From: Horace Michael <horace.michael@gmx.com>
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] CRL updater: Update script for OpenVPNs CRL
Date: Tue, 13 Feb 2018 16:21:33 +0200 [thread overview]
Message-ID: <308F9A2C-5BD2-4DAB-AF11-FE5EC375E232@gmx.com> (raw)
In-Reply-To: <1518516012.11931.1.camel@ipfire.org>
Hi Erik,
On February 13, 2018 12:00:12 PM GMT+02:00, ummeegge <ummeegge(a)ipfire.org> wrote:
>Hi Michael,
>
>Am Dienstag, den 13.02.2018, 08:07 +0200 schrieb Horace Michael:
>>
>> Please consider to add auth-nocache also in order to get rid of the
>> warnings for caching credentials.
>
>just to bear in mind, if we set auth-nocache and a user/password
>authentication has been configured manually by the user (IPFire does not
>provide this currently), there is the need to authenticate again after
>a session key has expired.
If an IPFire user manually changes the standard configuration of OpenVPN and adds password authentication, then he/she should also accept the impact: entering the credentials on key renewal, or changing the config and removing the --auth-nocache directive.
>
>With OpenVPN-2.3.13 and above the rekeying is managed by
>'--reneg-bytes 64000000' (after 64 MB data transfer) if 64-bit block
>ciphers are used, which IPFire does provide at this time.
>
>So with an old, deprecated configuration (old ciphers) and a fast,
>heavily loaded connection there is the need to authenticate every few
>minutes.
>
>This warning does not look so nice, but in regular configurations,
>which have been made via the WUI, it is useless, since there is no
>user/password authentication currently available.
>
Indeed, it is just a warning; no problem for the tunnel being established. But it is a warning that might be misunderstood: who knows what "credentials" the user will think of, and the user's overall impression of IPFire security will be poor...
>If someone has configured it manually (in most cases via
>server{client}.conf.local I think), it is also possible there to set
>'--auth-nocache' for each configuration individually if needed?
>
>Just some thoughts from here.
>
>
>Greetings,
>
>Erik
--
Horace Michael (aka H&M)
Please excuse my typos and brevity. Sent from a Smartphone.
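The two points argued above (the "may cache passwords in memory" warning that appears when auth-nocache is missing, and the re-authentication every 64 MB that auth-nocache causes on a hand-edited user/password config with a 64-bit block cipher) can be checked mechanically against a server.conf or client.conf. The script below is an added example written for this thread; it is not IPFire code and not part of the patch under discussion. It assumes a simplified OpenVPN config syntax (whole-line comments, no inline <ca> blocks), a hand-compiled list of 64-bit block ciphers, that OpenVPN's pre-NCP default cipher is BF-CBC when no cipher line is present, and that credentials supplied via a file argument are re-read from that file rather than prompted for again. The sample configs are constructed, not real IPFire files.

```python
"""Check an OpenVPN config for the auth-nocache / renegotiation interaction
discussed in the thread.  Added example for this thread, not IPFire code."""

# OpenSSL names of ciphers with an 8-byte block.  OpenVPN >= 2.3.13 forces
# --reneg-bytes 64000000 for these (SWEET32) unless reneg-bytes is set.
# Assumption: list compiled by hand from OpenSSL's cipher table.
SIXTY_FOUR_BIT_BLOCK_CIPHERS = {
    "BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC",
    "CAST5-CBC", "RC2-CBC", "IDEA-CBC",
}
SWEET32_RENEG_BYTES = 64_000_000
DEFAULT_RENEG_SEC = 3600          # OpenVPN default for --reneg-sec


def parse_config(text):
    """Parse config text into {directive: [arg-list, ...]}.

    Simplified: whole-line comments (# or ;) only, no inline <ca>...</ca>
    blocks, no quoting.  Enough for the directives checked below.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = line.split()
        cfg.setdefault(tokens[0], []).append(tokens[1:])
    return cfg


def analyse(text, default_cipher="BF-CBC"):
    """Return what the config implies for credential caching and rekeying.

    default_cipher is OpenVPN's pre-NCP default when no 'cipher' line exists
    (assumption, see lead-in).
    """
    cfg = parse_config(text)
    auth_nocache = "auth-nocache" in cfg
    # Assumption: credentials given via a file argument are re-read from that
    # file, so only argument-less auth-user-pass/askpass directives lead to a
    # new interactive prompt after the cached copy was purged.
    interactive = any(
        not args for d in ("auth-user-pass", "askpass") for args in cfg.get(d, [])
    )
    cipher = (cfg["cipher"][-1][0] if cfg.get("cipher") else default_cipher).upper()
    sweet32 = cipher in SIXTY_FOUR_BIT_BLOCK_CIPHERS
    if cfg.get("reneg-bytes"):
        reneg_bytes = int(cfg["reneg-bytes"][-1][0])   # explicit setting wins
    elif sweet32:
        reneg_bytes = SWEET32_RENEG_BYTES              # forced by OpenVPN
    else:
        reneg_bytes = 0                                # byte-triggered rekey off
    reneg_sec = int(cfg["reneg-sec"][-1][0]) if cfg.get("reneg-sec") else DEFAULT_RENEG_SEC
    reprompt = auth_nocache and interactive

    warnings = []
    if not auth_nocache:
        warnings.append("OpenVPN 2.4 logs 'this configuration may cache passwords "
                        "in memory' at startup; add auth-nocache")
    if reprompt:
        period = "every %d s" % reneg_sec
        if reneg_bytes:
            period += " or every %d MB" % (reneg_bytes // 1_000_000)
        warnings.append("auth-nocache with interactive credentials: user must "
                        "re-enter them on each renegotiation (%s)" % period)
    if sweet32:
        warnings.append("%s uses a 64-bit block; SWEET32 mitigation rekeys every "
                        "64 MB, consider AES-GCM" % cipher)
    return {
        "auth_nocache": auth_nocache, "interactive_credentials": interactive,
        "cipher": cipher, "reneg_bytes": reneg_bytes, "reneg_sec": reneg_sec,
        "reprompt_on_reneg": reprompt, "warnings": warnings,
    }


# Constructed samples (not real IPFire files).
IPFIRE_STYLE_SERVER = """
# certificate-only server, roughly the shape of a WUI-generated config
port 1194
proto udp
dev tun
ca ca.pem
cert server.pem
key server.key
cipher AES-256-CBC
auth SHA256
"""

MANUAL_PASSWORD_CLIENT = """
; hand-edited client using user/password on an old cipher
client
dev tun
remote vpn.example.org 1194
auth-user-pass
auth-nocache
cipher BF-CBC
"""

if __name__ == "__main__":
    for name, cfg in (("ipfire-style server", IPFIRE_STYLE_SERVER),
                      ("manual password client", MANUAL_PASSWORD_CLIENT)):
        result = analyse(cfg)
        print(name, "->", result["cipher"], "reneg-bytes", result["reneg_bytes"])
        for w in result["warnings"]:
            print("  -", w)
```

Run it against a real server.conf.local or client.conf.local to see which of the two outcomes applies: a certificate-only config only ever gets the cosmetic caching warning, while a password config on BF-CBC gets the 64 MB re-prompt that Erik describes.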
Thread overview (24+ messages):
2018-01-30 16:38 [PATCH] OpenVPN: Update to version 2.4.4 Erik Kapfer
2018-01-30 20:00 ` Michael Tremer
2018-02-02 6:34 ` [PATCH] CRL updater: Update script for OpenVPN CRL Erik Kapfer
2018-02-02 10:51 ` Michael Tremer
2018-02-02 19:19 ` ummeegge
2018-02-03 20:20 ` ummeegge
2018-02-06 0:44 ` Michael Tremer
2018-02-06 9:24 ` ummeegge
2018-02-06 16:34 ` Michael Tremer
2018-02-06 20:09 ` [PATCH v2] CRL updater: Update script for OpenVPNs CRL Erik Kapfer
2018-02-06 21:45 ` Michael Tremer
2018-02-07 17:31 ` Erik Kapfer
2018-02-11 22:25 ` Michael Tremer
2018-02-13 6:02 ` ummeegge
2018-02-13 6:07 ` Horace Michael
2018-02-13 10:00 ` ummeegge
2018-02-13 14:21 ` Horace Michael [this message]
2018-02-14 14:09 ` ummeegge
2018-02-13 13:13 ` ummeegge
2018-02-14 12:22 ` Michael Tremer
2018-02-14 13:24 ` ummeegge
2018-02-14 20:27 ` Michael Tremer
2018-02-15 6:18 ` ummeegge
2018-02-15 11:05 ` Michael Tremer