A bit more thorough review this time.

On 05/03/18 16:50, Arne Schwabe wrote:
[...snip...]
>
> This patch changes the client behaviour:
>
> - Treat a failed auth when using an auth-token as a soft error (USR1)
>   and clean the auth-token falling back to the original auth method

Conceptually, this makes sense.

> - Implement a new pushable option forget-token-reconnect that forces
>   to forget an auth-token when reconnecting

This I am not happy about. We should use an AUTH_FAILED,SESSION:$message
approach instead. This is what OpenVPN 3 based clients expect, and it
should actually do (read: behave) as the previous point. OpenVPN 2 does
not do that today, so it would need to be taught that instead.

> - Sending IV_PROTO=3 to signal that it is safe to send this client an
>   expiring auth-token

And as we shouldn't need forget-token-reconnect, this would also not be
needed.

> The behaviour of the server option auth-gen-token:
>
> - Automatically push forget-token-reconnect to avoid a failed
>   authentication after reconnect

This should not be needed with the AUTH_FAILED,SESSION:$message approach.

> - By default only send auth-token to clients that will gracefully
>   handle auth-token to avoid having clients not able to reconnect

What do you mean with "gracefully handle auth-token"? By fixing OpenVPN
2's behaviour (as suggested above), it should behave gracefully by
default. And I'd be willing to /consider/ this fix even for the OpenVPN
2.3 code base, for those who can't upgrade. But it will be a hard sell,
though; OpenVPN 2.4 is over a year old already.

> - Add a force option to auth-gen-token that allows ignoring whether the
>   client can handle auth-tokens

And this should also not be needed.

I'll admit I might see this with a bit too narrow a perspective. But how
I have understood this issue is that OpenVPN 2.x does not behave
correctly as it doesn't understand *why* the authentication failed. If
the client side would understand why auth failed, then it can query the
user for credentials again - which I believe should resolve the current
issues ... Or have I missed something?

--
kind regards,

David Sommerseth
OpenVPN Inc
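The following is an added illustration, not code from this thread or from OpenVPN itself, of the client-side decision the reply argues for: a client that is told *why* authentication failed (a `SESSION:` marker after `AUTH_FAILED`) can drop its cached auth-token and fall back to the original credentials, while a plain `AUTH_FAILED` stays a hard failure. The exact wire format, the `client_auth_state` struct and the function names are assumptions made for this example; the sample messages are constructed.

```c
/*
 * Added illustration (not OpenVPN's own code) of classifying an
 * AUTH_FAILED control-channel message the way the thread proposes.
 *
 * Assumptions (not taken from the thread): the message is the literal
 * "AUTH_FAILED", optionally followed by ",<reason>", and a reason that
 * starts with "SESSION:" means the rejected credential was the
 * auth-token (the session), not the user's original credentials.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum auth_fail_action {
    AUTH_ACTION_NONE,        /* not an AUTH_FAILED message at all */
    AUTH_ACTION_HARD_FAIL,   /* original credentials rejected: stop */
    AUTH_ACTION_RETRY_TOKEN  /* auth-token rejected: forget it, re-prompt, soft restart */
};

/* Hypothetical client-side state: the cached auth-token, if any. */
struct client_auth_state {
    char auth_token[128];
    bool have_token;
};

static const char AUTH_FAILED_PREFIX[] = "AUTH_FAILED";
static const char SESSION_PREFIX[] = "SESSION:";

/* Decide what the client should do with an incoming control message.
 * On a session (token) failure the cached token is wiped so that the
 * next connection attempt falls back to the original auth method. */
enum auth_fail_action classify_auth_failed(const char *msg,
                                           struct client_auth_state *st,
                                           const char **reason_out)
{
    size_t plen = strlen(AUTH_FAILED_PREFIX);
    if (strncmp(msg, AUTH_FAILED_PREFIX, plen) != 0)
        return AUTH_ACTION_NONE;
    const char *rest = msg + plen;
    if (*rest != '\0' && *rest != ',')   /* e.g. "AUTH_FAILEDX" is not a match */
        return AUTH_ACTION_NONE;

    const char *reason = (*rest == ',') ? rest + 1 : "";
    if (strncmp(reason, SESSION_PREFIX, strlen(SESSION_PREFIX)) == 0) {
        reason += strlen(SESSION_PREFIX);
        if (reason_out) *reason_out = reason;
        memset(st->auth_token, 0, sizeof st->auth_token);  /* forget the token */
        st->have_token = false;
        return AUTH_ACTION_RETRY_TOKEN;
    }
    if (reason_out) *reason_out = reason;
    return AUTH_ACTION_HARD_FAIL;  /* no reason why: treat as real credential failure */
}

/* Self-checks over constructed sample messages; each returns 1 on success. */
int check_session_failure_clears_token(void)
{
    struct client_auth_state st = { "constructed-token", true };
    const char *reason = NULL;
    enum auth_fail_action a =
        classify_auth_failed("AUTH_FAILED,SESSION:token expired", &st, &reason);
    return a == AUTH_ACTION_RETRY_TOKEN && !st.have_token &&
           st.auth_token[0] == '\0' && strcmp(reason, "token expired") == 0;
}

int check_plain_failure_is_hard(void)
{
    struct client_auth_state st = { "constructed-token", true };
    const char *reason = NULL;
    enum auth_fail_action a = classify_auth_failed("AUTH_FAILED", &st, &reason);
    return a == AUTH_ACTION_HARD_FAIL && st.have_token && strcmp(reason, "") == 0;
}

int check_other_message_ignored(void)
{
    struct client_auth_state st = { "constructed-token", true };
    return classify_auth_failed("PUSH_REPLY,route 10.0.0.0", &st, NULL) == AUTH_ACTION_NONE &&
           st.have_token;
}

int main(void)
{
    printf("session failure clears token: %d\n", check_session_failure_clears_token());
    printf("plain failure is hard:        %d\n", check_plain_failure_is_hard());
    printf("other message ignored:        %d\n", check_other_message_ignored());
    return 0;
}
```

The point the example makes is the one in the reply: only the `SESSION:` marker lets the client distinguish "your token is no longer valid, re-authenticate" from "your credentials are wrong", so no extra pushed option such as forget-token-reconnect is needed for the client to do the right thing.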
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel