From patchwork Thu Mar 26 06:23:30 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1054
Received: (nullmailer pid 2401 invoked by uid 10006); Thu, 26 Mar 2020
 17:23:32 -0000
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 26 Mar 2020 18:23:30 +0100
Message-Id: <20200326172332.2356-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.17.1
Subject: [Openvpn-devel] [PATCH 1/3] [Auth-token] Fix session id and initial timestamp not being preserved

In the initial state of checking whether an auth-token has been validated, the check checks if multi->auth_token is already set and only then sets the value. This defeats the purpose and always leads to a new auth-token with a new session id and lifetime being generated when the server restarts or the client reconnects to another server.
--- src/openvpn/ssl_verify.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index da0966c5..226daf3d 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c
@@ -1381,7 +1381,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, * to store the auth-token in multi->auth_token, so * the initial timestamp and session id can be extracted from it */ - if (multi->auth_token && (multi->auth_token_state_flags & AUTH_TOKEN_HMAC_OK) + if ((multi->auth_token_state_flags & AUTH_TOKEN_HMAC_OK) && !(multi->auth_token_state_flags & AUTH_TOKEN_EXPIRED)) { multi->auth_token = strdup(up->password); From patchwork Thu Mar 26 06:23:31 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1052 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director9.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id KLwdK1rlfF5BOgAAIUCqbw for ; Thu, 26 Mar 2020 13:24:42 -0400 Received: from proxy6.mail.ord1d.rsapps.net ([172.30.191.6]) by director9.mail.ord1d.rsapps.net with LMTP id +KH5KlrlfF46WgAAalYnBA ; Thu, 26 Mar 2020 13:24:42 -0400 Received: from smtp29.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy6.mail.ord1d.rsapps.net with LMTP id yBSAKlrlfF6QXgAAQyIf0w ; Thu, 26 Mar 2020 13:24:42 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp29.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: acfc798c-6f86-11ea-8e05-525400f257a9-1-1 Received: from [216.105.38.7] ([216.105.38.7:37856] helo=lists.sourceforge.net) by 
smtp29.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 8C/0B-30216-955EC7E5; Thu, 26 Mar 2020 13:24:41 -0400
Received: from mail.blinkt.de ([192.26.174.232]) by
 sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1jHWEI-000nit-0C for openvpn-devel@lists.sourceforge.net; Thu, 26 Mar 2020 17:23:48 +0000
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 26 Mar 2020 18:23:31 +0100
Message-Id: <20200326172332.2356-2-arne@rfc2549.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20200326172332.2356-1-arne@rfc2549.org>
References: <20200326172332.2356-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 2/3] [Auth-token] Fix session id in env missing first byte

sizeof for a constant string returns the size including the null byte. For copying the session id this meant that we do not copy the first byte. This made the session id reported to the external authenticator one byte shorter than it was intended to be.

Acked-by: Gert Doering
--- src/openvpn/auth_token.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index 6275299d..585679dc 100644
--- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c 
@@ -121,7 +121,7 @@ add_session_token_env(struct tls_session *session, struct tls_multi *multi, */ char session_id[AUTH_TOKEN_SESSION_ID_LEN*2] = {0}; - memcpy(session_id, session_id_source + sizeof(SESSION_ID_PREFIX), + memcpy(session_id, session_id_source + strlen(SESSION_ID_PREFIX), AUTH_TOKEN_SESSION_ID_LEN*8/6); setenv_str(session->opt->es, "session_id", session_id); From patchwork Thu Mar 26 06:23:32 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1053 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id 8PIqBlzlfF7ULwAAIUCqbw for ; Thu, 26 Mar 2020 13:24:44 -0400 Received: from proxy9.mail.ord1d.rsapps.net ([172.30.191.6]) by director11.mail.ord1d.rsapps.net with LMTP id 4J/eBVzlfF7+VQAAvGGmqA ; Thu, 26 Mar 2020 13:24:44 -0400 Received: from smtp5.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy9.mail.ord1d.rsapps.net with LMTP id oNrVBFzlfF6EXQAA7h+8OQ ; Thu, 26 Mar 2020 13:24:44 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp5.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: ae22440e-6f86-11ea-a106-525400d73c44-1-1 Received: from [216.105.38.7] ([216.105.38.7:37868] helo=lists.sourceforge.net) by smtp5.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS 
(cipher=DHE-RSA-AES256-GCM-SHA384) id CD/0F-19730-B55EC7E5; Thu, 26 Mar 2020 13:24:43 -0400
Received: from [192.26.174.232] (helo=mail.blinkt.de) by sfi-mx-3.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id
 1jHWEP-004eCw-Fq for openvpn-devel@lists.sourceforge.net; Thu, 26 Mar 2020 17:23:50 +0000
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 26 Mar 2020 18:23:32 +0100
Message-Id: <20200326172332.2356-3-arne@rfc2549.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20200326172332.2356-1-arne@rfc2549.org>
References: <20200326172332.2356-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 3/3] [auth-token] Document renewal mechanic of auth-token in manual

Our man page was missing the information that the lifetime of the auth-token also depends on the reneg-sec.

Acked-by: Gert Doering
--- doc/openvpn.8 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 864f94e8..f890e7a2 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8
@@ -3741,6 +3741,12 @@ argument defines how long the generated token is valid. The lifetime is defined in seconds. If lifetime is not set or it is set to 0, the token will never expire. +The token will expire either after the lifetime of the token or after +not being renewed for 2 * +.B reneg\-sec +seconds. Clients are being send renewed tokens on every +TLS renogiation to keep the client's token updated. + This feature is useful for environments which is configured to use One Time Passwords (OTP) as part of the user/password authentications and that authentication mechanism does not
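Review bot: In [PATCH 1/3], the rewritten condition in verify_user_pass() (src/openvpn/ssl_verify.c) no longer looks at multi->auth_token at all, so `multi->auth_token = strdup(up->password);` now runs on every call where AUTH_TOKEN_HMAC_OK is set and AUTH_TOKEN_EXPIRED is not, including calls where the pointer already holds a token. That replaces the stored value, which the comment above says is kept so the initial timestamp and session id can be extracted from it, and it leaks the previous allocation unless that is freed somewhere outside the visible lines. If the intent is to store the token only in the initial state, test `!multi->auth_token` rather than dropping the test; otherwise free the old string before assigning. The strdup() result is also used without a NULL check.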
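Review bot: In [PATCH 2/3], the memcpy in add_session_token_env() (src/openvpn/auth_token.c) still reads a fixed `AUTH_TOKEN_SESSION_ID_LEN*8/6` bytes starting at `session_id_source + strlen(SESSION_ID_PREFIX)`, and nothing in the visible lines shows that session_id_source is at least that long or that it actually begins with the prefix. Please either check the length before the copy or add a comment naming the caller-side guarantee, since this value is exported to the external authenticator through setenv_str(). Two smaller points: `sizeof(SESSION_ID_PREFIX) - 1` would keep the offset a compile-time constant, and the `*8/6` factor deserves a named macro or a one-line comment saying it is the base64-encoded length of the session id.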
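Review bot: In [PATCH 3/3], the added paragraph in doc/openvpn.8 sits directly after the sentence "If lifetime is not set or it is set to 0, the token will never expire" and now appears to contradict it, because a token that is not renewed for 2 * reneg-sec seconds expires regardless. Please state whether the 2 * reneg-sec limit also applies when lifetime is 0 or unset, and reword the preceding sentence to match. The added lines also carry two typos: "Clients are being send" should be "sent", and "TLS renogiation" should be "renegotiation".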