On 27/06/18 23:56, Jonathan K. Bullard wrote:
> Hi.
>
> I'm hoping to implement challenge/response ("CR") in Tunnelblick (GUI
> for OpenVPN on macOS) and have some questions after reading the
> documentation [1];

I don't know all the details of the static and dynamic challenge implementation, but I've played a bit with it and know some of this protocol. We will also try to have some server side testing tools available for the CR protocol in the not too distant future. In the meantime, the OpenVPN Access Server is capable of this feature, and there is a test license in all downloads allowing two connections for free.

> 1. In Dynamic CR, does requiring a response mean that a non-empty
> response is required?

Yes.

> 2. In Dynamic CR, what is the purpose of _not_ requiring a response?
> Is it to display a message without a text input box and have the user
> only able to click "OK" or "Cancel" (and disconnect if the user clicks
> "Cancel")? Or should I display a text input box but allow the user to
> leave it empty (and send an empty "response" to the server?)

My understanding is that it is just used to provide information to the end user. However, I think this is designed to be flexible enough so the server can indicate in the challenge text whether a response is required or not. For example, this can be used to ask a user for ToS, where the user must type in a specific string to get the connection established.

Also beware that the user may receive more dynamic challenges to fully authenticate. But that would typically be a "loop" on the client side: whenever a challenge is received, tackle that.

But ... let's also be somewhat realistic in your implementation. To my knowledge, Access Server is the most commonly available implementation of dynamic challenges. So if you make things work against an Access Server, you can consider that a reasonable client implementation. If others discover other ways to use the CR protocol, let's tackle that when that occurs.

> 3. In Dynamic CR, what is the purpose of passing the username from the
> server to the client and then back to the server? For example, am I
> supposed to display the username along with the challenge?

The connection/session is torn down when the dynamic CR is sent. So this username is used by the server side to match an ongoing client authentication. The server implementation of the CR protocol can be implemented using a different and "unexpected" username to continue the authentication.

> 4. Are there any conventions about the "challenge" string? For
> example, should "\n" be interpreted as a newline?

Hmmm .... this is indeed not clear in the documentation. For now, I would expect the challenge to be a single line only and any control characters below 0x20 to result in unspecified behaviour.

> 5. Other than not being a great workflow, is there any problem with
> displaying the static CR in a separate dialog after the
> username/password have been entered?

For static CR, you gather everything before connecting. So this is entirely up to how you want the client side workflow to be.

Something we probably should do is to have a closer look at the possibilities this protocol allows and try to narrow it down to a clearer scope and ensure this is clear in the management-notes.txt. Like the \n and the use cases of dynamic CR without required response.

--
kind regards,

David Sommerseth
OpenVPN Inc
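A small client-side model of the dynamic CR points raised in the thread (the required-response flag, the username echoed back to the server, the single-line challenge, and the client-side loop), added here as an illustration and not code from the thread, from Tunnelblick or from OpenVPN. It assumes the CRV1 wire format described in OpenVPN's management-notes.txt (server: `AUTH_FAILED,CRV1:<flags>:<state_id>:<base64 username>:<challenge text>`; client: password `CRV1::<state_id>::<response>`); the function names, sample messages and state ids are constructed for the example.

```python
import base64

# Wire format assumed from OpenVPN's management-notes.txt (not quoted in the thread):
#   server -> client:  AUTH_FAILED,CRV1:<flags>:<state_id>:<base64 username>:<challenge text>
#   client -> server:  username = decoded username, password = CRV1::<state_id>::<response>
# <flags> is a comma-separated list: "R" = a non-empty response is required,
# "E" = echo the response as the user types it (otherwise mask it like a password).

def parse_dynamic_challenge(auth_failed_line):
    """Parse an AUTH_FAILED line; return a dict, or None if it carries no CRV1 challenge."""
    prefix = "AUTH_FAILED,CRV1:"
    if not auth_failed_line.startswith(prefix):
        return None  # plain AUTH_FAILED: bad credentials, nothing to show the user
    # maxsplit keeps any ':' inside the challenge text (e.g. a URL) intact
    parts = auth_failed_line[len(prefix):].split(":", 3)
    if len(parts) != 4:
        raise ValueError("malformed CRV1 challenge")
    flags, state_id, user_b64, text = parts
    # Control characters are unspecified per the thread: refuse rather than guess
    # how to render them, and never hand them to the UI as-is.
    if any(ord(c) < 0x20 for c in text):
        raise ValueError("challenge text contains control characters")
    flag_set = set(f for f in flags.split(",") if f)
    return {
        "state_id": state_id,
        # The server chooses this username to match the reply to the authentication
        # it already started; it need not equal what the user originally typed.
        "username": base64.b64decode(user_b64).decode("utf-8"),
        "challenge": text,
        "response_required": "R" in flag_set,
        "echo_response": "E" in flag_set,
    }

def build_reauth(challenge, response_text):
    """Return the (username, password) pair for the reconnect that answers the challenge."""
    if challenge["response_required"] and not response_text:
        raise ValueError("server requires a non-empty response")
    # The state id, carried in the password field, ties this reconnect to the earlier attempt.
    return challenge["username"], "CRV1::%s::%s" % (challenge["state_id"], response_text)

def run_challenge_loop(server_lines, user_answers):
    """The client-side loop from the thread: answer challenges until the server stops sending them."""
    sent, answers = [], iter(user_answers)
    for line in server_lines:
        ch = parse_dynamic_challenge(line)
        if ch is None:
            break
        sent.append(build_reauth(ch, next(answers, "")))
    return sent
```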
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users