Re: [Openvpn-devel] Enhancements.

2010-09-14 Thread David Sommerseth

On 14/09/10 13:37, Gert Doering wrote:
> Hi,
> 
> On Tue, Sep 14, 2010 at 11:10:28AM +0200, Jan Just Keijser wrote:
>>>  if (buf_string_match_head_str (&buf, "AUTH_FAILED"))
>>>    receive_auth_failed (c, &buf);
>>>  else if (buf_string_match_head_str (&buf, "PUSH_"))
>>>    incoming_push_message (c, &buf);
>>>  else if (buf_string_match_head_str (&buf, "RESTART"))
>>>    server_pushed_restart (c, &buf);
>>>  else
>>>    msg (D_PUSH_ERRORS, "WARNING: Received unknown control message: %s",
>>>         BSTR (&buf));
>>
>> is the control message stage early enough? that means authentication has 
>> been completed, and the client_connect script has been run (or am I 
>> mistaken? 
> 
> I'm not absolutely sure at what time these messages can be sent.  But
> most likely you're right, you want this before running client-connect.
> 
> Someone around who fully understands the session flow...?
> 

Taken completely from memory, the PUSH_REQ phase comes in _after_ the
authentication process.  But, I also believe it comes after the
OPENVPN_PLUGIN_CLIENT_CONNECT phase, as that plug-in hook can push
config settings to the client dynamically.  And if the
OPENVPN_PLUGIN_CLIENT_CONNECT hook sends a rejection, the connection is
dropped.

Unless somebody else chimes in before I've been able to double check it,
I'll do some more checks here.


kind regards,

David Sommerseth



Re: [Openvpn-devel] Enhancements.

2010-09-14 Thread Gert Doering
Hi,

On Tue, Sep 14, 2010 at 11:10:28AM +0200, Jan Just Keijser wrote:
> >  if (buf_string_match_head_str (&buf, "AUTH_FAILED"))
> >    receive_auth_failed (c, &buf);
> >  else if (buf_string_match_head_str (&buf, "PUSH_"))
> >    incoming_push_message (c, &buf);
> >  else if (buf_string_match_head_str (&buf, "RESTART"))
> >    server_pushed_restart (c, &buf);
> >  else
> >    msg (D_PUSH_ERRORS, "WARNING: Received unknown control message: %s",
> >         BSTR (&buf));
>
> is the control message stage early enough? that means authentication has 
> been completed, and the client_connect script has been run (or am I 
> mistaken? 

I'm not absolutely sure at what time these messages can be sent.  But
most likely you're right, you want this before running client-connect.

Someone around who fully understands the session flow...?

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025   g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] Enhancements.

2010-09-14 Thread Jan Just Keijser

Hi,

Gert Doering wrote:
> Hi,
> 
> On Tue, Sep 14, 2010 at 09:58:19AM +1200, Jason Haar wrote:
>> On 09/14/2010 08:52 AM, Brad Dameron wrote:
>>> Also can there be reporting added for the server side to show what
>>> version the client is connecting with?
>>
>> I agree. I have previously asked for client version and OS to be
>> "pushed" during the initial phase so that the server can make decisions
>> based on it.
> 
> As far as I understand the code (check_incoming_control_channel_dowork()
> in forward.c) this should be doable without breaking compatibility to
> older servers - new control messages can be added, and a server that
> does not understand them will just log a warning:
> 
> ...
>   if (buf_string_match_head_str (&buf, "AUTH_FAILED"))
>     receive_auth_failed (c, &buf);
>   else if (buf_string_match_head_str (&buf, "PUSH_"))
>     incoming_push_message (c, &buf);
>   else if (buf_string_match_head_str (&buf, "RESTART"))
>     server_pushed_restart (c, &buf);
>   else
>     msg (D_PUSH_ERRORS, "WARNING: Received unknown control message: %s",
>          BSTR (&buf));

is the control message stage early enough? that means authentication has
been completed, and the client_connect script has been run (or am I
mistaken? please correct me if I am wrong). I could foresee that an
administrator wants to specify a different client_connect script
depending on the client version, or that an administrator wants to not
even allow access by older clients (e.g. at the tls-verify level)

JM2CW,

JJK

> So...
> 
>  - someone needs to specify the control message
> 
>  - someone needs to implement sending it on the client side
> 
>  - someone needs to think about the planned-usage on the server side
>    (present at management interface? put into environment for scripts/
>    plugins?  if yes, structured environment variables or just one big
>    "lump" with whatever the client puts in there?)
> 
>  - someone needs to implement parsing the control message on the server
>    side and distribute the resulting information to server-side config
>    structures and to plugins/scripts
> 
>  - someone else needs to review and ACK.
> 
> 
> I'm fairly busy with the IPv6 stuff (and with earning a living), so I won't
> implement this, but I'm happy to help with it - bounce ideas around,
> discuss in #openvpn-devel on irc.freenode.net, etc.
> 
> gert



Re: [Openvpn-devel] Enhancements.

2010-09-14 Thread Gert Doering
Hi,

On Tue, Sep 14, 2010 at 09:58:19AM +1200, Jason Haar wrote:
>  On 09/14/2010 08:52 AM, Brad Dameron wrote:
> > Also can there be reporting added for the server side to show what
> > version the client is connecting with?
>
> I agree. I have previously asked for client version and OS to be
> "pushed" during the initial phase so that the server can make decisions
> based on it. 

As far as I understand the code (check_incoming_control_channel_dowork()
in forward.c) this should be doable without breaking compatibility to
older servers - new control messages can be added, and a server that
does not understand them will just log a warning:

...
  if (buf_string_match_head_str (&buf, "AUTH_FAILED"))
    receive_auth_failed (c, &buf);
  else if (buf_string_match_head_str (&buf, "PUSH_"))
    incoming_push_message (c, &buf);
  else if (buf_string_match_head_str (&buf, "RESTART"))
    server_pushed_restart (c, &buf);
  else
    msg (D_PUSH_ERRORS, "WARNING: Received unknown control message: %s",
         BSTR (&buf));


So...

 - someone needs to specify the control message

 - someone needs to implement sending it on the client side

 - someone needs to think about the planned-usage on the server side
   (present at management interface? put into environment for scripts/
   plugins?  if yes, structured environment variables or just one big
   "lump" with whatever the client puts in there?)

 - someone needs to implement parsing the control message on the server
   side and distribute the resulting information to server-side config
   structures and to plugins/scripts

 - someone else needs to review and ACK.


I'm fairly busy with the IPv6 stuff (and with earning a living), so I won't
implement this, but I'm happy to help with it - bounce ideas around, 
discuss in #openvpn-devel on irc.freenode.net, etc.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025   g...@net.informatik.tu-muenchen.de


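The dispatch structure Gert quotes from forward.c, extended with the kind of client-version message this thread is asking for, as an added example in C (not OpenVPN code): match_head_str stands in for buf_string_match_head_str, and CLIENT_INFO, dispatch_control_msg, the KEY=value alphabet and the sample messages are all constructed here. It shows the server-side parsing step from Gert's list, with the "one big lump" replaced by validated pairs before anything is handed to scripts or plug-ins.

```c
/* Added example, not OpenVPN code: a server-side dispatcher in the style of
 * check_incoming_control_channel_dowork(), extended with a hypothetical
 * CLIENT_INFO message whose untrusted "KEY=value" payload is validated
 * before it reaches script/plug-in environment variables. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum ctrl_kind { CTRL_AUTH_FAILED, CTRL_PUSH, CTRL_RESTART, CTRL_CLIENT_INFO, CTRL_REJECTED, CTRL_UNKNOWN };

/* Stand-in for buf_string_match_head_str(): does msg begin with prefix? */
static int match_head_str(const char *msg, const char *prefix)
{ return strncmp(msg, prefix, strlen(prefix)) == 0; }

/* KEY in [A-Za-z0-9_], value from a small safe alphabet: no newlines or shell metacharacters. */
static int valid_kv(const char *tok, size_t len)
{
    const char *eq = memchr(tok, '=', len);
    if (!eq || eq == tok) return 0;
    for (const char *p = tok; p < eq; p++)
        if (!isalnum((unsigned char)*p) && *p != '_') return 0;
    for (const char *p = eq + 1; p < tok + len; p++)
        if (!isalnum((unsigned char)*p) && !strchr("._-/", *p)) return 0;
    return 1;
}

/* Dispatch like forward.c; CLIENT_INFO pairs are copied into env one per
 * line, or the whole message is rejected at the first bad token. */
enum ctrl_kind dispatch_control_msg(const char *msg, char *env, size_t envlen)
{
    if (match_head_str(msg, "AUTH_FAILED")) return CTRL_AUTH_FAILED;
    if (match_head_str(msg, "PUSH_"))       return CTRL_PUSH;
    if (match_head_str(msg, "RESTART"))     return CTRL_RESTART;
    if (match_head_str(msg, "CLIENT_INFO ")) {
        const char *p = msg + strlen("CLIENT_INFO ");
        size_t used = 0; env[0] = '\0';
        while (*p) {
            const char *end = strchr(p, ' ');
            size_t len = end ? (size_t)(end - p) : strlen(p);
            if (len == 0 || len > 64 || !valid_kv(p, len)) return CTRL_REJECTED;
            if (used + len + 2 > envlen) return CTRL_REJECTED; /* room for "\n\0" */
            memcpy(env + used, p, len); used += len;
            env[used++] = '\n'; env[used] = '\0';
            p = end ? end + 1 : p + len;
        }
        return CTRL_CLIENT_INFO;
    }
    fprintf(stderr, "WARNING: Received unknown control message: %s\n", msg);
    return CTRL_UNKNOWN;
}
```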