[Openvpn-devel] Travis-ci is changing billing

2020-12-22 Thread Илья Шипицин
https://news.ycombinator.com/item?id=25338983

Actually, not many choices, either to drop Travis or to pay for it.




Ilya
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] wanted: mechanism to send text messages to client

2020-12-22 Thread Steffan Karger
Hi,

On 21-12-2020 21:25, Arne Schwabe wrote:
> On 21.12.20 at 20:11, Gert Doering wrote:
>> On Mon, Dec 21, 2020 at 06:24:36PM +, Greg Cox wrote:
>>> If the software were
>>> to contain a mechanism to make certain failure cases automatically more
>>> prominent, particularly for 'simple' users who have GUI clients, it'll be a
>>> big win for supportability on larger installs.
>>
>> This is indeed getting into philosophy... we do send different types of
>> AUTH_FAILED today (like, for token expired).  Maybe we could send an
>> "AUTH_FAILED,cert expired" and have the client display this?
>>
>> (I admit that I'm neither an expert on AUTH_FAILED message, nor on
>> "what is the client doing on variations of it", nor on "what *should*
>> be the expected outcome?".  Selva, Arne will know more).
> 
> It is easy to add that message, [...]

Uhm, I would say it's impossible to send that message. AUTH_FAILED
messages are sent over the control channel, while in case of certificate
errors the control channel will never be initialized.

We could however do something that has the same effect: don't prevent
TLS from sending its "certificate_expired" alert. OpenVPN 2 (don't know
about 3) currently just doesn't respond at all if it detects a TLS error.

IIRC, this extra-paranoid behaviour has saved us from at least one of
the timing-based attacks on TLS from the past, but I can't recall which one.

At the same time, the TLS protocol and its implementation have matured
a lot since Heartbleed. Possibly beyond the point where usability
concerns now outweigh the security concerns. Before anyone suggests
making this optional: no. no. no. I strongly believe we should
carefully consider if we want to allow TLS to send alerts, or leave this
as-is.

David actually already brought this up in 2016, see this thread:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12892.html

Note that any of this is separate from the initial discussion, where
Gert proposes to send notifications *before* the certificate expires.

-Steffan




Re: [Openvpn-devel] wanted: mechanism to send text messages to client

2020-12-22 Thread Michael Kress
Hi,
On Sun, 20 Dec 2020 11:54:30 +0100, Gert Doering wrote:
> I find myself looking for a mechanism by which I could send
> informational messages ("your cert expires in two weeks, go refresh!"
> - "your openvpn client needs an upgrade") from the openvpn server to
> incoming clients.
 
I'm quite late to the party, but I asked about something similar a
few days ago (06.12.2020):
https://sourceforge.net/p/openvpn/mailman/message/37170200/

I proposed a generic way to send whatever you like over the
control channel. A plugin could be triggered by hooks which react to
this generic push command. The plugins for all different OS and UIs
could trigger messages in new windows or network managers.

Your wish is to send a message, mine was to send a certificate. A
generic push command could achieve both, as long as the plugin is
installed.

echo could be a possibility, but fiddling with log files must also be
implemented (by a plugin?)

Servus
  Michael

> Of course this should work with all connecting clients, that is, "text
> clients", windows GUI, Tunnelblick, iOS Connect, Android.
> 
> As far as I am aware, there is no such mechanism today.
> 
> Do we want to make one?
> 
> 
> From the server / openvpn core side, it could be something totally
> trivial:
> 
>   push "info-msg hey there!"
> 
> ... and the client would then either print this on the console 
> (if !management) or dump it to management, where the GUI/Tunnelblick
> could pick it up and create a popup window.
> 
> What do you think?
> 
> gert


