Hi,

On Mon, Dec 21, 2020 at 06:24:36PM +0000, Greg Cox wrote:
> My contention is, a VPN client has enough information from its own certs to
> know when its certs are expired and thus not going to work (Yes, there's
> plenty of OTHER reasons a connection can fail, but in a well designed
> setup, the user's certs will go stale long before the server). It tells
> you this problem in the logs, which folks never read.

We consciously decided to make this not more prominent (so, warning only,
not error) because the client's machine's time might be wrong - and
ultimately it's the server's notion of time that decides if the cert is
valid or not. So this is a hint, but not an "IT WILL NOT WORK!" hard error.

> If the software were
> to contain a mechanism to make certain failure cases automatically more
> prominent, particularly for 'simple' users who have GUI clients, it'll be a
> big win for supportability on larger installs.

This is indeed getting into philosophy... we do send different types of
AUTH_FAILED today (like, for token expired). Maybe we could send an
"AUTH_FAILED,cert expired" and have the client display this?

(I admit that I'm neither an expert on AUTH_FAILED messages, nor on "what is
the client doing on variations of it", nor on "what *should* be the expected
outcome?". Selva, Arne will know more.)

> And I realize this is getting into advocacy and away from what's right for
> a -devel list, so I'll stop here on this thread.

I find this a very useful exchange, and I would call it "on-topic on
openvpn-devel". The openvpn-users list is more about "end user issues",
but what you and Max bring forward is "this is where openvpn could be
more helpful for admins" - and we developers want to listen to that :-)

For me, openvpn usually does what I want (and if not, I start threads
like this one, and try to either code it myself or convince one of the
others that "we!" want to have this and they should code it :-) ) - but
since this is openvpn, there is a myriad of other ways to use it which I
might have never thought about...

gert
--
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
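The two points made above (a client can read its own certificate's validity window and warn early, but only the verifying peer's clock decides whether the certificate is actually accepted) can be shown with nothing more than the openssl CLI. The following is an added example, not OpenVPN's own code or behaviour: it generates a throwaway self-signed client certificate valid for one day, runs the kind of local pre-connect check a client could do ("openssl x509 -checkend"), and then re-verifies the same certificate under a different notion of "now" ("openssl verify -attime") to show why the local result is a hint rather than a hard error. File names and the 7-day warning threshold are arbitrary choices made here.

```sh
#!/bin/sh
# Added example (not OpenVPN project code). Requires the openssl CLI.
# Demonstrates: (1) a client-side "will my cert work?" check driven by the
# local clock, (2) the same cert judged by a peer whose clock differs.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CERT="$WORKDIR/client.crt"   # arbitrary file names for this example
KEY="$WORKDIR/client.key"

# Constructed test material: a self-signed client cert valid for 1 day,
# so "expires within 7 days" is true while "expired now" is false.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$KEY" -out "$CERT" -subj "/CN=openvpn-client-example" 2>/dev/null

# Returns 0 if CERT is still valid SECONDS from now according to the LOCAL
# clock, 1 if it will have expired by then. "-checkend 0" asks "is it
# expired right now"; a larger value turns this into an early warning.
# This is exactly the information a client has from its own cert, and
# exactly as trustworthy as the machine's clock.
warn_if_expiring() {
    cert=$1; seconds=$2
    openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null
}

# Returns 0 if CERT verifies at Unix time EPOCH, non-zero otherwise.
# "-attime" substitutes another party's idea of "now": this models the
# server-side view, which is what actually decides whether the session
# is accepted. The cert is used as its own trust anchor here because it
# is self-signed; a real client would have the CA cert instead.
valid_at() {
    cert=$1; epoch=$2
    openssl verify -attime "$epoch" -CAfile "$cert" "$cert" >/dev/null 2>&1
}

NOW=$(date +%s)

# Local pre-connect hints (warning only, never a hard failure):
if warn_if_expiring "$CERT" 0; then
    echo "local clock: certificate not expired"
else
    echo "WARNING: local clock says certificate expired (check the clock too)"
fi
if warn_if_expiring "$CERT" $((7 * 86400)); then
    echo "local clock: certificate good for at least 7 days"
else
    echo "WARNING: certificate expires within 7 days"
fi

# The peer's clock decides; the same cert passes or fails depending on it:
if valid_at "$CERT" "$NOW"; then
    echo "peer clock = now: verify OK"
fi
if ! valid_at "$CERT" $((NOW + 3 * 86400)); then
    echo "peer clock +3 days: verify fails (certificate has expired)"
fi
if ! valid_at "$CERT" $((NOW - 3 * 86400)); then
    echo "peer clock -3 days: verify fails (certificate not yet valid)"
fi
```

The last two cases are the reason a local expiry check can only be a hint: a client whose clock is skewed would raise or suppress the warning wrongly, while the server, verifying with its own time, reaches the opposite conclusion. A client that wants to surface this to a GUI user should therefore phrase it as "your certificate appears expired, or your clock is wrong", not as a definitive connection failure.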