author | Arne Schwabe | 2021-07-19 15:31:32 +0200 |
---|---|---|
committer | Gert Doering | 2021-07-28 12:17:13 +0200 |
commit | d75e0736b4a0501a2c038ecb55730bf4f482b990 (patch) | |
tree | 4d46086c718e251fc58c68374a25580e87a0fc54 /doc/man-sections | |
parent | a11bea18b1c93b260352ec505db15be0ec9431ee (diff) | |
download | openvpn-d75e0736b4a0501a2c038ecb55730bf4f482b990.zip openvpn-d75e0736b4a0501a2c038ecb55730bf4f482b990.tar.gz |
Cleanup handling of initial auth token

This changes that auth_token_initial is set when the token is
initially generated instead of when pushing the token. Even I do not
know anymore why I did it in this way in the first place. Also use
multi->auth_token_initial as source for the session ID since it should
now always be available. Also set auth_token_initial directly to
up->password once we verified that we have gotten a valid token from
a client. This cleans up the logic in generating the environment and
makes the code flow clearer.

Since the change makes auth_token_initial always available we need to add
a check to only send a PUSH reply to update the token on renegotiations.
The old code relied on multi->auth_token not being set in this case.

This commit also removes the workaround for old OpenVPN clients. These
were only available as commercial OpenVPN Connect client and not in use
anymore.

Furthermore, introduce a check if the session ID has changed during a
session. Even though this is still a valid authentication, changing to
a different auth token mid-session is highly irregular and should never
occur naturally.

Patch V2: rebase.
Patch V3: fix formatting, clarifying commit message, remove initial
token workaround for old v3.
Patch v4: move sending the auth-token for renegotiations to a sane place
and trigger it when the TLS session reaches its fully authenticated
state.
Patch v5: Also move setting auth_token_initial from up->password to a more
logical place, general cleanups, add session id mismatch check
Patch v6: Rework some comments and general cleanup of small things
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210719133132.128783-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22645.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'doc/man-sections')
-rw-r--r-- | doc/man-sections/server-options.rst | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 7154733..f1d2ec3 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -35,7 +35,7 @@ fast hardware. SSL/TLS authentication must be used in this mode. token is reached or after not being renewed for more than 2 \* ``reneg-sec`` seconds. Clients will be sent renewed tokens on every TLS renogiation to keep the client's token updated. This is done to - invalidate a token if a client is disconnected for a sufficently long + invalidate a token if a client is disconnected for a sufficiently long time, while at the same time permitting much longer token lifetimes for active clients. @@ -46,7 +46,7 @@ fast hardware. SSL/TLS authentication must be used in this mode. When the :code:`external-auth` keyword is present the normal authentication method will always be called even if auth-token succeeds. Normally other authentications method are skipped if auth-token - verification suceeds or fails. + verification succeeds or fails. This option postpones this decision to the external authentication methods and checks the validity of the account and do other checks. |
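Review bot: the first hunk (the "sufficiently" fix at line 38 of server-options.rst) leaves a second misspelling standing in its own unchanged context: two lines above, "Clients will be sent renewed tokens on every TLS renogiation" should read "renegotiation". Since this is a spelling pass over the same paragraph, fold that correction into the same hunk rather than leaving it for another commit.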
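Review bot: the second hunk (the "succeeds" fix near line 49) is surrounded by context lines with grammar slips that the same cleanup should pick up: "Normally other authentications method are skipped" should read "Normally other authentication methods are skipped", and the trailing sentence "methods and checks the validity of the account and do other checks" mixes verb forms; "methods, which check the validity of the account and do other checks" reads cleanly and keeps the stated meaning.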