From patchwork Thu Dec 8 15:31:29 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2893
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 8 Dec 2022 16:31:29 +0100
Message-Id: <20221208153129.1207228-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH] Ignore connection attempts while server is shutting down

Currently we still allow clients to connect while the server is waiting to shut down.
This window is very small (2s) and is only used when explicit-exit-notify is enabled on the server side. The chance of a client connecting during this time period is very low unless someone puts something stupid like --connect-retry 1 3 into his/her client config and forces the client to reconnect during this time period.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
src/openvpn/mudp.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index bdf35a8ba..458152335 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -229,8 +229,13 @@ multi_get_create_instance_udp(struct multi_context *m, bool *floated) if (!mi) { struct tls_pre_decrypt_state state = {0}; - - if (do_pre_decrypt_check(m, &state, real)) + if (m->deferred_shutdown_signal.signal_received) + { + msg(D_MULTI_ERRORS, + "MULTI: Connection attempt from %s ignored while server is " + "shutting down", mroute_addr_print(&real, &gc)); + } + else if (do_pre_decrypt_check(m, &state, real)) { /* This is an unknown session but with valid tls-auth/tls-crypt * (or no auth at all). If this is the initial packet of a
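Review bot: the new `msg(D_MULTI_ERRORS, ...)` in the `if (m->deferred_shutdown_signal.signal_received)` branch of multi_get_create_instance_udp() runs once per datagram from any address that has no session (`!mi`), and it is placed ahead of `do_pre_decrypt_check()`, so during the shutdown window every unauthenticated packet from an unknown source produces a log line that no tls-auth/tls-crypt check stands behind. Dropping the packet is right; consider logging it at a lower verbosity (D_MULTI_DROPPED, if that matches the convention for discarded packets in this file) or at most once per shutdown, so a reconnect storm cannot inflate the log. The branch also calls `mroute_addr_print(&real, &gc)`, and the hunk's context does not show where `gc` is declared or freed; please confirm it is the function-level arena so the printed address is released with it.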