On 2012-06-22 13:23, Samuli Seppänen wrote:
From: Adrien Bustany <adrien.bust...@nokia.com>

DAF_INITIAL_AUTH will only be set if a password was needed for client
authentication. This means that for password-less certificate
authentication, no DISCONNECT/ADDRESS messages would be sent.
---
 src/openvpn/manage.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
index 1dddd41..4148f7c 100644
--- a/src/openvpn/manage.c
+++ b/src/openvpn/manage.c
@@ -2474,7 +2474,7 @@ management_notify_client_close (struct management *management,
                                struct man_def_auth_context *mdac,
                                const struct env_set *es)
 {
- if ((mdac->flags & DAF_INITIAL_AUTH) && !(mdac->flags & DAF_CONNECTION_CLOSED))
+  if (!(mdac->flags & DAF_CONNECTION_CLOSED))
     {
       msg (M_CLIENT, ">CLIENT:DISCONNECT,%lu", mdac->cid);
man_output_env (es, true, management->connection.env_filter_level, "CLIENT"); @@ -2489,7 +2489,7 @@ management_learn_addr (struct management *management,
                       const bool primary)
 {
   struct gc_arena gc = gc_new ();
- if ((mdac->flags & DAF_INITIAL_AUTH) && !(mdac->flags & DAF_CONNECTION_CLOSED))
+  if (!(mdac->flags & DAF_CONNECTION_CLOSED))
     {
       msg (M_CLIENT, ">CLIENT:ADDRESS,%lu,%s,%d",
           mdac->cid,
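Review bot: In management_notify_client_close, once the DAF_INITIAL_AUTH test is dropped, the only remaining guard is !(mdac->flags & DAF_CONNECTION_CLOSED). A management client can therefore receive >CLIENT:DISCONNECT and the env output that follows for a cid it was never asked to authenticate. The commit message explains what was missing before but not how existing management clients are expected to handle a DISCONNECT for a cid they have no record of. Please state that in the commit message and the management interface documentation, or keep a guard that is true only for clients already announced to the management client.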
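Review bot: In management_learn_addr the condition is now the same bare !(mdac->flags & DAF_CONNECTION_CLOSED) test as in management_notify_client_close, so >CLIENT:ADDRESS is sent regardless of how the client authenticated. With the identical expression duplicated in two functions, a small helper (or a comment at both sites) would keep the two notifications from drifting apart. The documentation should also say that ADDRESS is no longer tied to password authentication.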
Hi Adrien,

We discussed this patch in our IRC meeting yesterday, and a couple of
questions popped up... First, what is the benefit of this patch? Is it
just to see if the clients connect even if they're not using password
authentication? Second, what's the impact on existing management
interface clients, i.e. can this patch break compatibility?

Best regards,

Hi Samuli

Thanks for reviewing the patch. What this patch does is, as you said, enable a program monitoring the management interface of an openvpn daemon to get connection events for clients authenticating with a password-less TLS certificate. We found it useful, since in our case that's what clients use and we still wanted to monitor who was connected and with what IP. I can't vouch 100% for backwards compatibility, mainly since I don't have a Windows machine to test the existing management interface. Is there another way to test that? Any unit tests?

Cheers

Adrien
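
A tolerant consumer of the two notifications this patch affects, as an added example that is not part of the original thread or of OpenVPN. The line formats come from the msg() calls in the diff; `ClientTracker`, `replay` and the sample lines are constructed for illustration. It records a DISCONNECT for a cid it has never seen instead of failing, which is the compatibility case raised above.

```python
import re

# Formats taken from the msg() calls shown in the patch:
#   ">CLIENT:DISCONNECT,%lu"      -> cid
#   ">CLIENT:ADDRESS,%lu,%s,%d"   -> cid, address, primary flag
DISCONNECT_RE = re.compile(r"^>CLIENT:DISCONNECT,(\d+)$")
ADDRESS_RE = re.compile(r"^>CLIENT:ADDRESS,(\d+),([^,]+),([01])$")


class ClientTracker:
    """Tracks cid -> learned addresses from management notifications."""

    def __init__(self):
        self.addresses = {}    # cid -> list of (address, primary)
        self.unannounced = []  # DISCONNECTs for cids with no prior event

    def feed(self, line):
        line = line.rstrip("\r\n")
        m = ADDRESS_RE.match(line)
        if m:
            cid, addr, primary = int(m.group(1)), m.group(2), m.group(3) == "1"
            # Do not assume an earlier event already created this cid.
            self.addresses.setdefault(cid, []).append((addr, primary))
            return "address"
        m = DISCONNECT_RE.match(line)
        if m:
            cid = int(m.group(1))
            if self.addresses.pop(cid, None) is None:
                self.unannounced.append(cid)  # tolerate it, but keep a record
            return "disconnect"
        return "ignored"  # ENV lines, log output, other notifications


# Constructed sample input; cid 7 disconnects without any earlier event.
SAMPLE = [
    ">CLIENT:ADDRESS,0,10.8.0.6,1",
    ">CLIENT:ADDRESS,1,10.8.0.10,1",
    ">CLIENT:DISCONNECT,0",
    ">CLIENT:ENV,END",  # terminator of the env output that follows DISCONNECT
    ">CLIENT:DISCONNECT,7",
    ">CLIENT:ENV,END",
]


def replay(lines):
    tracker = ClientTracker()
    for line in lines:
        tracker.feed(line)
    return tracker
```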
