From: Horace Michael <horace.michael@gmx.com>
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] CRL updater: Update script for OpenVPNs CRL
Date: Tue, 13 Feb 2018 16:21:33 +0200
Message-ID: <308F9A2C-5BD2-4DAB-AF11-FE5EC375E232@gmx.com>
In-Reply-To: <1518516012.11931.1.camel@ipfire.org>
List-Id: <development.lists.ipfire.org>

Hi Erik,

On February 13, 2018 12:00:12 PM GMT+02:00, ummeegge <ummeegge(a)ipfire.org> wrote:
>Hi Michael,
>
>Am Dienstag, den 13.02.2018, 08:07 +0200 schrieb Horace Michael:
>>
>> Please consider adding auth-nocache as well, in order to get rid of the
>> warnings about caching credentials.
>
>just to bear in mind, if we set auth-nocache and a user/password
>authentication has been configured manually by the user (IPFire does not
>provide this currently), there is the need to authenticate again after
>a session key has expired.

If an IPFire user manually changed the standard configuration of OpenVPN and
added password authentication, then he/she should also assume the impact -
entering the credentials on key renewal, or changing the config and removing
the --auth-nocache directive.

>
>With OpenVPN-2.3.13 and above the rekeying is managed by '--reneg-
>bytes 64000000' (after 64 MB data transfer) if 64-bit block ciphers are
>used, which IPFire does provide at this time.
>
>So by the usage of an old deprecated configuration (old ciphers) and a
>faster and heavily loaded connection there is the need to authenticate
>every few minutes.
>
>This warning does not look so nice, but in regular configurations, which
>have been made via the WUI, it is useless since there is no user/password
>authentication currently available.
>

Indeed, it is just a warning - no problem for the tunnel being established. But
it is a warning that might be wrongly understood - who knows what "credentials"
the user will think of, and the overall image the user has of IPFire security
will be poor...

>If someone has configured it manually (in most cases via
>server{client}.conf.local, I think), it is also possible there to set
>'--auth-nocache' for each configuration individually if needed?
>
>Just some thoughts from here.
>
>Greetings,
>
>Erik

--
Horace Michael (aka H&M)
Please excuse my typos and brevity. Sent from a Smartphone.

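As an added illustration of the interplay this thread discusses between --auth-nocache, manual user/password authentication and the 64 MB rekeying of 64-bit block ciphers (example code written here, not IPFire or OpenVPN code): a small Python checker that reads an OpenVPN config and reports what --auth-nocache would mean for it. The set of 64-bit block cipher names and the BF-CBC fallback when no 'cipher' line is present are assumptions.

```python
# Added example (not IPFire or OpenVPN code): check what --auth-nocache means
# for a given OpenVPN config, following the reasoning in the thread above.
from typing import Dict, List

# Assumption: these cipher names have a 64-bit block size. Per the thread,
# OpenVPN 2.3.13+ renegotiates such sessions after 64 MB (--reneg-bytes).
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}
DEFAULT_RENEG_BYTES = 64_000_000
FALLBACK_CIPHER = "BF-CBC"  # assumption: historical OpenVPN default when 'cipher' is unset

def parse_config(text: str) -> Dict[str, List[str]]:
    """Parse OpenVPN config lines into {directive: [args]}, dropping # and ; comments."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        opts[key.lstrip("-")] = args  # accept both 'cipher' and '--cipher'
    return opts

def check_auth_nocache(text: str) -> List[str]:
    """Return findings about credential caching and how often a rekey would prompt."""
    opts = parse_config(text)
    findings: List[str] = []
    cipher = (opts.get("cipher") or [FALLBACK_CIPHER])[0].upper()
    if "auth-nocache" not in opts:
        findings.append("auth-nocache missing: OpenVPN warns the config may cache passwords in memory")
    if "auth-user-pass" in opts and "auth-nocache" in opts:
        if cipher in SMALL_BLOCK_CIPHERS:
            reneg = int((opts.get("reneg-bytes") or [DEFAULT_RENEG_BYTES])[0])
            findings.append(f"auth-nocache with {cipher}: credentials must be re-entered every {reneg} bytes")
        else:
            findings.append("auth-nocache with user/password auth: credentials must be re-entered on each rekey")
    if cipher in SMALL_BLOCK_CIPHERS:
        findings.append(f"{cipher} has a 64-bit block size; prefer a modern cipher such as AES-256-GCM")
    return findings

# Constructed sample resembling a manually edited server.conf.local
SAMPLE_CONFIG = """
cipher BF-CBC          # old 64-bit block cipher
auth-user-pass         # manual user/password authentication
auth-nocache           ; do not cache credentials in memory
"""

if __name__ == "__main__":
    for finding in check_auth_nocache(SAMPLE_CONFIG):
        print("-", finding)
```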