[SPAM] 📩 NFS - Nota Fiscal Eletrônica de Serviços - 1193574411 ✔

2014-10-07 Thread Nota Fiscal Eletrônica
--
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


[Openvpn-users] multiple clients with same cert leads to problems

2014-10-07 Thread Jason Haar
Hi there

I've got a corner case I've picked up during testing that makes me
wonder if there's a bug in openvpn.

Our openvpn server "tests" incoming clients to ensure they comply with
our openvpn client standards - killing their session if they don't
(basically client-less NAC).

One thing we're doing is allowing "duplicate-cn", but using our NAC test
to reject clients using the same cert (get better logging of the
offenders that way). Anyway, I have a Mac and Windows box set up to use
the same cert to test this, and it causes an interesting situation...

First client connects, second client connects, NAC script notices the
same cert in use and kills the first connection. Second client later
hangs up. If I then look at the first client hours later, it still
thinks it's logged in! There is no error, it still has the tun interface
up, but no traffic flows. The server shows no connection via either
client (I use the management api to confirm that)

We use "--ping", and tcpdump confirms the first client and server are
still exchanging packets - but the server does not classify the client
as being connected. But as the openvpn pings are still working, the
client doesn't know it's actually disconnected. A simple "kill -HUP" on
the client fixes everything as it forces a full restart.

So I have two questions:

1. The client uses "explicit-exit-notify" - but it looks like using the
kill management command on the server does not tell the client it is
hanging up? Wouldn't that be a good idea?
2. The fact that ping is still working makes me think that means ping
must be *separate* from session management? Isn't that a bad idea?

Hopefully I'm wrong and someone will tell me I'm doing it incorrectly :-)

server is 2.3_git, and this is over UDP of course (I doubt this is an
issue over TCP, although I haven't tested)

Thanks

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
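
The following is an added example, not the poster's NAC script and not code from the OpenVPN project, of the kind of duplicate-cert check described above: it parses `status 2` output from the OpenVPN management interface, groups sessions by Common Name, and for every CN in use more than once emits a `kill` for the older session(s) by real address, so the newest connection survives. The status output is constructed to mirror the scenario in the post (one cert connected from two machines); the management host, port, and the assumption that the interface is TCP on localhost with no management password are mine.

```python
"""Detect duplicate common names in OpenVPN 'status 2' output and kill
the older sessions via the management interface.

Added illustrative example (not the original poster's NAC script, not
OpenVPN's own code). Assumes the OpenVPN 2.3-style 'status 2' CSV
layout: a 'HEADER,CLIENT_LIST,...' line naming the columns, followed by
'CLIENT_LIST,...' rows.
"""
import csv
import io
import socket
from collections import defaultdict

# Constructed sample of a 'status 2' reply: the CN "laptop-jason" is
# connected twice (a Mac and a Windows box sharing one cert), and
# "server-backup" once. Addresses are documentation ranges.
SAMPLE_STATUS_2 = """\
TITLE,OpenVPN 2.3_git x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL]
TIME,Tue Oct  7 09:12:44 2014,1412673164
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username
CLIENT_LIST,laptop-jason,203.0.113.10:51234,10.8.0.6,12345,67890,Tue Oct  7 08:01:10 2014,1412668870,UNDEF
CLIENT_LIST,server-backup,198.51.100.7:1194,10.8.0.10,111,222,Tue Oct  7 08:30:00 2014,1412670600,UNDEF
CLIENT_LIST,laptop-jason,192.0.2.55:40012,10.8.0.14,10,20,Tue Oct  7 09:10:02 2014,1412673002,UNDEF
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.6,laptop-jason,203.0.113.10:51234,Tue Oct  7 09:12:40 2014,1412673160
GLOBAL_STATS,Max bcast/mcast queue length,0
END
"""


def parse_client_list(status_text):
    """Return one dict per CLIENT_LIST row, keyed by the column names
    given on the HEADER,CLIENT_LIST line (so the parser does not depend
    on a fixed column order)."""
    columns = None
    clients = []
    for row in csv.reader(io.StringIO(status_text)):
        if not row:
            continue
        if row[0] == "HEADER" and len(row) > 1 and row[1] == "CLIENT_LIST":
            columns = row[2:]
        elif row[0] == "CLIENT_LIST" and columns is not None:
            clients.append(dict(zip(columns, row[1:])))
    return clients


def duplicate_cn_kills(clients):
    """For every Common Name with more than one live session, return
    'kill <real address>' commands for all but the newest session.

    Killing by real address (IP:port) matters: 'kill <cn>' would drop
    every session using that cert, including the one we want to keep."""
    by_cn = defaultdict(list)
    for c in clients:
        by_cn[c["Common Name"]].append(c)
    commands = []
    for cn, sessions in sorted(by_cn.items()):
        if len(sessions) < 2:
            continue
        sessions.sort(key=lambda c: int(c["Connected Since (time_t)"]))
        for older in sessions[:-1]:
            commands.append("kill %s" % older["Real Address"])
    return commands


def run_management_commands(commands, host="127.0.0.1", port=7505):
    """Send each command over the management interface and return the
    reply lines per command. Assumes a TCP management socket on
    localhost with no management password (hypothetical values).
    Not exercised by the offline test."""
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rw", encoding="utf-8", newline="\n")
        f.readline()  # banner: >INFO:OpenVPN Management Interface ...
        replies = []
        for cmd in commands:
            f.write(cmd + "\n")
            f.flush()
            lines = []
            while True:
                line = f.readline()
                if not line:
                    break
                lines.append(line.rstrip("\n"))
                # 'status 2' ends with END; kill answers SUCCESS:/ERROR:
                if line.startswith(("SUCCESS:", "ERROR:")) or line.rstrip() == "END":
                    break
            replies.append(lines)
        return replies


def kill_duplicates(host="127.0.0.1", port=7505):
    """Fetch live status, compute the kills, and apply them."""
    status_lines = run_management_commands(["status 2"], host, port)[0]
    kills = duplicate_cn_kills(parse_client_list("\n".join(status_lines)))
    return kills, run_management_commands(kills, host, port) if kills else []


if __name__ == "__main__":
    for cmd in duplicate_cn_kills(parse_client_list(SAMPLE_STATUS_2)):
        print(cmd)
```

Against the constructed sample this emits a single `kill 203.0.113.10:51234`, i.e. the older of the two "laptop-jason" sessions, matching the behaviour described in the post (first client killed, second kept). Note that, as the post reports, a `kill` issued this way removes the session on the server side only; whether the killed client learns of it is exactly the question raised above.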

