Hi,
Gert Doering wrote:
Hi,
On Tue, Sep 14, 2010 at 09:58:19AM +1200, Jason Haar wrote:
On 09/14/2010 08:52 AM, Brad Dameron wrote:
Also can there be reporting added for the server side to show what
version the client is connecting with?
I agree. I have previously asked for client version and OS to be
"pushed" during the initial phase so that the server can be decisions
based on it.
As far as I understand the code (check_incoming_control_channel_dowork()
in forward.c) this should be doable without breaking compatibility to
older servers - new control messages can be added, and a server that
does not understand them will just log a warning:
...
if (buf_string_match_head_str (&buf, "AUTH_FAILED"))
receive_auth_failed (c, &buf);
else if (buf_string_match_head_str (&buf, "PUSH_"))
incoming_push_message (c, &buf);
else if (buf_string_match_head_str (&buf, "RESTART"))
server_pushed_restart (c, &buf);
else
msg (D_PUSH_ERRORS, "WARNING: Received unknown control message: %s",
BSTR (&buf));
is the control message stage early enough? that means authentication has
been completed, and the client_connect script has been run (or am I
mistaken? please correct me if I am wrong). I could foresee that an
administrator wants to specify a different client_connect script
depending on the client version, or that an administrator wants to not
even allow access by older clients (e.g. at the tls-verify level)
JM2CW,
JJK
So...
- someone needs to specify the control message
- someone needs to implement sending it on the client side
- someone needs to think about the planned-usage on the server side
(present at management interface? put into environment for scripts/
plugins? if yes, structured environment variables or just one big
"lump" with whatever the client puts in there?)
- someone needs to implement parsing the control message on the server
side and distribute the resulting information to server-side config
structures and to plugins/scripts
- someone else needs to review and ACK.
I'm fairly busy with the IPv6 stuff (and with earning a living), so I won't
implement this, but I'm happy to help with it - bounce ideas around,
discuss in #openvpn-devel on irc.freenode.net, etc.
gert
------------------------------------------------------------------------