Re: [Openvpn-devel] Question about TCP forking server

2004-03-04 Thread James Yonan
Juan Rodriguez Hervella  said:

> Hello,
> 
> I've just realized that openVPN-1.6rc1 only supports 
> "inetd nowait" for the TLS case.
> 
> I understand that it is not possible to have "nowait" behaviour
> for multiple clients with different secrets, but it would still be possible
> to have "nowait" functionality + a single secret. Every client would
> have the same secret key, which is not a good way of having security,
> but anyway... this could be a warning instead of the current message:
> "nowait functionality is only allowed for TLS". 

That's a good point, though I would argue that (a) static key sharing across
different tunnels isn't such a good idea and (b) it's easy to patch if you
don't care about the security implications.

> Even if you don't want cryptography at all, the forking server is
> an interesting feature that should be left available, imho.

2.0 will have a better arsenal of multi-client server capabilities, and for
now I'm not too keen on supporting --inetd nowait aside from the special case
that it was designed for, which is TLS security over a tap interface.

James
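The restriction both messages turn on (inetd "nowait" forks one OpenVPN instance per incoming TCP connection, so with a static --secret every forked instance would have to accept the same shared key, which is why the daemon only allows nowait with TLS) can be expressed as a configuration lint. The following is an added example written for this thread, not OpenVPN's own code: it parses config-file style directives and flags an `inetd nowait` config that relies on a single static `secret` instead of `tls-server`, and warns when the device is not a tap interface, as James describes the intended case. The directive names (`inetd`, `secret`, `tls-server`, `dev`) are real OpenVPN directives; the sample configs, the "last occurrence wins" parsing rule and the severity labels are constructed for the demonstration.

```python
"""Lint pass reproducing the 'nowait functionality is only allowed for TLS'
rule discussed on the openvpn-devel thread. Added example, not OpenVPN code."""

from __future__ import annotations

# Constructed sample configs (not taken from the thread).
STATIC_NOWAIT_CFG = """
# one static key shared by every forked instance
dev tap0
inetd nowait
secret static.key   ; single pre-shared key
"""

TLS_NOWAIT_CFG = """
dev tap0
inetd nowait
tls-server
ca ca.crt
cert server.crt
key server.key
"""

TLS_TUN_NOWAIT_CFG = """
dev tun0
inetd nowait
tls-server
ca ca.crt
cert server.crt
key server.key
"""


def parse_config(text: str) -> dict[str, list[str]]:
    """Parse OpenVPN config-file directives into {name: [args]}.

    '#' and ';' start comments, blank lines are skipped, and a leading
    '--' (command-line style) is tolerated.  A directive given twice keeps
    its last occurrence; that choice is an assumption of this example.
    """
    directives: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives[name.lstrip("-")] = args
    return directives


def check_inetd_nowait(directives: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Return (severity, message) findings; an empty list means the rule passes."""
    findings: list[tuple[str, str]] = []
    inetd = directives.get("inetd")
    if inetd is None or "nowait" not in inetd:
        return findings  # 'inetd wait' or no inetd at all: the rule does not apply

    if "tls-server" not in directives:
        if "secret" in directives:
            findings.append((
                "error",
                "inetd nowait with a static --secret: every forked instance "
                "would accept the same shared key; nowait functionality is "
                "only allowed for TLS",
            ))
        else:
            findings.append((
                "error",
                "inetd nowait without --tls-server: nowait functionality is "
                "only allowed for TLS",
            ))

    # James describes nowait as designed for TLS over a tap interface;
    # anything else is reported as a warning here (severity is an assumption).
    dev = directives.get("dev", [""])[0]
    if not dev.startswith("tap"):
        findings.append((
            "warning",
            "inetd nowait was designed for TLS over a tap interface; dev is %r" % dev,
        ))
    return findings


def lint(text: str) -> list[tuple[str, str]]:
    """Convenience wrapper: parse then check one config text."""
    return check_inetd_nowait(parse_config(text))


if __name__ == "__main__":
    for label, cfg in (("static", STATIC_NOWAIT_CFG),
                       ("tls/tap", TLS_NOWAIT_CFG),
                       ("tls/tun", TLS_TUN_NOWAIT_CFG)):
        print(label, lint(cfg) or "ok")
```

The check deliberately treats the missing-TLS case as an error rather than the warning Juan proposes, matching the current daemon behaviour quoted in the thread; downgrading it to a warning is a one-line change in `check_inetd_nowait`.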




[Openvpn-devel] Question about TCP forking server

2004-03-04 Thread Juan Rodriguez Hervella
Hello,

I've just realized that openVPN-1.6rc1 only supports 
"inetd nowait" for the TLS case.

I understand that it is not possible to have "nowait" behaviour
for multiple clients with different secrets, but it would still be possible
to have "nowait" functionality + a single secret. Every client would
have the same secret key, which is not a good way of having security,
but anyway... this could be a warning instead of the current message:
"nowait functionality is only allowed for TLS".

Even if you don't want cryptography at all, the forking server is
an interesting feature that should be left available, imho.

PS: I'm having problems subscribing to the list, so please CC me
off-list. Thank you!

-- 
**
JFRH
**