Re: FWD: [PATCH] (Fixed) Support for openvpn --auth option
Hello,

as promised, I'm back after the holidays, having done my
"self-assigned homework". ;-)

On Mon, Dec 22, 2008 at 12:27:59PM +0100, Robert Vogelgesang wrote:
> On Fri, Dec 19, 2008 at 06:15:24PM -0500, Dan Williams wrote:
> [...]
> > > > For minimal impact, I choose to implement the --auth option in the
> > > > same way as the --cipher option. Both the "new" --auth and the "old"
> > > > --cipher options share the following issues:
> > > >
> > > > o When a non-default value was saved and you want to switch back
> > > >   to "Default" later on, then this change does not get saved and
> > > >   the non-default value remains in the config.
> > > >
> > > >   As far as I understand the plugin code, this issue seems to be
> > > >   caused by NetworkManager or gconfd, not by the openvpn plugin
> > > >   (the hash returned by advanced_dialog_new_hash_from_dialog() does
> > > >   not contain the --auth/--cipher value when "Default" was chosen).
> > > >
> > > >   Is this a known issue? (bugzilla.gnome.org didn't show anything
> > > >   similar for NetworkManager)
> >
> > That should be handled in nm_gconf_set_stringhash_helper() in
> > src/gconf-helpers/gconf-helpers.c, where keys not in the hash table get
> > deleted from GConf. If the parameter is the default value, it shouldn't
> > show up in GConf at all, as you see by
> > advanced_dialog_new_hash_from_dialog() returning a hash table without
> > that key in the table. Could you check to see if the non-default value
> > key is correctly getting removed from GConf by the code in
> > nm_gconf_set_stringhash_helper()?
>
> I don't know what nm_gconf_set_stringhash_helper() does, but I checked
> the xml file written by gconfd in a subdirectory of the user's home.
> When setting "auth" or "cipher" to "Default" in the GUI, the previous
> value was not removed from that file.
>
> I will re-check after having upgraded my patch to the freshly
> released NetworkManager-openvpn-0.7.0-16.svn4326.fc9, which is first
> priority for me now, because after updating all the other
> NetworkManager rpms, my VPN connection does no longer work.

With NetworkManager-openvpn-0.7.0-16.svn4326.fc9 this issue is gone.

> > > > o Openvpn supports these options for both static and TLS modes.
> > > >   The openvpn plugin for NetworkManager carries the --cipher option
> > > >   (and with my patch, the --auth option, too) on the "Certificates
> > > >   (TLS)" tab of the "advanced" popup, which is only available when
> > > >   using TLS modes and not when using static keys.
> > > >
> > > >   The easiest fix would be to move the popup-menu(s) (GtkComboBox)
> > > >   for --cipher (and --auth) to the "General" tab. A little bit more
> > > >   work, but maybe better for future extensions: Introduce a new
> > > >   tab "Encryption" for these options. What do you think/prefer?
> >
> > How about we name it "Security" instead? I'd take a good look at a
> > patch that did that.
>
> OK, fine.

I've created a patch that does just this, and I'll post it in a few
minutes. In a third email I'll send a new version of my patch that
implements support for the openvpn --auth option.

Robert
___
NetworkManager-list mailing list
NetworkManager-list@gnome.org
http://mail.gnome.org/mailman/listinfo/networkmanager-list
Re: FWD: [PATCH] (Fixed) Support for openvpn --auth option
Hello,

On Fri, Dec 19, 2008 at 06:15:24PM -0500, Dan Williams wrote:
[...]
> (rant) Sensible solutions include a negotiation phase where the client
> and server agree on a set of parameters *during the process*. That way,
> users don't have to set this crap manually. Apparently, the OpenVPN
> developers aren't interested in making their software actually usable.
> The number of options is staggering, but worse than that, you have to
> know *exactly* how the server is set up to connect, otherwise you simply
> fail. That's not how you make usable software.

Yes, I hope that we do not have to support each and every openvpn
option in the GUI. But we should make sure that each option that _is_
supported in the GUI is also supported when importing openvpn config
files (which I did in my patch).

[...]
> > > For minimal impact, I choose to implement the --auth option in the
> > > same way as the --cipher option. Both the "new" --auth and the "old"
> > > --cipher options share the following issues:
> > >
> > > o When a non-default value was saved and you want to switch back
> > >   to "Default" later on, then this change does not get saved and
> > >   the non-default value remains in the config.
> > >
> > >   As far as I understand the plugin code, this issue seems to be
> > >   caused by NetworkManager or gconfd, not by the openvpn plugin
> > >   (the hash returned by advanced_dialog_new_hash_from_dialog() does
> > >   not contain the --auth/--cipher value when "Default" was chosen).
> > >
> > >   Is this a known issue? (bugzilla.gnome.org didn't show anything
> > >   similar for NetworkManager)
>
> That should be handled in nm_gconf_set_stringhash_helper() in
> src/gconf-helpers/gconf-helpers.c, where keys not in the hash table get
> deleted from GConf. If the parameter is the default value, it shouldn't
> show up in GConf at all, as you see by
> advanced_dialog_new_hash_from_dialog() returning a hash table without
> that key in the table. Could you check to see if the non-default value
> key is correctly getting removed from GConf by the code in
> nm_gconf_set_stringhash_helper()?

I don't know what nm_gconf_set_stringhash_helper() does, but I checked
the xml file written by gconfd in a subdirectory of the user's home.
When setting "auth" or "cipher" to "Default" in the GUI, the previous
value was not removed from that file.

I will re-check after having upgraded my patch to the freshly
released NetworkManager-openvpn-0.7.0-16.svn4326.fc9, which is first
priority for me now, because after updating all the other
NetworkManager rpms, my VPN connection does no longer work.

> > > o Openvpn supports these options for both static and TLS modes.
> > >   The openvpn plugin for NetworkManager carries the --cipher option
> > >   (and with my patch, the --auth option, too) on the "Certificates
> > >   (TLS)" tab of the "advanced" popup, which is only available when
> > >   using TLS modes and not when using static keys.
> > >
> > >   The easiest fix would be to move the popup-menu(s) (GtkComboBox)
> > >   for --cipher (and --auth) to the "General" tab. A little bit more
> > >   work, but maybe better for future extensions: Introduce a new
> > >   tab "Encryption" for these options. What do you think/prefer?
>
> How about we name it "Security" instead? I'd take a good look at a
> patch that did that.

OK, fine.

> > > I'm willing to fix the second issue and to do some more research on the
> > > first one if there is a real chance that support for the --auth option
> > > of openvpn gets accepted into the NetworkManager distribution. ;-)
>
> Yeah, that would be great if you could. Thanks!
>
> Dan

As stated above, the next step for me is to get my VPN working again,
with Fedora 9 and all current updates. I'll post the new patch as
soon as possible, but it may take a week or so, because I will be
"offline" during the holidays and possibly the next weekend, too.

I see that the latest updates for Fedora 9 and Fedora 10 both have
the same version of NetworkManager, so I think that developing with
Fedora 9 is good enough. Or is there any NetworkManager-related
reason to upgrade first? (i. e. to Fedora 10)

Robert
Re: FWD: [PATCH] (Fixed) Support for openvpn --auth option
On Mon, 2008-11-24 at 22:31 +0100, Robert Vogelgesang wrote:
> Hello,
>
> two weeks ago I posted the attached message to this list.
> Since then, I received not a single response. Does really
> nobody care? Nobody interested in further development of
> the openvpn plugin?

No, just tons of stuff to do :) Sorry... see below.

> Robert
>
> email message attachment
> > Forwarded Message
> > From: Robert Vogelgesang
> > To: networkmanager-list@gnome.org
> > Subject: [PATCH] (Fixed) Support for openvpn --auth option
> > Date: Mon, 10 Nov 2008 00:18:39 +0100
> >
> > Hello everybody,
> >
> > please find attached the second (and fixed) version of my patch to add
> > support for the --auth option of openvpn to the NetworkManager-openvpn
> > plugin. The patch is against NetworkManager-openvpn-0.7.0-16.svn4027
> > (Fedora 9).

(rant) Sensible solutions include a negotiation phase where the client
and server agree on a set of parameters *during the process*. That way,
users don't have to set this crap manually. Apparently, the OpenVPN
developers aren't interested in making their software actually usable.
The number of options is staggering, but worse than that, you have to
know *exactly* how the server is set up to connect, otherwise you simply
fail. That's not how you make usable software.

> > My work was triggered by the fact that I tried (and failed) to get a
> > "SSL VPN" connection to an Astaro firewall, using Fedora 9. The logs
> > showed that Astaro used MD5 HMAC authentication, whereas my Fedora 9
> > system used SHA1 (the default). So I started hacking...
> >
> > The attached patch is sufficient to get a working "SSL VPN" connection
> > to an Astaro firewall.
> >
> > For minimal impact, I choose to implement the --auth option in the
> > same way as the --cipher option. Both the "new" --auth and the "old"
> > --cipher options share the following issues:
> >
> > o When a non-default value was saved and you want to switch back
> >   to "Default" later on, then this change does not get saved and
> >   the non-default value remains in the config.
> >
> >   As far as I understand the plugin code, this issue seems to be
> >   caused by NetworkManager or gconfd, not by the openvpn plugin
> >   (the hash returned by advanced_dialog_new_hash_from_dialog() does
> >   not contain the --auth/--cipher value when "Default" was chosen).
> >
> >   Is this a known issue? (bugzilla.gnome.org didn't show anything
> >   similar for NetworkManager)

That should be handled in nm_gconf_set_stringhash_helper() in
src/gconf-helpers/gconf-helpers.c, where keys not in the hash table get
deleted from GConf. If the parameter is the default value, it shouldn't
show up in GConf at all, as you see by
advanced_dialog_new_hash_from_dialog() returning a hash table without
that key in the table. Could you check to see if the non-default value
key is correctly getting removed from GConf by the code in
nm_gconf_set_stringhash_helper()?

> > o Openvpn supports these options for both static and TLS modes.
> >   The openvpn plugin for NetworkManager carries the --cipher option
> >   (and with my patch, the --auth option, too) on the "Certificates
> >   (TLS)" tab of the "advanced" popup, which is only available when
> >   using TLS modes and not when using static keys.
> >
> >   The easiest fix would be to move the popup-menu(s) (GtkComboBox)
> >   for --cipher (and --auth) to the "General" tab. A little bit more
> >   work, but maybe better for future extensions: Introduce a new
> >   tab "Encryption" for these options. What do you think/prefer?

How about we name it "Security" instead? I'd take a good look at a
patch that did that.

> >
> > I'm willing to fix the second issue and to do some more research on the
> > first one if there is a real chance that support for the --auth option
> > of openvpn gets accepted into the NetworkManager distribution. ;-)

Yeah, that would be great if you could. Thanks!

Dan
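The failure described in this thread (server using MD5 HMAC, client left on the SHA1 default) can be caught before connecting by comparing both configs. This is an added example, not part of the thread or of the NetworkManager-openvpn plugin; the function names, the sample configs and the BF-CBC cipher default are assumptions.

```python
import shlex

# Settings both peers must configure identically, since (as the thread
# notes) they are set by hand. The "auth" default SHA1 is stated in the
# thread; the "cipher" default BF-CBC is an assumption for that era.
DEFAULTS = {"auth": "SHA1", "cipher": "BF-CBC"}
# Values worth a second look: "none" turns packet authentication off,
# MD5 is a legacy digest.
QUESTIONABLE_AUTH = {"NONE", "MD5"}


def parse_settings(text):
    """Return the effective auth/cipher values of one OpenVPN config."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":           # blank or comment line
            continue
        words = shlex.split(line, comments=True)  # drops trailing "# ..."
        if len(words) < 2:
            continue
        name = words[0].lstrip("-").lower()       # accept "--auth" too
        if name in settings:
            # Assumption: "md5" and "MD5" name the same algorithm.
            settings[name] = words[1].upper()
    return settings


def compare(client_text, server_text):
    """List (directive, client_value, server_value) for each mismatch."""
    client = parse_settings(client_text)
    server = parse_settings(server_text)
    return [(k, client[k], server[k])
            for k in sorted(DEFAULTS) if client[k] != server[k]]


def questionable_auth(text):
    """Return the auth value if it is in QUESTIONABLE_AUTH, else None."""
    value = parse_settings(text)["auth"]
    return value if value in QUESTIONABLE_AUTH else None


# Constructed sample configs (not taken from the thread).
CLIENT = """\
dev tun
remote vpn.example.org 1194
cipher AES-128-CBC
"""
SERVER = """\
; server side as described in the thread: MD5 HMAC
cipher aes-128-cbc
auth MD5   # client has no auth line, so it uses SHA1
"""
MISMATCHES = compare(CLIENT, SERVER)  # [("auth", "SHA1", "MD5")]
```

An empty result from `compare()` means the two sides agree on both settings; `questionable_auth()` is a separate check on whether the agreed value is one to revisit.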
Re: FWD: [PATCH] (Fixed) Support for openvpn --auth option
Hello,

On Mon, Nov 24, 2008 at 11:31:35PM +0100, Alexander Sack wrote:
> On Mon, Nov 24, 2008 at 10:31:13PM +0100, Robert Vogelgesang wrote:
> > Hello,
> >
> > two weeks ago I posted the attached message to this list.
> > Since then, I received not a single response. Does really
> > nobody care? Nobody interested in further development of
> > the openvpn plugin?
>
> Openvpn improvements and new features are definitely much appreciated
> ... it's just that NM 0.7 is supposed to be released any day and hence
> the tree is pretty much locked down.

now that NM 0.7 was released some weeks ago, I still did not receive
any feedback regarding my patch and the general issues I found in the
openvpn plugin during development of my patch. Please see my email of
10-Nov-2008 to this list.

During the upcoming holiday season, I'll update my notebook to Fedora
10, and after that and if time permits, I might update my "--auth
option patch" for the NM version of Fedora 10. I don't really need
VPNs on my notebook, but this will be the first of my machines that
will get Fedora 10.

Is anybody interested in an updated patch, or should I better spend
my time doing other things?

Robert
Re: FWD: [PATCH] (Fixed) Support for openvpn --auth option
On Mon, Nov 24, 2008 at 10:31:13PM +0100, Robert Vogelgesang wrote:
> Hello,
>
> two weeks ago I posted the attached message to this list.
> Since then, I received not a single response. Does really
> nobody care? Nobody interested in further development of
> the openvpn plugin?

Openvpn improvements and new features are definitely much appreciated
... it's just that NM 0.7 is supposed to be released any day and hence
the tree is pretty much locked down.

- Alexander
FWD: [PATCH] (Fixed) Support for openvpn --auth option
Hello,

two weeks ago I posted the attached message to this list.
Since then, I received not a single response. Does really
nobody care? Nobody interested in further development of
the openvpn plugin?

Robert

--- Begin Message ---
Hello everybody,

please find attached the second (and fixed) version of my patch to add
support for the --auth option of openvpn to the NetworkManager-openvpn
plugin. The patch is against NetworkManager-openvpn-0.7.0-16.svn4027
(Fedora 9).

My work was triggered by the fact that I tried (and failed) to get a
"SSL VPN" connection to an Astaro firewall, using Fedora 9. The logs
showed that Astaro used MD5 HMAC authentication, whereas my Fedora 9
system used SHA1 (the default). So I started hacking...

The attached patch is sufficient to get a working "SSL VPN" connection
to an Astaro firewall.

For minimal impact, I choose to implement the --auth option in the
same way as the --cipher option. Both the "new" --auth and the "old"
--cipher options share the following issues:

o When a non-default value was saved and you want to switch back
  to "Default" later on, then this change does not get saved and
  the non-default value remains in the config.

  As far as I understand the plugin code, this issue seems to be
  caused by NetworkManager or gconfd, not by the openvpn plugin
  (the hash returned by advanced_dialog_new_hash_from_dialog() does
  not contain the --auth/--cipher value when "Default" was chosen).

  Is this a known issue? (bugzilla.gnome.org didn't show anything
  similar for NetworkManager)

o Openvpn supports these options for both static and TLS modes.
  The openvpn plugin for NetworkManager carries the --cipher option
  (and with my patch, the --auth option, too) on the "Certificates
  (TLS)" tab of the "advanced" popup, which is only available when
  using TLS modes and not when using static keys.

  The easiest fix would be to move the popup-menu(s) (GtkComboBox)
  for --cipher (and --auth) to the "General" tab.
A little bit more work, but maybe better for future extensions: Introduce a new tab "Encryption" for these options. What do you think/prefer? I'm willing to fix the second issue and to do some more research on the first one if there is a real chance that support for the --auth option of openvpn gets accepted into the NetworkManager distribution. ;-) Robert diff -u NetworkManager-openvpn-0.7.0/properties/auth-helpers.c.hmacauth NetworkManager-openvpn-0.7.0/properties/auth-helpers.c --- NetworkManager-openvpn-0.7.0/properties/auth-helpers.c.hmacauth 2008-08-29 15:30:50.0 +0200 +++ NetworkManager-openvpn-0.7.0/properties/auth-helpers.c 2008-11-09 21:35:56.0 +0100 @@ -585,6 +585,7 @@ NM_OPENVPN_KEY_TAP_DEV, NM_OPENVPN_KEY_PROTO_TCP, NM_OPENVPN_KEY_CIPHER, + NM_OPENVPN_KEY_AUTH, NM_OPENVPN_KEY_TA_DIR, NM_OPENVPN_KEY_TA, NULL 
@@ -734,6 +735,50 @@ g_strfreev (items); } +#define HMACAUTH_COL_NAME 0 +#define HMACAUTH_COL_DEFAULT 1 + +static void +populate_hmacauth_combo (GtkComboBox *box, const char *hmacauth) +{ + GtkListStore *store; + GtkTreeIter iter; + gboolean active_initialized = FALSE; + gchar **item; + gchar *items[] = { + NM_OPENVPN_AUTH_NONE, + NM_OPENVPN_AUTH_MD5, + NM_OPENVPN_AUTH_SHA1, + NULL + }; + + store = gtk_list_store_new (2, G_TYPE_STRING, G_TYPE_BOOLEAN); + gtk_combo_box_set_model (box, GTK_TREE_MODEL (store)); + + /* Add default option which won't pass --auth to openvpn */ + gtk_list_store_append (store, &iter); + gtk_list_store_set (store, &iter, + HMACAUTH_COL_NAME, _("Default"), + HMACAUTH_COL_DEFAULT, TRUE, -1); + + /* Add options */ + for (item = items; *item; item++) { + gtk_list_store_append (store, &iter); + gtk_list_store_set (store, &iter, + HMACAUTH_COL_NAME, *item, + HMACAUTH_COL_DEFAULT, FALSE, -1); + if (hmacauth && !strcmp (*item, hmacauth)) { + gtk_combo_box_set_active_iter (box, &iter); + active_initialized = TRUE; + } + } + + if (!active_initialized) + gtk_combo_box_set_active (box, 0); + + g_object_unref (store); +} + static void tls_auth_toggled_cb (GtkWidget *widget, gpointer user_data) { @@ -840,6 +885,10 @@ value = g_hash_table_lookup (hash, NM_OPENVPN_KEY_CIPHER); populate_cipher_combo (GTK_COMBO_BOX (widget), value); + widget = glade_xml_get_widget (xml, "hmacauth_combo"); + value = g_hash_table_lookup (hash, NM_OPENVPN_KEY_AUTH); +
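Review bot: In populate_hmacauth_combo(), a non-NULL hmacauth that matches none of the three entries in items[] falls through to `if (!active_initialized) gtk_combo_box_set_active (box, 0);` and is displayed as "Default". A connection whose stored or imported --auth value is anything other than NM_OPENVPN_AUTH_NONE, NM_OPENVPN_AUTH_MD5 or NM_OPENVPN_AUTH_SHA1 would then look as if no --auth were configured, and because the cover mail says the Default row is left out of the hash returned by advanced_dialog_new_hash_from_dialog(), applying the dialog could discard that value without the user noticing. Suggest appending an unrecognised hmacauth as its own row and selecting it, or at least emitting a warning before falling back to row 0. Two smaller points in the same hunk: items[] is never modified, so it could be `static const char *items[]` with `item` declared to match, and NM_OPENVPN_AUTH_NONE, which by its name disables HMAC authentication, is listed as an ordinary choice ahead of the digests, so a translated label or tooltip saying what that entry does would help users avoid picking it by accident.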