[Openvpn-devel] [PATCH] Remove dependency on mbed TLS PKCS#11 module

2017-09-11 Thread Steffan Karger
Hi,

The following three patches remove our dependency on the mbed TLS
PKCS#11 module.  While doing so, this adds better error reporting and
still manages to barely add any lines of code.

Not depending on the mbed TLS PKCS#11 module is good, because mbed TLS
has the PKCS#11 module disabled by default.  So this makes it easier to
use e.g. a distro-provided mbed TLS library.  Also, this makes it easier
to move away from pkcs11-helper should we want to go that way.

-Steffan


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [PATCH 3/3] mbedtls: remove dependency on mbedtls pkcs11 module

2017-09-11 Thread Steffan Karger
Instead of using mbedtls's pkcs11 module, reuse the code we already have
for management-external-key to also do pkcs11 signatures.  As far as mbed
is concerned, we simply provide an external signature.

This has the following advantages:
 * We no longer need mbed TLS to be compiled with the pkcs11 modules
   enabled (which is not enabled by default).  This makes it easier to use
   a system/distribution-provided mbed shared library.
 * We no longer have a dependency on pkcs11-helper through mbed TLS.  So if
   we want to migrate to some other pkcs11 lib (see e.g. trac #491, #538
   and #549 for the reasons why), this will be easier.

While touching this code, switch from M_FATAL to M_WARN and proper error
handling.  This improves the error reporting, and helps prevent potential
future DoS attacks if someone starts using these functions on peer input.

Signed-off-by: Steffan Karger 
---
 configure.ac | 29 ---
 src/openvpn/pkcs11_mbedtls.c | 87 +---
 src/openvpn/ssl_mbedtls.c|  7 +---
 src/openvpn/ssl_mbedtls.h|  6 +--
 4 files changed, 62 insertions(+), 67 deletions(-)

diff --git a/configure.ac b/configure.ac
index 6f1044e..50d0352 100644
--- a/configure.ac
+++ b/configure.ac
@@ -992,35 +992,6 @@ elif test "${enable_crypto}" = "yes" -a 
"${with_crypto_library}" = "mbedtls"; th
[AC_MSG_ERROR([mbed TLS 2.y.z required])]
)
 
-   mbedtls_with_pkcs11="no"
-   AC_COMPILE_IFELSE(
-   [AC_LANG_PROGRAM(
-   [[
-#include 
-   ]],
-   [[
-#ifndef MBEDTLS_PKCS11_C
-#error pkcs11 wrapper missing
-#endif
-   ]]
-   )],
-   mbedtls_with_pkcs11="yes")
-
-   AC_MSG_CHECKING([mbedtls pkcs11 support])
-   if test "${enable_pkcs11}" = "yes"; then
-   if test "${mbedtls_with_pkcs11}" = "yes"; then
-   AC_MSG_RESULT([ok])
-   else
-   AC_MSG_ERROR([mbedtls has no pkcs11 wrapper compiled 
in])
-   fi
-   else
-   if test "${mbedtls_with_pkcs11}" != "yes"; then
-   AC_MSG_RESULT([ok])
-   else
-   AC_MSG_ERROR([mbed TLS compiled with PKCS11, while 
OpenVPN is not])
-   fi
-   fi
-
have_crypto_aead_modes="yes"
AC_CHECK_FUNCS(
[ \
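Review bot: With this block gone there is no configure-time check any more tying `--enable-pkcs11` to what mbed TLS was built with, which is the intent, but make sure the `--enable-pkcs11` path still checks for pkcs11-helper itself: the new pkcs11_mbedtls.c calls `pkcs11h_certificate_getCertificateBlob` and `pkcs11h_certificate_signAny` directly, so a missing pkcs11-helper should be reported by configure rather than surface as a compile error.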
diff --git a/src/openvpn/pkcs11_mbedtls.c b/src/openvpn/pkcs11_mbedtls.c
index 45372e4..12109cf 100644
--- a/src/openvpn/pkcs11_mbedtls.c
+++ b/src/openvpn/pkcs11_mbedtls.c
@@ -39,60 +39,89 @@
 #include "errlevel.h"
 #include "pkcs11_backend.h"
 #include "ssl_verify_backend.h"
-#include 
 #include 
 
-int
-pkcs11_init_tls_session(pkcs11h_certificate_t certificate,
-struct tls_root_ctx *const ssl_ctx)
+static bool
+pkcs11_get_x509_cert(pkcs11h_certificate_t pkcs11_cert, mbedtls_x509_crt *cert)
 {
-int ret = 1;
+unsigned char *cert_blob = NULL;
+size_t cert_blob_size = 0;
+bool ret = false;
 
-ASSERT(NULL != ssl_ctx);
-
-ALLOC_OBJ_CLEAR(ssl_ctx->crt_chain, mbedtls_x509_crt);
-if (mbedtls_pkcs11_x509_cert_bind(ssl_ctx->crt_chain, certificate))
+if (pkcs11h_certificate_getCertificateBlob(pkcs11_cert, NULL,
+   _blob_size) != CKR_OK)
 {
-msg(M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object");
+msg(M_WARN, "PKCS#11: Cannot retrieve certificate object size");
 goto cleanup;
 }
 
-ALLOC_OBJ_CLEAR(ssl_ctx->priv_key_pkcs11, mbedtls_pkcs11_context);
-if (mbedtls_pkcs11_priv_key_bind(ssl_ctx->priv_key_pkcs11, certificate))
+check_malloc_return((cert_blob = calloc(1, cert_blob_size)));
+if (pkcs11h_certificate_getCertificateBlob(pkcs11_cert, cert_blob,
+   _blob_size) != CKR_OK)
 {
-msg(M_FATAL, "PKCS#11: Cannot initialize mbed TLS private key object");
+msg(M_WARN, "PKCS#11: Cannot retrieve certificate object");
 goto cleanup;
 }
 
-ALLOC_OBJ_CLEAR(ssl_ctx->priv_key, mbedtls_pk_context);
-if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ssl_ctx->priv_key,
-  ssl_ctx->priv_key_pkcs11, 
mbedtls_ssl_pkcs11_decrypt,
-  mbedtls_ssl_pkcs11_sign, 
mbedtls_ssl_pkcs11_key_len)))
+if (!mbed_ok(mbedtls_x509_crt_parse(cert, cert_blob, cert_blob_size)))
 {
+msg(M_WARN, "PKCS#11: Could not parse certificate");
 goto cleanup;
 }
 
-ret = 0;
-
+ret = true;
 cleanup:
+free(cert_blob);
 return ret;
 }
 
+static bool
+pkcs11_sign(void *pkcs11_cert, const void *src, size_t src_len,
+void *dst, size_t dst_len)
+{
+return CKR_OK == pkcs11h_certificate_signAny(pkcs11_cert, CKM_RSA_PKCS,
+   
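Review bot: The size query followed by `check_malloc_return((cert_blob = calloc(1, cert_blob_size)))` will abort the process if `cert_blob_size` comes back as 0, since `calloc(1, 0)` may legitimately return NULL; given that the rest of this function was deliberately moved from M_FATAL to M_WARN plus `goto cleanup`, a zero-length blob should be handled the same way (warn and bail out) before allocating. `pkcs11_sign` is cut off in this copy of the patch, so its handling of `dst_len` could not be reviewed here.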

[Openvpn-devel] [PATCH 2/3] mbedtls: make external signing code generic

2017-09-11 Thread Steffan Karger
This prepares for reusing this code from the mbedtls pkcs11 implementation.
The change itself should not have any functional impact.

Signed-off-by: Steffan Karger 
---
 src/openvpn/ssl_mbedtls.c | 115 --
 src/openvpn/ssl_mbedtls.h |  41 +++--
 2 files changed, 98 insertions(+), 58 deletions(-)

diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 6d023af..0cf89a8 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -146,12 +146,6 @@ tls_ctx_free(struct tls_root_ctx *ctx)
 free(ctx->priv_key_pkcs11);
 }
 #endif
-#if defined(MANAGMENT_EXTERNAL_KEY)
-if (ctx->external_key != NULL)
-{
-free(ctx->external_key);
-}
-#endif
 
 if (ctx->allowed_ciphers)
 {
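Review bot: Dropping the `free(ctx->external_key)` is only correct if `external_key` stops being a heap pointer; the later hunk's `ctx->external_key.signature_length = ...` shows it becomes an embedded struct, but that change lives in ssl_mbedtls.h, which is not shown in this mail, so please confirm nothing else still does `ALLOC_OBJ_CLEAR(ctx->external_key, ...)`.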
@@ -413,13 +407,6 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const 
char *priv_key_file,
 return 0;
 }
 
-#ifdef MANAGMENT_EXTERNAL_KEY
-
-
-struct external_context {
-size_t signature_length;
-};
-
 /**
  * external_pkcs1_sign implements a mbed TLS rsa_sign_func callback, that uses
  * the management interface to request an RSA signature for the supplied hash.
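Review bot: Removing this `#ifdef MANAGMENT_EXTERNAL_KEY` leaves its matching `#endif` somewhere below this hunk; a new `#ifdef MANAGMENT_EXTERNAL_KEY` is opened further down just before `management_sign_func`, so double-check that the original `#endif` now closes that new block and that the file still preprocesses cleanly with MANAGMENT_EXTERNAL_KEY undefined. Moving `struct external_context` out of this file also means its definition, with the new `sign` and `sign_ctx` members, has to be in the header before the first use in `external_pkcs1_sign`.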
@@ -446,11 +433,9 @@ external_pkcs1_sign( void *ctx_voidptr,
  unsigned char *sig )
 {
 struct external_context *const ctx = ctx_voidptr;
-char *in_b64 = NULL;
-char *out_b64 = NULL;
 int rv;
-unsigned char *p = sig;
-size_t asn_len = 0, oid_size = 0, sig_len = 0;
+uint8_t *to_sign = NULL;
+size_t asn_len = 0, oid_size = 0;
 const char *oid = NULL;
 
 if (NULL == ctx)
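Review bot: `uint8_t *to_sign` needs `<stdint.h>` (or an OpenVPN header that pulls it in) to be visible in ssl_mbedtls.c; the rest of this function uses `unsigned char` for the hash and signature buffers, so consider using one type for all three buffers.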
@@ -486,12 +471,14 @@ external_pkcs1_sign( void *ctx_voidptr,
 asn_len = 10 + oid_size;
 }
 
-sig_len = ctx->signature_length;
-if ( (SIZE_MAX - hashlen) < asn_len || (hashlen + asn_len) > sig_len)
+if ((SIZE_MAX - hashlen) < asn_len
+|| ctx->signature_length < (asn_len + hashlen))
 {
 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
 }
 
+ALLOC_ARRAY_CLEAR(to_sign, uint8_t, asn_len + hashlen);
+uint8_t *p = to_sign;
 if (md_alg != MBEDTLS_MD_NONE)
 {
 /*
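Review bot: The rewritten bound `ctx->signature_length < (asn_len + hashlen)` is equivalent to the old check, but it only guarantees that DigestInfo plus hash fit in the modulus; PKCS#1 v1.5 signing additionally needs 11 bytes for the padding, so a key that is too small would currently be rejected only by the external signer (CKM_RSA_PKCS or the management interface) rather than here. Tightening the check to `asn_len + hashlen + 11` would fail earlier and with the more descriptive MBEDTLS_ERR_RSA_BAD_INPUT_DATA.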
@@ -516,34 +503,16 @@ external_pkcs1_sign( void *ctx_voidptr,
 *p++ = MBEDTLS_ASN1_OCTET_STRING;
 *p++ = hashlen;
 
-/* Determine added ASN length */
-asn_len = p - sig;
+/* Double-check ASN length */
+ASSERT(asn_len == p - to_sign);
 }
 
 /* Copy the hash to be signed */
-memcpy( p, hash, hashlen );
-
-/* convert 'from' to base64 */
-if (openvpn_base64_encode(sig, asn_len + hashlen, _b64) <= 0)
-{
-rv = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
-goto done;
-}
+memcpy(p, hash, hashlen);
 
-/* call MI for signature */
-if (management)
-{
-out_b64 = management_query_rsa_sig(management, in_b64);
-}
-if (!out_b64)
-{
-rv = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
-goto done;
-}
-
-/* decode base64 signature to binary and verify length */
-if (openvpn_base64_decode(out_b64, sig, ctx->signature_length) !=
-ctx->signature_length)
+/* Call external signature function */
+if (!ctx->sign(ctx->sign_ctx, to_sign, asn_len + hashlen, sig,
+   ctx->signature_length))
 {
 rv = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
 goto done;
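Review bot: The new `ctx->sign()` callback is handed the unpadded DigestInfo||hash in `to_sign` and only a `bool` comes back, so the `external_sign_func` contract (in the header, not shown here) should state explicitly that the callee applies PKCS#1 v1.5 padding and writes exactly `dst_len` bytes; the old inline code verified `openvpn_base64_decode(...) == ctx->signature_length`, and that length check now has to be replicated inside every implementation of the callback.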
@@ -552,14 +521,7 @@ external_pkcs1_sign( void *ctx_voidptr,
 rv = 0;
 
 done:
-if (in_b64)
-{
-free(in_b64);
-}
-if (out_b64)
-{
-free(out_b64);
-}
+free(to_sign);
 return rv;
 }
 
@@ -572,7 +534,8 @@ external_key_len(void *vctx)
 }
 
 int
-tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
+tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx,
+  external_sign_func sign_func, void *sign_ctx)
 {
 ASSERT(NULL != ctx);
 
@@ -582,11 +545,12 @@ tls_ctx_use_management_external_key(struct tls_root_ctx 
*ctx)
 return 0;
 }
 
-ALLOC_OBJ_CLEAR(ctx->external_key, struct external_context);
-ctx->external_key->signature_length = 
mbedtls_pk_get_len(>crt_chain->pk);
+ctx->external_key.signature_length = 
mbedtls_pk_get_len(>crt_chain->pk);
+ctx->external_key.sign = sign_func;
+ctx->external_key.sign_ctx = sign_ctx;
 
 ALLOC_OBJ_CLEAR(ctx->priv_key, mbedtls_pk_context);
-if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ctx->priv_key, ctx->external_key,
+if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ctx->priv_key, >external_key,
   NULL, external_pkcs1_sign, 
external_key_len)))
 {
 return 0;
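Review bot: `mbedtls_pk_get_len(&ctx->crt_chain->pk)` dereferences `crt_chain`, which is only safe once the certificate has been loaded; patch 1/3 reorders `init_ssl()` so that this holds, but the `return 0` at the top of this hunk is what actually guards a NULL `crt_chain`, so keep that check in place. Note also that the list archive has dropped the `&` in `&ctx->external_key` and `&ctx->crt_chain->pk` (rendered as `>external_key`); the intent is clear, but the patch should be re-fetched rather than applied from this page.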
@@ -594,6 +558,47 @@ tls_ctx_use_management_external_key(struct tls_root_ctx 
*ctx)
 
 return 1;
 }
+
+#ifdef MANAGMENT_EXTERNAL_KEY
+
+/** Query the management interface for a signature, see external_sign_func. */
+static bool
+management_sign_func(void *sign_ctx, const void *src, size_t src_len,
+
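Review bot: `management_sign_func` is cut off here, but as an implementation of `external_sign_func` it must keep the check the old inline code did, that the base64-decoded signature length equals `dst_len` (returning false otherwise); and a `tls_ctx_use_management_external_key()` wrapper that calls `tls_ctx_use_external_signing_func(ctx, management_sign_func, NULL)` is still required, because ssl.c and ssl_backend.h (patch 1/3) call the old name.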

[Openvpn-devel] [PATCH 1/3] Do not load certificate from tls_ctx_use_external_private_key()

2017-09-11 Thread Steffan Karger
The cert and key loading logic surrounding management-external-key and
management-external cert was somewhat intertwined.  Untangle these to
prepare for making the external key code more reusable.

The best part is that this even reduces the number of lines of code.

Signed-off-by: Steffan Karger 
---
 src/openvpn/ssl.c | 48 +++--
 src/openvpn/ssl_backend.h | 15 +++
 src/openvpn/ssl_mbedtls.c |  6 ++---
 src/openvpn/ssl_openssl.c | 68 +--
 4 files changed, 58 insertions(+), 79 deletions(-)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index cb94229..4582454 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -649,41 +649,37 @@ init_ssl(const struct options *options, struct 
tls_root_ctx *new_ctx)
 }
 #endif
 #ifdef MANAGMENT_EXTERNAL_KEY
-else if ((options->management_flags & MF_EXTERNAL_KEY)
- && (options->cert_file || options->management_flags & 
MF_EXTERNAL_CERT))
+else if (options->management_flags & MF_EXTERNAL_CERT)
 {
-if (options->cert_file)
-{
-tls_ctx_use_external_private_key(new_ctx, options->cert_file,
- options->cert_file_inline);
-}
-else
-{
-char *external_certificate = management_query_cert(management,
-   
options->management_certificate);
-tls_ctx_use_external_private_key(new_ctx, INLINE_FILE_TAG,
- external_certificate);
-free(external_certificate);
-}
+char *cert = management_query_cert(management,
+   options->management_certificate);
+tls_ctx_load_cert_file(new_ctx, INLINE_FILE_TAG, cert);
+free(cert);
 }
 #endif
-else
+else if (options->cert_file)
+{
+tls_ctx_load_cert_file(new_ctx, options->cert_file, 
options->cert_file_inline);
+}
+
+if (options->priv_key_file)
 {
-/* Load Certificate */
-if (options->cert_file)
+if (0 != tls_ctx_load_priv_file(new_ctx, options->priv_key_file,
+options->priv_key_file_inline))
 {
-tls_ctx_load_cert_file(new_ctx, options->cert_file, 
options->cert_file_inline);
+goto err;
 }
-
-/* Load Private Key */
-if (options->priv_key_file)
+}
+#ifdef MANAGMENT_EXTERNAL_KEY
+else if (options->management_flags & MF_EXTERNAL_KEY)
+{
+if (!tls_ctx_use_management_external_key(new_ctx))
 {
-if (0 != tls_ctx_load_priv_file(new_ctx, options->priv_key_file, 
options->priv_key_file_inline))
-{
-goto err;
-}
+msg (M_WARN, "Cannot initialize mamagement-external-key");
+goto err;
 }
 }
+#endif
 
 if (options->ca_file || options->ca_path)
 {
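Review bot: The warning text `"Cannot initialize mamagement-external-key"` misspells management. There is also a behaviour change when both `--cert` and `MF_EXTERNAL_CERT` are set: the old code preferred `options->cert_file`, while the new `else if` chain queries the management interface first and ignores the file; if that is intended it deserves a sentence in the commit message.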
diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index aba5a4d..6fa885d 100644
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -259,8 +259,7 @@ void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const 
char *cert_file,
  *  successful.
  */
 int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file,
-   const char *priv_key_file_inline
-   );
+   const char *priv_key_file_inline);
 
 #ifdef MANAGMENT_EXTERNAL_KEY
 
@@ -269,18 +268,12 @@ int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, 
const char *priv_key_file,
  * private key matching the given certificate.
  *
  * @param ctx   TLS context to use
- * @param cert_file The file name to load the certificate from, or
- *  "[[INLINE]]" in the case of inline files.
- * @param cert_file_inline  A string containing the certificate
  *
- * @return  1 if an error occurred, 0 if parsing was
- *  successful.
+ * @return  1 if an error occurred, 0 if successful.
  */
-int tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
- const char *cert_file, const char 
*cert_file_inline);
-
-#endif
+int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx);
 
+#endif /* MANAGMENT_EXTERNAL_KEY */
 
 /**
  * Load certificate authority certificates from the given file or path.
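Review bot: The updated doc comment says `@return 1 if an error occurred, 0 if successful`, but callers and implementation use the opposite convention: ssl.c now does `if (!tls_ctx_use_management_external_key(new_ctx)) { ... goto err; }` and the mbed TLS implementation returns 1 on success and 0 on failure, so the comment should read "1 on success, 0 on failure".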
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 861d936..6d023af 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -572,15 +572,13 @@ external_key_len(void *vctx)
 }
 
 int
-tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
- const char *cert_file, const char 
*cert_file_inline)

Re: [Openvpn-devel] Topics for tomorrow's (Tue, 12th Sep 2017) community meeting

2017-09-11 Thread Antonio Quartulli


On 11/09/17 21:02, David Sommerseth wrote:
> On 11/09/17 13:14, Samuli Seppänen wrote:
>> Hi,
>>
>> We're going to have an IRC meeting tomorrow starting at 20:00 CEST
>> (18:00 UTC) on #openvpn-meeting  irc.freenode.net. You do not have
>> to be logged in to Freenode to join the channel.
> 
> If we can slide this to 20:30-ish (CEST) - that is, delay it 30 minutes.
>  It will be far easier for both Gert and me to join the meeting. 


That's fine with me



-- 
Antonio Quartulli





Re: [Openvpn-devel] proper configuring of "tls-verify"

2017-09-11 Thread Илья Шипицин
2017-09-11 17:30 GMT+05:00 David Sommerseth <
open...@sf.lists.topphemmelig.net>:

> On 11/09/17 14:02, Илья Шипицин wrote:
> >
> >
> > 2017-09-11 16:54 GMT+05:00 Илья Шипицин  > >:
> >
> >
> >
> > 2017-09-11 16:45 GMT+05:00 Jan Just Keijser  > >:
> >
> > Hi,
> >
> > On 11/09/17 13:22, Илья Шипицин wrote:
> >
> > Hello,
> >
> > is someone actually using "tls-verify" in production ?
> > we tried to implement additional certificate check using
> > tls-verify
> >
> >
> > while it works in general, in case when it hits "exit 1", it
> > looks like a timeout from the client's point of view. It is not any
> > good
> >
> >
> > do you mean that when a client is denied access (i.e. the
> > tls-verify script exits 1 on the server) that the client sees
> > this as a timeout?  that is "normal" behaviour, as the server
> > does not tell the client *WHY* access is refused - it simply
> > stops responding to a client that does not pass
> > authentication/authorization. The client will not hear from the
> > server, and will time out after a specified interval.  This is
> > actually the most secure way to do things, as a rogue client
> > cannot DoS a server this way.
> >
> >
> > I'd say it depends.
> >
> > we run a lot of openvpn-gui with real people sitting in front of
> > them, from their point of view it "oh, it does not work! fix it!"
> > in our case better UX is to deliver a proper reason to the client
> >
> > for someone maybe the better UX is to keep silence
> >
> >
> >
> > what is wrong with timeout is endless retry.
> > there's no way to pass authentication once it failed, so why does the client
> > have to retry ?
>
> User-friendliness and security seldom walk hand-in-hand.  As this
> friendliness provides enough information fragments for an attacker to
> figure out "I need to try something else".  A non-responding server
> gives no clues.  It can be a crappy server or it can be access denied;
> the attacker doesn't know - thus making it harder to figure out what to
> do next.
>


An attacker can brute force a password, for example.
But what do you mean by "to try next" in the case of an SSL certificate?


>
> The client will by default try to reconnect, because that is what it in
> most cases is told to do when the server is unresponsive.  And since
> this happens with many seconds in between, a single client will not
> attempt to DoS a server by mistake by retrying in a too tight loop.
>
> A failed authentication is a failed authentication.  Thus UX client
> front-ends could treat this silence like that - but also account for
> other types of connectivity issues.  If it should try to reconnect or
> not, well, that's entirely up to the configuration file.   There is
> --single-session which can be used to control this.
>
> But for servers running OpenVPN clients, retrying indefinitely at
>

If a retry might be successful, yes.
If authentication failed, no.


> regular intervals may just as well be valuable; if it is an issue which
> is temporary.  Then these clients would reconnect once everything is
> back online again on the server side.
>
>
> --
> kind regards,
>
> David Sommerseth
> OpenVPN Technologies, Inc
>
>
>


Re: [Openvpn-devel] Topics for tomorrow's (Tue, 12th Sep 2017) community meeting

2017-09-11 Thread David Sommerseth
On 11/09/17 13:14, Samuli Seppänen wrote:
> Hi,
> 
> We're going to have an IRC meeting tomorrow starting at 20:00 CEST
> (18:00 UTC) on #openvpn-meeting  irc.freenode.net. You do not have
> to be logged in to Freenode to join the channel.

If we can slide this to 20:30-ish (CEST) - that is, delay it 30 minutes.
 It will be far easier for both Gert and me to join the meeting.  (We
just quickly chatted about it on IRC).  If not, we'll come as quickly as
we can manage.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] proper configuring of "tls-verify"

2017-09-11 Thread Arne Schwabe
On 11.09.17 at 14:30, David Sommerseth wrote:
> On 11/09/17 14:02, Илья Шипицин wrote:
>>
>>
>> 2017-09-11 16:54 GMT+05:00 Илья Шипицин > >:
>>
>>
>>
>> 2017-09-11 16:45 GMT+05:00 Jan Just Keijser > >:
>>
>> Hi,
>>
>> On 11/09/17 13:22, Илья Шипицин wrote:
>>
>> Hello,
>>
>> is someone actually using "tls-verify" in production ?
>> we tried to implement additional certificate check using
>> tls-verify
>>
>>
>> while it works in general, in case when it hits "exit 1", it
>> looks like a timeout from the client's point of view. It is not any
>> good
>>
>>
>> do you mean that when a client is denied access (i.e. the
>> tls-verify script exits 1 on the server) that the client sees
>> this as a timeout?  that is "normal" behaviour, as the server
>> does not tell the client *WHY* access is refused - it simply
>> stops responding to a client that does not pass
>> authentication/authorization. The client will not hear from the
>> server, and will time out after a specified interval.  This is
>> actually the most secure way to do things, as a rogue client
>> cannot DoS a server this way.
>>
>>
>> I'd say it depends.
>>
>> we run a lot of openvpn-gui with real people sitting in front of
>> them, from their point of view it "oh, it does not work! fix it!"
>> in our case better UX is to deliver a proper reason to the client
>>
>> for someone maybe the better UX is to keep silence
>>
>>
>>
>> what is wrong with timeout is endless retry.
>> there's no way to pass authentication once it failed, so why does the client
>> have to retry ?
> 
> User-friendliness and security seldom walk hand-in-hand.  As this
> friendliness provides enough information fragments for an attacker to
> figure out "I need to try something else".  A non-responding server
> gives no clues.  It can be a crappy server or it can be access denied;
> the attacker doesn't know - thus making it harder to figure out what to
> do next.
> 
> The client will by default try to reconnect, because that is what it in
> most cases is told to do when the server is unresponsive.  And since
> this happens with many seconds in between, a single client will not
> attempt to DoS a server by mistake by retrying in a too tight loop.
> 
> A failed authentication is a failed authentication.  Thus UX client
> front-ends could treat this silence like that - but also account for
> other types of connectivity issues.  If it should try to reconnect or
> not, well, that's entirely up to the configuration file.   There is
> --single-session which can be used to control this.
> 
> But for servers running OpenVPN clients, retrying indefinitely at
> regular intervals may just as well be valuable; if it is an issue which
> is temporary.  Then these clients would reconnect once everything is
> back online again on the server side.
> 


Also you can limit the number of unsuccessful retries in OpenVPN with
the connect-retry option.

Arne



Re: [Openvpn-devel] proper configuring of "tls-verify"

2017-09-11 Thread David Sommerseth
On 11/09/17 14:02, Илья Шипицин wrote:
> 
> 
> 2017-09-11 16:54 GMT+05:00 Илья Шипицин  >:
> 
> 
> 
> 2017-09-11 16:45 GMT+05:00 Jan Just Keijser  >:
> 
> Hi,
> 
> On 11/09/17 13:22, Илья Шипицин wrote:
> 
> Hello,
> 
> is someone actually using "tls-verify" in production ?
> we tried to implement additional certificate check using
> tls-verify
> 
> 
> while it works in general, in case when it hits "exit 1", it
> looks like a timeout from the client's point of view. It is not any
> good
> 
> 
> do you mean that when a client is denied access (i.e. the
> tls-verify script exits 1 on the server) that the client sees
> this as a timeout?  that is "normal" behaviour, as the server
> does not tell the client *WHY* access is refused - it simply
> stops responding to a client that does not pass
> authentication/authorization. The client will not hear from the
> server, and will time out after a specified interval.  This is
> actually the most secure way to do things, as a rogue client
> cannot DoS a server this way.
> 
> 
> I'd say it depends.
> 
> we run a lot of openvpn-gui with real people sitting in front of
> them, from their point of view it "oh, it does not work! fix it!"
> in our case better UX is to deliver a proper reason to the client
> 
> for someone maybe the better UX is to keep silence
> 
> 
> 
> what is wrong with timeout is endless retry.
> there's no way to pass authentication once it failed, so why does the client
> have to retry ?

User-friendliness and security seldom walk hand-in-hand.  As this
friendliness provides enough information fragments for an attacker to
figure out "I need to try something else".  A non-responding server
gives no clues.  It can be a crappy server or it can be access denied;
the attacker doesn't know - thus making it harder to figure out what to
do next.

The client will by default try to reconnect, because that is what it in
most cases is told to do when the server is unresponsive.  And since
this happens with many seconds in between, a single client will not
attempt to DoS a server by mistake by retrying in a too tight loop.

A failed authentication is a failed authentication.  Thus UX client
front-ends could treat this silence like that - but also account for
other types of connectivity issues.  If it should try to reconnect or
not, well, that's entirely up to the configuration file.   There is
--single-session which can be used to control this.

But for servers running OpenVPN clients, retrying indefinitely at
regular intervals may just as well be valuable; if it is an issue which
is temporary.  Then these clients would reconnect once everything is
back online again on the server side.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] proper configuring of "tls-verify"

2017-09-11 Thread Илья Шипицин
2017-09-11 16:54 GMT+05:00 Илья Шипицин :

>
>
> 2017-09-11 16:45 GMT+05:00 Jan Just Keijser :
>
>> Hi,
>>
>> On 11/09/17 13:22, Илья Шипицин wrote:
>>
>>> Hello,
>>>
>>> is someone actually using "tls-verify" in production ?
>>> we tried to implement additional certificate check using tls-verify
>>>
>>>
>>> while it works in general, in case when it hits "exit 1", it looks like a
>>> timeout from the client's point of view. It is not any good
>>>
>>
>> do you mean that when a client is denied access (i.e. the tls-verify
>> script exits 1 on the server) that the client sees this as a timeout?  that
>> is "normal" behaviour, as the server does not tell the client *WHY* access
>> is refused - it simply stops responding to a client that does not pass
>> authentication/authorization. The client will not hear from the server, and
>> will time out after a specified interval.  This is actually the most secure
>> way to do things, as a rogue client cannot DoS a server this way.
>>
>
> I'd say it depends.
>
> we run a lot of openvpn-gui with real people sitting in front of them,
> from their point of view it "oh, it does not work! fix it!"
> in our case better UX is to deliver a proper reason to the client
>
> for someone maybe the better UX is to keep silence
>


What is wrong with the timeout is the endless retry.
There's no way to pass authentication once it failed, so why does the client
have to retry?


>
>
> while I think "exit 1" will not be the most common case (it is rather an
> exception), we'd like to deliver better UX to people
>
>
>
>>
>> HTH,
>>
>> JJK
>>
>>
>


Re: [Openvpn-devel] proper configuring of "tls-verify"

2017-09-11 Thread Илья Шипицин
2017-09-11 16:45 GMT+05:00 Jan Just Keijser :

> Hi,
>
> On 11/09/17 13:22, Илья Шипицин wrote:
>
>> Hello,
>>
>> is someone actually using "tls-verify" in production ?
>> we tried to implement additional certificate check using tls-verify
>>
>>
>> while it works in general, in case when it hits "exit 1", it looks like a
>> timeout from the client's point of view. It is not any good
>>
>
> do you mean that when a client is denied access (i.e. the tls-verify
> script exits 1 on the server) that the client sees this as a timeout?  that
> is "normal" behaviour, as the server does not tell the client *WHY* access
> is refused - it simply stops responding to a client that does not pass
> authentication/authorization. The client will not hear from the server, and
> will time out after a specified interval.  This is actually the most secure
> way to do things, as a rogue client cannot DoS a server this way.
>

I'd say it depends.

we run a lot of openvpn-gui with real people sitting in front of them, from
their point of view it is "oh, it does not work! fix it!"
in our case better UX is to deliver a proper reason to the client

for someone maybe the better UX is to keep silence


while I think "exit 1" will not be the most common case (it is rather an
exception), we'd like to deliver better UX to people



>
> HTH,
>
> JJK
>
>


Re: [Openvpn-devel] proper configuring of "tls-verify"

2017-09-11 Thread Jan Just Keijser

Hi,

On 11/09/17 13:22, Илья Шипицин wrote:

Hello,

is someone actually using "tls-verify" in production ?
we tried to implement additional certificate check using tls-verify


while it works in general, in case when it hits "exit 1", it looks like a
timeout from the client's point of view. It is not any good


do you mean that when a client is denied access (i.e. the tls-verify script exits 1 on the server) that the client sees this as
a timeout?  that is "normal" behaviour, as the server does not tell the client *WHY* access is refused - it simply stops
responding to a client that does not pass authentication/authorization. The client will not hear from the server, and will time
out after a specified interval.  This is actually the most secure way to do things, as a rogue client cannot DoS a server this way.


HTH,

JJK
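As an added example (not code from this thread or from the OpenVPN project): a --tls-verify script of the kind Ilya describes, which applies an extra check on the leaf certificate and, because the client only ever sees a timeout as JJK explains, logs the reason for a rejection on the server side where an operator can find it. OpenVPN calls the script with two arguments, the certificate depth and the X.509 subject; the allow-list path /etc/openvpn/allowed_cns and the log tag are assumptions.

```shell
#!/bin/sh
# Example --tls-verify script (added here, not part of the thread or OpenVPN).
# OpenVPN runs it once per certificate in the peer's chain as:
#     script <depth> <x509_subject>
# Exit status 0 accepts the certificate, anything else rejects it, and the
# rejected client just times out, so the *reason* is logged here on the server.

# Assumed location of the allow-list: one permitted CN per line.
ALLOWED_CNS="${ALLOWED_CNS:-/etc/openvpn/allowed_cns}"

# log_reject <message>: syslog if available, otherwise stderr.
log_reject() {
    logger -t openvpn-tls-verify -- "$1" 2>/dev/null || printf '%s\n' "$1" >&2
}

# subject_cn <subject>: extract the CN from "C=NL, O=Example, CN=alice"
# (OpenVPN 2.4+ format) or "/C=NL/O=Example/CN=alice" (older --compat-names).
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^,/]*\).*/\1/p'
}

# check_peer <depth> <subject>: returns 0 to accept, 1 to reject.
check_peer() {
    depth="$1"
    subject="$2"

    # Only the leaf (depth 0) identifies the client.  Intermediates and the
    # CA are left to the chain validation OpenVPN already performed before
    # calling this script.
    if [ "$depth" != "0" ]; then
        return 0
    fi

    cn=$(subject_cn "$subject")
    if [ -z "$cn" ]; then
        log_reject "reject: no CN in leaf subject '$subject'"
        return 1
    fi

    # Exact, whole-line, fixed-string match against the allow-list.
    if grep -qxF -- "$cn" "$ALLOWED_CNS" 2>/dev/null; then
        return 0
    fi

    log_reject "reject: CN '$cn' (subject '$subject') not in $ALLOWED_CNS"
    return 1
}

# Entry point when invoked by OpenVPN with its two arguments.
if [ "$#" -eq 2 ]; then
    check_peer "$1" "$2"
    exit $?
fi
```

Point the server at it with `tls-verify /path/to/this-script` and, since OpenVPN 2.4 runs scripts only with `script-security 2` or higher, set that as well.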




[Openvpn-devel] proper configuring of "tls-verify"

2017-09-11 Thread Илья Шипицин
Hello,

is someone actually using "tls-verify" in production ?
we tried to implement additional certificate check using tls-verify


while it works in general, in case when it hits "exit 1", it looks like a
timeout from the client's point of view. It is not any good

Cheers,
Ilya Shipitsin


[Openvpn-devel] Topics for tomorrow's (Tue, 12th Sep 2017) community meeting

2017-09-11 Thread Samuli Seppänen
Hi,

We're going to have an IRC meeting tomorrow starting at 20:00 CEST
(18:00 UTC) on #openvpn-meeting  irc.freenode.net. You do not have
to be logged in to Freenode to join the channel.

Current topic list along with basic information is here:



If you have any other things you'd like to bring up, respond to this
mail, send me mail privately or add them to the list yourself.

In case you can't attend the meeting, please feel free to make comments
on the topics by responding to this email or to the summary email sent
after the meeting. Whenever possible, we'll also respond to existing,
related email threads.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




Re: [Openvpn-devel] how to roll your own OpenVPN Windows installer

2017-09-11 Thread Samuli Seppänen

On 08/09/2017 13:10, Jan Just Keijser wrote:

hi dev list,

someone asked me this question: how can one roll their own Windows 
OpenVPN installer, including a signed TAP driver?  There's no need to 
rebuild OpenVPN or the TAP driver, but they do need to include other 
things, such as certificates, config files etc.
Is there a way to repackage the existing TAP driver?  are there 
instructions for that?


TIA,

JJK


Hi,

I meant to answer this earlier, but then apparently forgot. The 
tap-windows installer is simply embedded into the main OpenVPN 
installer, so the pre-existing, signed tap-windows6 driver can be reused 
as-is. An OpenVPN installer can be generated in the openvpn-build 
cross-compile environment:




Usage of openvpn-build is pretty well documented on Trac:



On this page you can find automated cross-compile environment setup 
scripts which work for Ubuntu 14.04 and 16.04:




It is also possible to generate a new installer without actually 
building anything. The challenge is that the NSI install script 
(openvpn.nsi) in openvpn-build depends on a number of variables set 
during the build process, and on a certain directory structure. So it is 
generally easier just to rebuild everything.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
