an exit that also sends an AUTH_FAILED to the client. Any previously set failed auth reason is passed to the client. Signed-off-by: Arne Schwabe <arne@rfc2549.org> --- src/openvpn/forward.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)