Re: [Openvpn-devel] [PATCH v2] Introduce webauth auth pending method and deprecate openurl

Sun, 08 Aug 2021 16:54:04 -0700 

Hi,

-proxy_url
> -========
> -This is a variant of openurl that allows opening a url via an
> +webauth with proxy
> +==================
> +This is a variant of webauth that allows opening a url via an
>  HTTP proxy. It could be used to avoid issues with OpenVPN connection's
>  persist-tun that may cause the web server to be unreachable.
>  The client should announce proxy_url in its IV_SSO and parse the
>  PROXY_URL message. The format of {EXTRA} in this case is
>

"PROXY_URL message"  above should be replaced by "proxy flag and related
flags in the message" (Gert has already pointed this out.)
But we keep the requirement that compliant clients should announce "proxy"
in IV_SSO, right? As the flag is called "proxy", I suggest we change that
IV_SSO value to "proxy" as well.

With "flags", WEBAUTH  is extensible and we have to decide which features
require an explicit announce from the client. As not every client may be
ready to support proxy, looks reasonable to require it in IV_SSO.

We may soon require a section titled IV_SSO and list all legal values in
there.

-
> PROXY_URL:<proxy>:<proxy_port>:<proxyuser_base64>:<proxy_password_base64>:url
> +
> WEB_AUTH:proxy=<proxy>;<proxy_port>;<proxyuser_base64>;<proxy_password_base64>,flags:url
>

This may be an opportunity to change proxyuser_base64 to proxy_user_base64
as well. That would match proxy_password_base64 and proxy_port.


>
>  The proxy should be a literal IPv4 address or IPv6 address enclosed in []
> to avoid
>  ambiguity in parsing. A literal IP address is preferred as DNS might not
> be
> diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in
> index abbfd9c2a..28b845af1 100644
> --- a/include/openvpn-plugin.h.in
> +++ b/include/openvpn-plugin.h.in
> @@ -573,7 +573,7 @@ OPENVPN_PLUGIN_DEF openvpn_plugin_handle_t
> OPENVPN_PLUGIN_FUNC(openvpn_plugin_op
>   * auth_pending_file is
>   * line 1: timeout in seconds
>   * line 2: Pending auth method the client needs to support (e.g. openurl)
> - * line 3: EXTRA (e.g. OPEN_URL:http://www.example.com)
> + * line 3: EXTRA (e.g. WEBAUTH::http://www.example.com)
>   *
>   * In addition the OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER and
>   * OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 are called when OpenVPN tries to
> --


Looks good otherwise.

Selva

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel






















					Reply via email to