On 21.12.20 at 20:11, Gert Doering wrote:
> Hi,
>
> On Mon, Dec 21, 2020 at 06:24:36PM +0000, Greg Cox wrote:
>> My contention is, a VPN client has enough information from its own certs to
>> know when its certs are expired and thus not going to work (Yes, there's
>> plenty of OTHER reasons a connection can fail, but in a well designed
>> setup, the user's certs will go stale long before the server). It tells
>> you this problem in the logs, which folks never read.
>
> We consciously decided to make this not more prominent (so, warning only,
> not error) because the client's machine's time might be wrong - and
> ultimately it's the server's notion of time that decides if the cert
> is valid or not. So this is a hint, but not a "IT WILL NOT WORK!" hard
> error.
>
>> If the software were
>> to contain a mechanism to make certain failure cases automatically more
>> prominent, particularly for 'simple' users who have GUI clients, it'll be a
>> big win for supportability on larger installs.
>
> This is indeed getting into philosophy... we do send different types of
> AUTH_FAILED today (like, for token expired). Maybe we could send an
> "AUTH_FAILED,cert expired" and have the client display this?
>
> (I admit that I'm neither an expert on AUTH_FAILED message, nor on
> "what is the client doing on variations of it", nor on "what *should*
> be the expected outcome?". Selva, Arne will know more).
It is easy to add that message, however the question is if we want to.

Sending different AUTH_FAILED messages also leaks information. Especially with authentication you don't want to give an attacker an idea how far they get before failing the authentication. I.e. if you send user disabled, certificate expired, account not allowed to use VPN etc., an attacker gets information about the account/profile he is using to connect.

So with these AUTH_FAILED codes you have to be very careful not to accidentally leak information. I.e. AUTH_FAILED, cert expired happens only if user/pass is right/wrong, otherwise you get a normal AUTH_FAILED.

HOWEVER, on the client side, we can transform a normal AUTH_FAILED into an AUTH_FAILED, server gave no reason, [client certificate is expired] or something like that.

Arne

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel