On Wed, Feb 1, 2017 at 3:33 AM, Antonio Quartulli <a...@unstable.cc> wrote:
> On Wed, Feb 01, 2017 at 11:04:55AM +0800, Antonio Quartulli wrote:
> > > That said, there is one issue with this approach. Looks like SIGUSR1
> > > restarts will now always prompt for proxy password, which is not proper.
> >
> > Right! Thanks for pointing this out!
>
> Actually I'd like to understand the expected behaviour: if SIGUSR1 is issued,
> openvpn should re-read the file containing the HTTP proxy credentials, but, if
> stdin was specified, it should not ask the user for user/pass again?
>
> So in case of stdin the only way to re-enter the user/pass is to restart
> openvpn?
>
> What's your opinion on this?

I wrote SIGUSR1 but it's the same with SIGHUP. All [*] passwords are cached
by default and http-proxy password is always cached (auth-nocache or not).
So the expected behaviour is for the password to be read only once during the
lifetime of the process unless an auth error happens.

The source of the password does not matter (stdin, systemd, file, mgmt,
inline etc.), it's always read using get_user_pass which gets it afresh if
no cached copy is available.

With only one cache per password type, this expects that passwords are not
remote-specific. As we support only one auth-user-pass or one private key
pass per config I think the intent was to support only one proxy password.
Allowing http-proxy in <connection/> block gives a different impression,
though.

Selva

[*] Not sure about socks password
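
The caching behaviour described in the message above, as an added example that is not part of the original message and is not OpenVPN source code. It models one cache slot per password type with a read-once, purge-on-auth-error policy; `cred_cache`, `get_cred`, `purge_cred` and the sample passwords are hypothetical names and constructed values.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Simplified model, not OpenVPN source; all names are hypothetical. */
struct cred_cache {
    bool defined;        /* true once a password has been read */
    char password[64];
    int reads;           /* how many times the source was consulted */
};

static struct cred_cache proxy_cache;  /* one slot per password type */

/* Return the cached password; consult `source` (standing in for stdin,
 * a file, management, ...) only when no cached copy is available. */
static const char *get_cred(struct cred_cache *c, const char *source)
{
    if (!c->defined) {
        snprintf(c->password, sizeof(c->password), "%s", source);
        c->defined = true;
        c->reads++;
    }
    return c->password;
}

/* Auth error: wipe the slot so the next call reads the password afresh.
 * Production code should use a wipe the compiler cannot optimise away. */
static void purge_cred(struct cred_cache *c)
{
    memset(c->password, 0, sizeof(c->password));
    c->defined = false;
}

/* Start, soft restart, second connection block, then an auth error.
 * Returns how many times the password source was actually read. */
static int run_scenario(char *second_remote_pw, size_t len)
{
    memset(&proxy_cache, 0, sizeof(proxy_cache));
    get_cred(&proxy_cache, "pw-for-proxy-A");  /* initial connect: read */
    get_cred(&proxy_cache, "pw-for-proxy-A");  /* after SIGUSR1: cached, no prompt */
    /* A second connection block with its own proxy still gets A's password. */
    snprintf(second_remote_pw, len, "%s", get_cred(&proxy_cache, "pw-for-proxy-B"));
    purge_cred(&proxy_cache);                  /* auth error */
    get_cred(&proxy_cache, "pw-for-proxy-B");  /* read afresh */
    return proxy_cache.reads;
}

int main(void)
{
    char seen[64];
    printf("source reads: %d, second remote saw: %s\n", run_scenario(seen, sizeof(seen)), seen);
    return 0;
}
```

The single shared slot is why a per-connection proxy password would be served the first remote's cached value until an auth error clears it.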