2017-09-11 16:45 GMT+05:00 Jan Just Keijser <janj...@nikhef.nl>:

> Hi,
>
> On 11/09/17 13:22, Илья Шипицин wrote:
>
>> Hello,
>>
>> Is someone actually using "tls-verify" in production?
>> We tried to implement an additional certificate check using tls-verify.
>>
>>
>> While it works in general, when it hits "exit 1", it looks like a
>> timeout from the client's point of view. It is not any good.
>>
>
> Do you mean that when a client is denied access (i.e. the tls-verify
> script exits 1 on the server) the client sees this as a timeout? That
> is "normal" behaviour, as the server does not tell the client *WHY* access
> is refused - it simply stops responding to a client that does not pass
> authentication/authorization. The client will not hear from the server, and
> will time out after a specified interval. This is actually the most secure
> way to do things, as a rogue client cannot DoS a server this way.
>

I'd say it depends.

We run a lot of openvpn-gui with real people sitting in front of them; from
their point of view it is "oh, it does not work! fix it!"
In our case the better UX is to deliver the proper reason to the client.

For someone else maybe the better UX is to keep silent.


While I think "exit 1" will not be the most common case (it is rather an
exception), we'd like to deliver a better UX to people.



>
> HTH,
>
> JJK
>
>
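A tls-verify script of the shape the thread discusses, added here as an example (it is not code from the thread or from the OpenVPN project). It assumes OpenVPN's documented calling convention (`script <depth> <X509 subject>`, exit 0 to accept, non-zero to reject), a constructed CN allowlist in `ALLOWED_CNS`, and logger(1) for server-side logging; since the rejected client only ever sees a timeout, the script records the denial reason where the admin can find it.

```shell
#!/bin/sh
# tls-verify hook: accept the peer only if its leaf-certificate CN is on an
# allowlist.  OpenVPN calls this once per certificate in the chain.

# Constructed sample allowlist, one CN per line (assumption: in production
# this would be read from a file such as /etc/openvpn/allowed-cns.txt).
ALLOWED_CNS=${ALLOWED_CNS:-"client1
client2"}

log_deny() {
  # The client is never told why it was refused, so the reason must be
  # visible server-side: always write to stderr, and to syslog when
  # logger(1) is available.
  printf 'openvpn-tls-verify DENY: %s\n' "$1" >&2
  command -v logger >/dev/null 2>&1 && \
    logger -t openvpn-tls-verify -- "DENY: $1" 2>/dev/null || true
}

extract_cn() {
  # Pulls the CN out of both subject formats OpenVPN has used:
  # "CN=client1, O=Example" (2.4+) and "/O=Example/CN=client1" (older).
  printf '%s\n' "$1" | sed -n 's/.*CN=\([^,/]*\).*/\1/p'
}

verify_peer() {
  depth=$1
  subject=$2
  # Only the leaf certificate (depth 0) is matched against the allowlist;
  # issuing CAs (depth > 0) were already validated against --ca by OpenVPN.
  if [ "$depth" -gt 0 ]; then
    return 0
  fi
  cn=$(extract_cn "$subject")
  if [ -z "$cn" ]; then
    log_deny "no CN in subject '$subject'"
    return 1
  fi
  if printf '%s\n' "$ALLOWED_CNS" | grep -Fxq -- "$cn"; then
    return 0
  fi
  log_deny "CN '$cn' (depth $depth) not in allowlist"
  return 1
}

# OpenVPN invokes the script with two arguments; with none (e.g. when
# sourced for testing) nothing runs.
if [ "$#" -ge 2 ]; then
  verify_peer "$1" "$2"
  exit $?
fi
```

Wire it in with `tls-verify /path/to/this-script.sh` and `script-security 2` on the server; the denial lines then appear in syslog under the tag `openvpn-tls-verify`.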