pushed by server, and that is used to offer a temporary session
token to clients that can be used in place of a password on
subsequent credential challenges.
This accomplishes the security benefit of preventing caching
of the real password while offering most of the advantages
of password caching, i.e. not forcing the user to re-enter
credentials for every TLS renegotiation or network hiccup.
auth-token does two things:
1. if password caching is enabled, the token replaces the
previous password, and
2. if the management interface is active, the token is output
to it:
>PASSWORD:Auth-Token:<token>
Also made a minor change to HALT/RESTART processing when password
caching is enabled. When client receives a HALT or RESTART message,
and if the message text contains a flags block (i.e. [FFF]:message),
if flag 'P' (preserve auth) is present in flags, don't purge the Auth
password. Otherwise do purge the Auth password.
Version 2.1.3o
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7088 e7ae566f-a301-0410-adde-c780ea21d3b5
to accept an optional message string. The message string format is:
RESTART|HALT,<human-readable-message>
RESTART will tell the client to restart (i.e. SIGUSR1).
HALT will tell the client to exit (i.e. SIGTERM).
On the client, human-readable-message will be communicated via
management interface:
>NOTIFY,<severity>,<type>,<human-readable-message>"
Version 2.1.3m
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7063 e7ae566f-a301-0410-adde-c780ea21d3b5
a server if it sent multiple push requests due to the server being
slow to respond. This could cause the client to process pushed
options twice, leading to duplicate pushed routes, among other issues.
The fix, implemented server-side, is to reply only once to a push
request even if multiple requests are received.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7060 e7ae566f-a301-0410-adde-c780ea21d3b5
Modified "push-peer-info" option to push IV_LZO_STUB=1 to server when
client was built with --enable-lzo-stub configure option. This tells
the server that the client lacks LZO capabilities, so the server
should turn off LZO compression for this client via "lzo no".
Added "setenv PUSH_PEER_INFO" option having the same effect as
"push-peer-info".
Version 2.1.3j
git-svn-id: http://svn.openvpn.net/projects/branches/BETA21@7023 e7ae566f-a301-0410-adde-c780ea21d3b5
was only defined for Windows and Linux). This enables OS X to report
the MAC address of the default gateway to the server for ID purposes
when client-side --push-peer-info option is specified.
Also, minor fix to OS X get_default_gateway function:
* include net/route.h directly rather than selectively paste stuff
from it into route.c
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6925 e7ae566f-a301-0410-adde-c780ea21d3b5
to be notified of tunnel up/down events.
* pulled --ip-win32 options will be suppressed on the client
if --route-nopull option is specified.
Version 2.1.3f
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6813 e7ae566f-a301-0410-adde-c780ea21d3b5
instead of "key" in client mode, and allows the client to run
without the need to load the actual private key. When the SSL
protocol needs to perform an RSA sign operation, the data to
be signed will be sent to the management interface via a
notification as follows:
>RSA_SIGN:[BASE64_DATA]
The management interface client should then sign BASE64_DATA
using the private key and return the signature as follows:
rsa-sig
[BASE64_SIG_LINE]
.
.
.
END
This capability is intended to allow the use of arbitrary
cryptographic service providers with OpenVPN via the
management interface.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6708 e7ae566f-a301-0410-adde-c780ea21d3b5
where credentials are entered from stdin. This capability is
compiled when ENABLE_CLIENT_CR is defined in syshead.h (enabled
by default).
Challenge/response support was previously implemented for creds
that are queried via the management interface. In this case,
the challenge message will be returned as a custom
client-reason-text string (see management-notes.txt for more
info) on auth failure.
Also, see the comments in misc.c above get_auth_challenge()
for info on the OpenVPN challenge/response protocol.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6568 e7ae566f-a301-0410-adde-c780ea21d3b5
signing drivers and .exe files.
Added win/tap_span.py for building multiple versions of the TAP driver
and tapinstall binaries using different DDK versions to span from Win2K
to Win7 and beyond.
Version 2.1.3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6404 e7ae566f-a301-0410-adde-c780ea21d3b5
Fixed potential local privilege escalation vulnerability in
Windows service. The Windows service did not properly quote the
executable filename passed to CreateService. A local attacker
with write access to the root directory C:\ could create an
executable that would be run with the same privilege level as
the OpenVPN Windows service. However, since non-Administrative
users normally lack write permission on C:\, this vulnerability
is generally not exploitable except on older versions of Windows
(such as Win2K) where the default permissions on C:\ would allow
any user to create files there.
Credit: Scott Laurie, MWR InfoSecurity
Version 2.1.2
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6400 e7ae566f-a301-0410-adde-c780ea21d3b5
commands.
When only a single IP address is desired from a multi-address DNS
expansion, use the first address rather than a random selection.
Version 2.1.1l
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6291 e7ae566f-a301-0410-adde-c780ea21d3b5
easier for OpenVPN client UIs to start a pre-existing client config file with
proxy options, or to adaptively fall back to a proxy connection if a direct
connection fails.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5652 e7ae566f-a301-0410-adde-c780ea21d3b5
Improved the ability of http-auth "auto" flag to dynamically detect
the auth method required by the proxy.
Added http-auth "auto-nct" flag to reject weak proxy auth methods.
Added HTTP proxy digest authentication method.
Removed extraneous openvpn_sleep calls from proxy.c.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5628 e7ae566f-a301-0410-adde-c780ea21d3b5