Opened 3 weeks ago

Closed 3 weeks ago

#1304 closed Bug / Defect (fixed)

Make printing a key in the log verb 5 or 6 not verb 4

Reported by: tincantech
Owned by: Antonio
Priority: critical
Milestone: release 2.5
Component: Generic / unclassified
Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: log verb privacy
Cc:

Description


Change History (5)

comment:1 Changed 3 weeks ago by tincantech

Openvpn --verb 4 is the recommended --verb setting to debug general user problems. Having openvpn output the entire contents of all user private keys while running at --verb 4 is therefore a considerable threat to privacy, especially for an inexperienced user. Also, the Openvpn Forum is not ready for such a threat to user privacy.

Having openvpn process output private keys to logs at any --verb is probably not good practice but I leave that decision to the Dev team.

Last edited 3 weeks ago by tincantech

comment:2 Changed 3 weeks ago by Gert Döring

Owner: set to Antonio
Status: new → assigned

This is fallout of the "inline" orgy

21:38 < wiscii> 2020-07-17 15:33:08 us=916310   priv_key_file = '-----BEGIN 
                PRIVATE KEY-----

while "referencing regular key files" is fine

2020-07-17 21:39:25 us=861830   priv_key_file = '/home/openvpn-keys/cron2-freebsd-tc-amd64.key'

comment:3 Changed 3 weeks ago by Gert Döring

Milestone: release 2.5
Priority: major → critical
Type: Feature Wish → Bug / Defect
Version: OpenVPN git master branch (Community Ed)

comment:4 Changed 3 weeks ago by Antonio

patch is on the mailing list: "[PATCH] options: don't leak inline'd key material in logfile"

comment:5 Changed 3 weeks ago by Gert Döring

Resolution: fixed
Status: assigned → closed

commit 19fab1f6cf71715f84d09d6a8b49698b0ae42cd1 (HEAD -> master, stable/master, mattock/master, gitlab/master, github/master)
Author: Antonio Quartulli <a@…>
Date: Fri Jul 17 23:28:20 2020 +0200

options: don't leak inline'd key material in logfile

committed & pushed

thanks!
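
A check for logs captured with an affected build before they are shared, as an added example that is not part of the ticket or of OpenVPN's code: it replaces any PEM private-key block in a log with a placeholder and reports where each one started. The first two sample lines are the ones quoted in comment:2; the key body, the END line and the multi-line layout are constructed assumptions, and only PEM "PRIVATE KEY" headers are covered.

```python
import re

# Start of a PEM private-key block (PKCS#8, RSA/EC, encrypted variants).
BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----")
PLACEHOLDER = "[REDACTED PRIVATE KEY]"


def redact_private_keys(lines):
    """Return (clean_lines, findings) for an iterable of log lines.

    findings holds (line_number, key_label) for every block found.
    A block with no END marker is redacted to the end of the input,
    so a truncated log cannot leak a partial key.
    """
    clean, findings = [], []
    end_marker = None  # set while we are inside a key block
    for number, line in enumerate(lines, start=1):
        line = line.rstrip("\n")
        if end_marker is not None:
            pos = line.find(end_marker)
            if pos != -1:  # keep whatever follows the END marker
                clean[-1] += line[pos + len(end_marker):]
                end_marker = None
            continue  # key body lines are dropped entirely
        match = BEGIN.search(line)
        if match is None:
            clean.append(line)
            continue
        findings.append((number, match.group(1)))
        end_marker = "-----END %s-----" % match.group(1)
        head, tail = line[:match.start()] + PLACEHOLDER, line[match.end():]
        pos = tail.find(end_marker)
        if pos != -1:  # whole block sits on one line
            head += tail[pos + len(end_marker):]
            end_marker = None
        clean.append(head)
    return clean, findings


# Lines 1-2 are quoted in the ticket; lines 3-5 are constructed sample data.
SAMPLE_LOG = [
    "2020-07-17 21:39:25 us=861830   priv_key_file = '/home/openvpn-keys/cron2-freebsd-tc-amd64.key'",
    "2020-07-17 15:33:08 us=916310   priv_key_file = '-----BEGIN PRIVATE KEY-----",
    "CONSTRUCTEDSAMPLENOTAREALKEY",
    "-----END PRIVATE KEY-----",
    "'",
]

if __name__ == "__main__":
    cleaned, found = redact_private_keys(SAMPLE_LOG)
    print("\n".join(cleaned))
    print("key blocks found:", found)
```

A non-empty findings list means the log contained key material, so the key should be treated as exposed wherever the unredacted log has already been copied.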
