Hi,

On 21-12-2020 21:25, Arne Schwabe wrote:
> On 21.12.20 at 20:11, Gert Doering wrote:
>> On Mon, Dec 21, 2020 at 06:24:36PM +0000, Greg Cox wrote:
>>> If the software were
>>> to contain a mechanism to make certain failure cases automatically more
>>> prominent, particularly for 'simple' users who have GUI clients, it'll be a
>>> big win for supportability on larger installs.
>>
>> This is indeed getting into philosophy... we do send different types of
>> AUTH_FAILED today (like, for token expired). Maybe we could send an
>> "AUTH_FAILED,cert expired" and have the client display this?
>>
>> (I admit that I'm neither an expert on AUTH_FAILED message, nor on
>> "what is the client doing on variations of it", nor on "what *should*
>> be the expected outcome?". Selva, Arne will know more).
>
> It is easy to add that message, [...]
Uhm, I would say it's impossible to send that message. AUTH_FAILED messages are sent over the control channel, while in case of certificate errors the control channel will never be initialized.

We could however do something that has the same effect: don't prevent TLS from sending its "certificate_expired" alert. OpenVPN 2 (don't know about 3) currently just doesn't respond at all if it detects a TLS error. IIRC, this extra-paranoid behaviour has saved us from at least one of the timing-based attacks on TLS from the past, but I can't recall which one. At the same time, the TLS protocol and its implementation have matured a lot since heartbleed. Possibly beyond the point where usability concerns now outweigh the security concerns.

Before anyone suggests making this optional: no. no. no. I strongly believe we should carefully consider if we want to allow TLS to send alerts, or leave this as-is.

David actually already brought this up in 2016, see this thread:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12892.html

Note that any of this is separate from the initial discussion, where Gert proposes to send notifications *before* the certificate expires.

-Steffan

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel