Hi Erik,
On February 13, 2018 12:00:12 PM GMT+02:00, ummeegge <ummeegge@ipfire.org> wrote:
Hi Michael,
On Tuesday, 13.02.2018, 08:07 +0200, Horace Michael wrote:
Please consider adding auth-nocache as well, in order to get rid of the warnings about caching credentials.
Just bear in mind: if we set auth-nocache and user/password authentication has been configured manually by the user (IPFire does not provide this currently), there is the need to authenticate again after a session key has expired.
If an IPFire user manually changed the standard configuration of OpenVPN and added password authentication, then he/she should also assume the impact - entering the credentials on key renewal, or changing the config and removing the --auth-nocache directive.
With OpenVPN-2.3.13 and above the rekeying is managed by '--reneg-bytes 64000000' (after 64 MB of data transfer) if 64-bit block ciphers are used, which IPFire does provide at this time.
So with an old, deprecated configuration (old ciphers) and a fast, heavily loaded connection, there is the need to authenticate every few minutes.
This warning does not look so nice, but in regular configurations, which have been made via the WUI, it is useless since there is no user/password authentication currently available.
Indeed, it is just a warning - no problem for the tunnel being established. But it is a warning that might be misunderstood - who knows what "credentials" the user will think of, and the user's overall impression of IPFire security will be poor...
If someone has configured it manually (in most cases via server{client}.conf.local, I think), is it also possible there to set '--auth-nocache' for each configuration individually, if needed?
Just some thoughts from here.
Greetings,
Erik
--
Horace Michael (aka H&M)
Please excuse my typos and brevity. Sent from a Smartphone.
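To make the interaction discussed in this thread concrete, here is an added example (not IPFire or OpenVPN code) that audits a client config for the three things Erik and Horace talk about: a 64-bit block cipher triggering the 64 MB rekey, auth-nocache combined with auth-user-pass forcing a re-prompt at every rekey, and auth-nocache without any user/password auth doing nothing but silencing the warning. The sample configs, the cipher-prefix list and the helper names are assumptions constructed for the example.

```python
"""Audit an OpenVPN config for the auth-nocache / rekey interaction.

Added illustration, not IPFire code.  Assumes a plain-text config with
one directive per line, as written to server{client}.conf.local.
"""

# Cipher families with a 64-bit block size.  OpenVPN 2.3.13+ caps the
# data-channel key lifetime for these at 64 MB (--reneg-bytes 64000000).
SMALL_BLOCK_CIPHERS = ("BF-", "DES-", "CAST5-", "IDEA-", "RC2-")
RENEG_BYTES_DEFAULT = 64_000_000


def parse_config(text):
    """Return {directive: [args...]}; later occurrences override earlier ones."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if line:
            parts = line.split()
            directives[parts[0].lstrip("-")] = parts[1:]  # '--auth-nocache' == 'auth-nocache'
    return directives


def audit(text):
    """Summarise cipher, effective reneg-bytes and credential handling."""
    d = parse_config(text)
    cipher = (d.get("cipher") or ["BF-CBC"])[0].upper()  # BF-CBC was the historical default
    small_block = cipher.startswith(SMALL_BLOCK_CIPHERS)
    if "reneg-bytes" in d:
        reneg_bytes = int(d["reneg-bytes"][0])
    else:
        reneg_bytes = RENEG_BYTES_DEFAULT if small_block else 0  # 0: no byte-based rekey
    userpass, nocache = "auth-user-pass" in d, "auth-nocache" in d
    findings = []
    if small_block:
        findings.append(f"{cipher} has a 64-bit block: rekey every {reneg_bytes // 1_000_000} MB")
    if userpass and nocache:
        findings.append("auth-nocache + auth-user-pass: credentials re-prompted at every rekey")
    elif userpass:
        findings.append("auth-user-pass without auth-nocache: password stays cached in memory")
    elif nocache:
        findings.append("auth-nocache only silences the caching warning: no user/password auth here")
    return {"cipher": cipher, "reneg_bytes": reneg_bytes, "findings": findings}


def seconds_between_rekeys(reneg_bytes, mbit_per_s):
    """Rekey interval on a link saturated at mbit_per_s, or None if not byte-based."""
    if reneg_bytes <= 0:
        return None
    return reneg_bytes / (mbit_per_s * 1e6 / 8)


# Constructed sample configs: a hand-edited legacy client and a WUI-style client.
LEGACY_CLIENT = "client\ndev tun\ncipher BF-CBC\nauth-user-pass\n--auth-nocache\n"
WUI_CLIENT = "client\ndev tun\ncipher AES-256-CBC\nauth-nocache  # added by hand\n"
```

Running `audit(LEGACY_CLIENT)` reports the 64 MB rekey and the re-prompt; `seconds_between_rekeys(64_000_000, 2)` shows that a saturated 2 Mbit/s link rekeys (and re-prompts) roughly every four minutes.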