-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi,
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Friday, 23 April 2021 08:12, Antonio Quartulli <a...@unstable.cc> wrote: > Hi, > > On 22/04/2021 23:02, tincantech via Openvpn-devel wrote: > > > hi, > > I am requesting that $daemon_pid be added to the --tls-crypt-v2-verify > > environment. > > The environment for --tls-crypt-v2-verify was designed to be extremely > minimal. > Anything concerning tls-crypt verification was designed to be as minimal > as possible. > > Indeed, differently from other scripts, the env for tls-crypt-v2 is > created empty and then only a very few variables are added. > > Anything that was deemed not necessary for the metadata verification was > not passed. I understand your reasoning, however, in the case of daemon_pid would you not consider the process to be "more secure" if openvpn *does* provide the PID in the environment, rather than have the script read the PID from a file? Having to configure openvpn to write the PID and then read the PID is two steps which can introduce user bound misconfiguration errors. > > I can imagine you have a usecase for daemon_pid, but I am sure more > people will have other arguments for other variables as well. Hence the > idea to design something extremely minimal and leave more complex logics > to following (post-auth) steps. I reviewed all the other variables for inclusion viability and, with the exception of "untrusted_ip / untrusted_ip6", I came to the conclusion that the *only* variable which does come with a genuine security bonus is daemon_pid. (As outlined in my previous comment) As for untrusted_ip*, it definitely could be useful to --tls-crypt-v2-verify but I'm not asking for that here. Perhaps on reading this other members will see how it can be of benefit to the scripts versatility.. (The same goes for untrusted_port but that seems less useful over all) I would also quote that old, old expression "Security through Obscurity" https://en.wikipedia.org/wiki/Security_through_obscurity > > > FTR: $daemon_pid is currently undocumented in all three manuals. > > It'd be nice to have such documentation added :-) I hope that your not suggesting that I provide documentation for something which you then refuse to allow me to use ? ;-) Not only but also, "you give a little, you get a little" :D In conclusion, I request that OpenVPN review their earlier decision to be so *cruelly frugal* to --tls-crypt-v2-verify, on this one occasion. Thanks for your informed and collective consideration, R -----BEGIN PGP SIGNATURE----- Version: ProtonMail wsBzBAEBCAAGBQJggrqWACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec 9muQuJ1ZWwgAkgKYkbfa04CCrqu2pVYxYnt4bcRCvMV7qI8RM37PliG8b2Bx 6qDPMUAZ1DwIL59WKYahtKOIVcp5gLXLoAlrfJy+FMRfJodnGT3iPz3no+Ew HWTsiwTXjUozGnD3fIviVfzbcXIb082WRzKP1/IpAtTztnBv6Aq6i5vLb/mJ Ghh/YJIDsaV012dz8qLX9oVbmd8SycfyhKa8E1IwlpkbHsJlqUYo/rxOeXTY 1q4J07aNk1bwPAQU0bWbxf04ItLqeAnoWESnaTc6gWz4fXaRM3XiMuUDFzFl 6FFRQeGkrJAdY2N/ZdAwcNSY3PDkFmu5MPBoaw6lmeBMMoFxG4S/kg== =ZBp4 -----END PGP SIGNATURE-----
publickey - tincantech@protonmail.com - 0x09BC3D44.asc
Description: application/pgp-keys
publickey - tincantech@protonmail.com - 0x09BC3D44.asc.sig
Description: PGP signature
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
