Hi Gert,
On 07/11/21 14:55, Gert Doering wrote:
> Hi Community,
>
> OpenVPN supports HTTP proxies that require NTLM authentication,
> supporting NTLMv1 and NTLMv2 protocols.
>
> This is old code, which was written in the dark ages, is not currently
> unit/client tested, and uses DES which got deprecated in OpenSSL 3.0.0...
>
> That said, if people still *use* it, we are likely to keep it - otherwise
> it might just become lost :-)
>
> So - if you use HTTP proxy in OpenVPN, and that proxy authenticates
> against a Windows AD domain, and you use NTLMv1 or NTLMv2 authentication,
> please speak up and tell us about your use case!
It took me a while, but I finally have a working setup with a Samba
4.15 and a CentOS 7 webserver with mod_auth_ntlm_winbind; especially
the latter part is tricky/important, as that code is not supported on
newer platforms, it seems.
The good news is: openvpn 2.5.1 still works, both with NTLMv1 and
NTLMv2; I added two debug statements to ntlm.c and can clearly see:
NTLMv1:
2021-12-15 09:36:16 Info: generate NTLM response
2021-12-15 09:36:16 NTLM response: add security buffer
NTLMv2:
2021-12-15 09:35:44 Info: generate NTLMv2 response
2021-12-15 09:35:44 NTLMv2 response: add security buffer
Having said that, I think we can safely drop (at least) NTLMv1 support,
as it is pretty hard to set up a system to support that - easiest way is
to grab a legacy Windows server system (e.g. Windows Server 2003) but
nobody should run that anyways. Or put another way
"if your local proxy is running unsupported legacy code in an unsecure setup, then you will have to resort to openvpn 2.4.x"
or similar.
BTW, do you know who worked on the obfuscation/transport API stuff? Was
that David S?
cheers,
JJK / Jan Just Keijser