Re: [Openvpn-devel] [PATCH 1/2] Send auth-fail messages to clients on renegotiation failures via auth-token or user-pass expiry

2020-08-24 Thread Arne Schwabe
On 25.08.20 at 01:51, Eric Thorpe wrote: > Hi Selva, > >> In multi_connection_established, we have >> >> #ifdef MANAGEMENT_DEF_AUTH >>     if (management) >>     { >>         management_connection_established(management, >>                                           &mi->context.c2.mda_context, >

[Openvpn-devel] [PATCH] Fix compilation with older mbed TLS versions (mbedtls_tls_prf_types undefined)

2020-08-24 Thread Arne Schwabe
The usage of the new keying material methods was not properly guarded. To avoid a number of ifdefs, this commit uses a dummy struct and function. When we eventually drop support for non-EKM mbed TLS versions, we can remove these. Signed-off-by: Arne Schwabe --- src/openvpn/ssl_mbedtls.c | 10 +

Re: [Openvpn-devel] [PATCH] Adds client-auth-pending-extra management functionality.

2020-08-24 Thread Eric Thorpe
Hi Arne, - to avoid the 256 byte management limit and multiple commands, maybe use the same approach as client-auth that allows a longer frame; you can still limit that to 1024. To be clear here, it isn't so much the limitation of the management or control channel, it's situations where a tun-mt

Re: [Openvpn-devel] [PATCH 1/2] Send auth-fail messages to clients on renegotiation failures via auth-token or user-pass expiry

2020-08-24 Thread Eric Thorpe
Hi Selva, In multi_connection_established, we have #ifdef MANAGEMENT_DEF_AUTH     if (management)     {         management_connection_established(management, &mi->context.c2.mda_context, mi->context.c2.es );     } #endif I do not see why this requires --management-client-

[Openvpn-devel] [PATCH] Add DNS SRV host discovery support

2020-08-24 Thread Vladislav Grishenko
DNS SRV (RFC 2782) support allows using several OpenVPN servers for a single domain without explicitly enumerating them in the profile, moving services from host to host with little fuss, and designating some hosts as primary servers for a service and others as backups. The OpenVPN client asks for a specific service/pr

Re: [Openvpn-devel] [PATCH applied] Re: Refactor key_state_export_keying_material functions

2020-08-24 Thread Gert Doering
Hi, this commit seems to require a more recent mbedTLS version - it fails on a number of my buildslaves with gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../include -I../../src/compat -DPLUGIN_LIBDIR=\"/usr/local/lib/openvpn/plugins\" -Wall -Wno-unused-parameter -Wno-unused-

Re: [Openvpn-devel] [PATCH] Adds client-auth-pending-extra management functionality.

2020-08-24 Thread Arne Schwabe
On 24.08.20 at 09:59, Eric Thorpe wrote: > Hi Arne, > > The main scenario this addresses is 2FA authentication which needs to > transmit very long responses such as those requiring keys. In these > cases, the responses can be upwards of 1500 bytes. Management is > restricted (currently) to 256 by

Re: [Openvpn-devel] [PATCH 1/2] Send auth-fail messages to clients on renegotiation failures via auth-token or user-pass expiry

2020-08-24 Thread Selva Nair
On Mon, Aug 24, 2020 at 3:49 AM Eric Thorpe wrote: > Hi Selva, > > my suggestion would be to make > this conditional on MANAGEMENT_DEF_AUTH so that we can > then get it from session->opt->mda_context just as we do it when > auth is done via the management. In practice, that would cover > most bu

Re: [Openvpn-devel] [PATCH] Adds client-auth-pending-extra management functionality.

2020-08-24 Thread Eric Thorpe
Hi Arne, The main scenario this addresses is 2FA authentication, which needs to transmit very long responses such as those requiring keys. In these cases, the responses can be upwards of 1500 bytes. Management is restricted (currently) to 256 bytes and the control channel I believe to 1024, ho

Re: [Openvpn-devel] [PATCH 1/2] Send auth-fail messages to clients on renegotiation failures via auth-token or user-pass expiry

2020-08-24 Thread Eric Thorpe
Hi Selva, my suggestion would be to make this conditional on MANAGEMENT_DEF_AUTH so that we can then get it from session->opt->mda_context just as we do it when auth is done via the management. In practice, that would cover most builds where this is really useful. Unfortunately this doesn't hel