2017-09-11 16:54 GMT+05:00 Илья Шипицин <chipits...@gmail.com>:

>
>
> 2017-09-11 16:45 GMT+05:00 Jan Just Keijser <janj...@nikhef.nl>:
>
>> Hi,
>>
>> On 11/09/17 13:22, Илья Шипицин wrote:
>>
>>> Hello,
>>>
>>> is someone actually using "tls-verify" in production ?
>>> we tried to implement additional certificate check using tls-verify
>>>
>>>
>>> while it works in general, in case when it hits "exit 1", it looks like a
>>> timeout from the client's point of view. it is not any good
>>>
>>
>> do you mean that when a client is denied access (i.e. the tls-verify
>> script exits 1 on the server) that the client sees this as a timeout?  that
>> is "normal" behaviour, as the server does not tell the client *WHY* access
>> is refused - it simply stops responding to a client that does not pass
>> authentication/authorization. The client will not hear from the server, and
>> will time out after a specified interval.  This is actually the most secure
>> way to do things, as a rogue client cannot DoS a server this way.
>>
>
> I'd say it depends.
>
> we run a lot of openvpn-gui with real people sitting in front of them,
> from their point of view it's "oh, it does not work! fix it!"
> in our case better UX is to deliver the proper reason to the client
>
> for someone maybe the better UX is to keep silent
>


what is wrong with the timeout is the endless retry.
there's no way to pass authentication once it has failed, so why does the client
have to retry?


>
>
> while I think "exit 1" will not be the most common case (it is rather an
> exception), we'd like to deliver better UX to people
>
>
>
>>
>> HTH,
>>
>> JJK
>>
>>
>
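As an added example, not code from this thread or from the OpenVPN project: a `--tls-verify` script in POSIX sh that performs the kind of "additional certificate check" discussed above, denying with `exit 1` and logging the reason on the server so an administrator can distinguish a policy denial from a genuine timeout when a user reports "it does not work". OpenVPN's calling convention (two arguments: certificate depth and X.509 subject) is from the OpenVPN manual; the allowlist path, the `extract_cn` and `verify_peer` helpers, and the handling of both comma- and slash-separated subject formats are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): an OpenVPN --tls-verify script that
# enforces an allowlist of client common names and logs every verdict.
# OpenVPN invokes it as:  script <depth> <x509-subject>
# Exit 0 accepts the certificate at this depth, exit 1 rejects it.

# Assumption: one permitted CN per line; path is a constructed placeholder.
ALLOWLIST="${ALLOWLIST:-/etc/openvpn/allowed_cns.txt}"

# Log to syslog when available, otherwise to stderr (which OpenVPN captures).
log() {
    logger -t tls-verify -- "$*" 2>/dev/null || printf 'tls-verify: %s\n' "$*" >&2
}

# Extract the CN from a subject string. Accepts the comma-separated form
# ("C=US, O=Example, CN=alice") and the older slash form ("/C=US/O=Example/CN=alice").
extract_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^,/]*\).*/\1/p'
}

# verify_peer <depth> <subject> [allowlist-file]  -> returns 0 (accept) / 1 (deny)
# Only the leaf certificate (depth 0) is checked against the allowlist. CA and
# intermediate certificates are accepted here because OpenVPN has already
# validated the chain against --ca before this script runs.
verify_peer() {
    depth="$1"; subject="$2"; list="${3:-$ALLOWLIST}"

    if [ "$depth" -ne 0 ] 2>/dev/null; then
        return 0
    fi

    cn=$(extract_cn "$subject")
    if [ -z "$cn" ]; then
        log "deny: no CN found in subject '$subject'"
        return 1
    fi

    # Fail closed: an unreadable policy file must not turn into "allow everyone".
    if [ ! -r "$list" ]; then
        log "deny: allowlist '$list' is unreadable"
        return 1
    fi

    # Exact, whole-line, fixed-string match so "alice" does not match "alice2".
    if grep -qxF -- "$cn" "$list"; then
        log "accept: CN=$cn"
        return 0
    fi

    log "deny: CN=$cn is not in the allowlist"
    return 1
}

# Entry point when OpenVPN runs the script: the exit status is the verdict.
if [ "$#" -eq 2 ]; then
    verify_peer "$1" "$2"
    exit $?
fi
```

Wire it in with `tls-verify /path/to/this-script.sh` (plus `script-security 2`) in the server configuration. The server-side log line is the practical answer to the UX complaint in the thread: the client still sees a timeout, but the operator can immediately see which CN was refused and why.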
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
