Re: [Openvpn-devel] openvpn, NTLM and McAfee Web Gateway

2010-10-15 Thread openvpn
> Hi,
> 
> I read your blog post, interesting stuff. The strings the client sends
> seem to be base64 encoded and the first part on both messages look like
> this (in nano/vi):
> 
> NTLMSSP
> 
> It's followed by this, which is apparently the message type hex string:
> 
> ^@^A^@^@^@
> 
> After this they differ noticeably. I'd guess they are just sending
> different NTLM flags:
> 
> 
> 
> Can somebody more fluent in NTLM protocol decipher these two messages?
> 
> -- 
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
> 
> irc freenode net: mattock
> 
  
Firefox uses the following flags:
 
#define NTLM_TYPE1_FLAGS  \
(NTLM_NegotiateUnicode |\
NTLM_NegotiateOEM |\
NTLM_RequestTarget |   \
NTLM_NegotiateNTLMKey |\
NTLM_NegotiateAlwaysSign | \
NTLM_NegotiateNTLM2Key)

 
Take a look here for more information:
 
http://hg.mozilla.org/releases/mozilla-1.9.2/file/d1c0b2c4ac7a/security/manager/ssl/src/nsNTLMAuthModule.cpp

I hope that may help.
 
vittorio


[Openvpn-devel] Summary of the IRC meeting (14th Oct 2010)

2010-10-15 Thread Samuli Seppänen
Hi,

Here's the summary of the previous community meeting.

---

COMMUNITY MEETING

Place: #openvpn-devel on irc.freenode.net
List-Post: openvpn-devel@lists.sourceforge.net
Date: Thursday, 14th Oct 2010
Time: 18:00 UTC

Planned meeting topics for this meeting were on this page:



Next meeting will be announced in advance, but will be on the same
weekday and at the same time. Your local meeting time is easy to check
from services such as



or with

$ date -u


SUMMARY

Mattock gave a brief update on buildbot's current status. The idea was
that a mail to openvpn-commits list would trigger a build on all
buildslaves. Everything works fine, except that buildbot is
(surprisingly) lacking a Git commit email parser. Mattock will try to
write one based on existing ones and if that fails, he'll upgrade
buildbot and use the new GitPoller instead.

--

Mattock gave an update on the status of the public test server. He received
the credentials and already installed some software on it. Further work
on it will be postponed until buildbot work is finished.

--

Discussed the OpenVPN 2.1.3 installer for Windows 2000. There have been
a few queries regarding it, and it's already available here:



It was decided earlier to support Win2k on OpenVPN 2.1.3 but not on
subsequent releases:



Mattock asked jamesyonan to sign the installer so that it can be added
to the official download page.

--

Discussed the "Support SOCKS plain text authentication" patch:



Decided to merge the patch into the git repository. However, later the
whole socks.c would require cleaning up, e.g. to replace the raw hex
message codes with macros.

--

Discussed the "HTTP/1.1 Host header" patch:



It has been ACK'd by several people and is on its way to the git
repository.

--

Discussed the "dynamic-Iroute config option for automatic iroutes" patch:



There were a few concerns regarding this patch:

a) Possibility of routing loops, e.g. if there are two mesh networks
with a double-IP-used conflict, one could end up in endless "ip route
add" / "ip route del" switching.

b) The patch should be rebased against the bugfix2.1 branch

c) It should be possible to #ifdef out the core dynamic-iroute code

d) An extra argument is added to multi_get_instance_by_virtual_addr()

It was suggested that if a), b) and c) are sorted out, this patch could
go into its own git branch and be tested there. Later it could be
merged into the main development code.

Mattock agreed to contact the patch author about these issues.

--

Discussed integrating the Coverity code analysis tool into buildbot.
Jamesyonan said that we have a license to use their tools. Unlike many OSS
projects, our license _is not_ tied to their "Scan" project:



Jamesyonan agreed to send mattock the necessary details so that Coverity
analysis can be integrated into the build process (or buildbot).

---

Full chatlog as an attachment

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
(21:04:18) mattock: topic list is here: 
https://community.openvpn.net/openvpn/wiki/Topics-2010-10-14
(21:04:20) vpnHelper: Title: Topics-2010-10-14 – OpenVPN Community (at 
community.openvpn.net)
(21:04:27) mattock: I'll mail james now
(21:06:31) mattock: ok, sent
(21:06:52) mattock: perhaps I'll give a brief update on buildbot and the public 
test server
(21:06:53) mattock: ?
(21:07:10) dazo: +1
(21:07:34) krzee: pls do
(21:07:36) mattock: okey dokey
(21:07:58) mattock: so buildbot first... I was thinking that I could make 
everything work smoothly by the end of this week
(21:08:10) krzee: even windows?
(21:08:25) mattock: the idea was that a mail to openvpn-commits would trigger a 
build on all buildslaves
(21:08:38) cron2: +1 :)
(21:08:39) mattock: krzee: no :)
(21:09:07) mattock: so everything went fine, e.g. getting mail to the 
buildmaster account in correct format
(21:09:20) mattock: then I noticed that there is no Git commit email parser in 
buildbot
(21:09:43) mattock: modifying one of the existing ones (e.g. Bzr, launchpad) 
should be relatively easy
(21:09:57) mattock: so I'll probably do that... sent mail to buildbot-devel 
about that
(21:10:12) mattock: if that fails, I can update buildbot and use the s.c. 
GitPoller which polls the repository for changes
(21:10:47) mattock: besides that, buildbot is ready for some real work
(21:11:21) mattock: and then the test server
(21:12:10) mattock: I got the credentials and started configuring it today... 
nothing fancy yet, just some software installs
(21:12:44) mattock: I'll try to get one thing finished at a time (buildbot 
first, then test serv

Re: [Openvpn-devel] openvpn, NTLM and McAfee Web Gateway

2010-10-15 Thread Samuli Seppänen

> dear all,
>
> a few days ago I deployed an ovpn solution in a medium-sized company.
> One of the two ends of the vpn network is passing through a proxy with
> NTLM authentication. ovpn has problems recognizing the authentication
> because immediately after sending the message type 1, the proxy sends
> no response, so I had to modify the source code by replacing the
> current message with a similar but different one.
>
> in particular this one:
>
> TlRMTVNTUAABAgIAAA==
>
>
> becomes:
>
> TlRMTVNTUAABB4IIogAFASgKDw==
>
>
> A detail of the work is available at:
>
> http://www.morzello.com/?p=350 (in Italian).
>
> I was wondering if you could have a function that supports this type
> of proxy (such as McAfee Web Gateway).
>
> thank you very much.
Hi,

I read your blog post, interesting stuff. The strings the client sends
seem to be base64 encoded and the first part on both messages look like
this (in nano/vi):

NTLMSSP

It's followed by this, which is apparently the message type hex string:

^@^A^@^@^@

After this they differ noticeably. I'd guess they are just sending
different NTLM flags:



Can somebody more fluent in NTLM protocol decipher these two messages?

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
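Added worked example, not code from this thread, from OpenVPN or from Firefox: a small Python parser for NTLM Type 1 (NEGOTIATE) messages that does what the question above asks for. It decodes the base64, checks the "NTLMSSP\0" signature and the message type, names every negotiate-flag bit with its MS-NLMP name (the Firefox NTLM_Negotiate* defines quoted in vittorio's reply map onto these; NTLMKey is NEGOTIATE_NTLM and NTLM2Key is NEGOTIATE_EXTENDED_SESSIONSECURITY), and reads the optional Version field. The two sample messages are constructed inside the block: a minimal 16-byte form carrying only OEM and NTLM, and a 40-byte form carrying the Firefox flag set plus NEGOTIATE_VERSION, 128- and 56-bit flags and a made-up Windows 5.1 version stamp. The two base64 strings as they are reproduced in the quoted mail above decode to only 13 and 19 bytes, so the parser rejects them as malformed; rebuilding the message from the flag word is the reliable way to see what a client is negotiating.

```python
import base64
import struct

# NTLM NEGOTIATE_MESSAGE (Type 1) layout per MS-NLMP 2.2.1.1:
#   offset  0  Signature         "NTLMSSP\0"
#   offset  8  MessageType       uint32 LE, must be 1
#   offset 12  NegotiateFlags    uint32 LE
#   offset 16  DomainNameFields  8 bytes  } omitted in the minimal 16-byte
#   offset 24  WorkstationFields 8 bytes  } form that some clients send
#   offset 32  Version           8 bytes, only when NEGOTIATE_VERSION is set
SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_VERSION = 0x02000000

# Flag bits per MS-NLMP 2.2.2.5.  Firefox's NTLM_NegotiateNTLMKey is
# NEGOTIATE_NTLM here and NTLM_NegotiateNTLM2Key is EXTENDED_SESSIONSECURITY.
NEGOTIATE_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000040: "NEGOTIATE_DATAGRAM",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00000800: "ANONYMOUS",
    0x00001000: "OEM_DOMAIN_SUPPLIED",
    0x00002000: "OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NEGOTIATE_IDENTIFY",
    0x00400000: "REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    NEGOTIATE_VERSION: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
KNOWN_MASK = sum(NEGOTIATE_FLAGS)  # bits are disjoint, so the sum equals the OR


def build_type1(flags, version=None):
    """Build a base64 Type 1 message: the 16-byte minimal form, or the
    40-byte form with empty domain/workstation fields plus a Version
    tuple (major, minor, build, ntlm_revision)."""
    msg = SIGNATURE + struct.pack("<II", 1, flags)
    if version is not None:
        msg += b"\x00" * 16  # empty DomainNameFields and WorkstationFields
        msg += struct.pack("<BBH3xB", *version)
    return base64.b64encode(msg).decode("ascii")


def parse_type1(b64):
    """Decode and validate a base64 Type 1 message; raise ValueError on
    anything that is not a well-formed NEGOTIATE_MESSAGE."""
    raw = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(raw) < 16:
        raise ValueError(f"only {len(raw)} bytes; Type 1 needs at least 16")
    if raw[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError(f"expected message type 1, got {msg_type}")
    info = {
        "length": len(raw),
        "flags": flags,
        "flag_names": [n for bit, n in sorted(NEGOTIATE_FLAGS.items()) if flags & bit],
        "unknown_bits": flags & ~KNOWN_MASK,
        "version": None,
    }
    if flags & NEGOTIATE_VERSION:
        if len(raw) < 40:
            raise ValueError("NEGOTIATE_VERSION set but Version field missing")
        info["version"] = struct.unpack_from("<BBH3xB", raw, 32)
    return info


def is_well_formed(b64):
    """True only if parse_type1 accepts the message (bad base64, truncation,
    wrong signature or wrong type all count as malformed)."""
    try:
        parse_type1(b64)
        return True
    except ValueError:
        return False


# Constructed samples (not the strings quoted in the thread).
MINIMAL_FLAGS = 0x00000202  # OEM | NTLM
FIREFOX_STYLE_FLAGS = (0x1 | 0x2 | 0x4 | 0x200 | 0x8000 | 0x80000   # Firefox NTLM_TYPE1_FLAGS
                       | NEGOTIATE_VERSION | 0x20000000 | 0x80000000)
MINIMAL_MSG = build_type1(MINIMAL_FLAGS)
# Version stamp is made up for the example: Windows 5.1 build 2600, NTLMSSP revision 15.
FIREFOX_STYLE_MSG = build_type1(FIREFOX_STYLE_FLAGS, version=(5, 1, 2600, 15))

if __name__ == "__main__":
    for label, msg in (("minimal", MINIMAL_MSG), ("firefox-style", FIREFOX_STYLE_MSG)):
        info = parse_type1(msg)
        print(f"{label}: {msg}")
        print(f"  flags 0x{info['flags']:08x} = {' | '.join(info['flag_names'])}")
        print(f"  version: {info['version']}")
```

Running the block prints both constructed messages with their flag names; feeding a captured Proxy-Authorization value to parse_type1 gives the same breakdown for a real client, and is_well_formed is the check to run before trusting a string pasted from a mail or a blog.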