Hi,

On Mon, Oct 10, 2022 at 09:12:29AM +0200, Gert Doering wrote:
> We do not permit username changes on renegotiation (= username is
> "locked" after successful initial authentication).
>
> Unfortunately the way this is written this gets in the way of using
> auth-user-pass-optional + pushing "auth-token-user" from client-connect
> (and most likely also "from management") because we'll lock an empty
> username, and on renegotiation, refuse the client with
>
>    TLS Auth Error: username attempted to change from
>    '' to 'MyTokenUser' -- tunnel disabled
>
> Fix: extend "is username a valid pointer" to "... and points to a
> non-empty string" before locking.

FTR, this patch was superseded by Arne's "--override-username" patch
which just now landed in master.

commit ebd433bd1e40917793903f76883d114d820e992d
Author: Arne Schwabe <a...@rfc2549.org>
Date:   Tue Mar 11 16:59:04 2025 +0100

    Implement override-username

Also FTR, this is also https://github.com/OpenVPN/openvpn/issues/299

gert

--
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
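
A simplified C model of the username lock described in the quoted message, added here as an illustration: it is not OpenVPN code, and `struct session`, `check_username` and `run_rounds` are hypothetical names. It shows the empty-username lock rejecting the token user on renegotiation, and the non-empty check still refusing a later change to a different username.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not OpenVPN source; every name here is hypothetical. */
struct session {
    char *locked_username;            /* NULL until a username is locked */
};

/* Lock on first use, then require every later username to match.
 * fixed=false: lock any valid pointer (behaviour in the quoted message).
 * fixed=true:  lock only a non-empty string (the fix it proposes). */
static bool check_username(struct session *s, const char *username, bool fixed)
{
    if (s->locked_username != NULL)
        return username != NULL && strcmp(s->locked_username, username) == 0;
    if (username == NULL || (fixed && username[0] == '\0'))
        return true;                  /* nothing to lock yet */
    s->locked_username = malloc(strlen(username) + 1);
    if (s->locked_username == NULL)
        return false;                 /* fail closed on allocation failure */
    strcpy(s->locked_username, username);
    return true;
}

/* Run a sequence of (re)negotiations; bit i is set if round i was accepted. */
static unsigned run_rounds(const char *const *names, size_t n, bool fixed)
{
    struct session s = { NULL };
    unsigned accepted = 0;
    for (size_t i = 0; i < n; i++)
        if (check_username(&s, names[i], fixed))
            accepted |= 1u << i;
    free(s.locked_username);
    return accepted;
}

int main(void)
{
    /* Constructed input: empty initial username, token user set afterwards,
     * one more renegotiation, then an attempted switch to another user. */
    const char *const rounds[] = { "", "MyTokenUser", "MyTokenUser", "other" };
    printf("lock any pointer:    0x%x\n", run_rounds(rounds, 4, false));
    printf("lock non-empty only: 0x%x\n", run_rounds(rounds, 4, true));
    return 0;
}
```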