Opened 4 years ago
Last modified 2 years ago
#1336 assigned Bug / Defect
AUTH_FAILED is not DDOS resilient
| Reported by: | tct | Owned by: | nobody |
|---|---|---|---|
| Priority: | major | Milestone: | release 2.6 |
| Component: | Generic / unclassified | Version: | OpenVPN 2.5.0 (Community Ed) |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
| Cc: | tct, plaisthos | | |
Description
Using a default client config:
    dev tun
    windows-driver wintun
    nobind
    client
    config easytls.conf # Certs/keys
    remote-cert-tls server
    verb 4
    remote 10.10.101.101 34571
    # One with and one without the user/pass
    auth-user-pass userpass.txt
The client sends the wrong password:
The server rejects this client on account of AUTH_FAILED. This is pushed back to the client and the client restarts in 5 seconds. (DDOS)
--connect-retry does not affect this failure and the client always restarts in 5 seconds.
The client does not send user/pass
If the client fails to push a username+password then the client fails to connect but the server does not respond AUTH_FAILED and the client waits for the expected TLS handshake time-out.
Eventually, the client backs off as per --connect-retry defaults.
Logs below (note: times):
- Client sends wrong user/pass, receives AUTH_FAILED (DDOS)
- Continuation snip showing 5 second restart
- Client does not send user/pass and receives nothing
- Server log showing hammering
- Server log when the client does not send user/pass
Client log - receives AUTH_FAILED (DDOS)
    2020-10-11 20:15:28 us=411379 OpenVPN 2.5_rc2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 30 2020
    2020-10-11 20:15:28 us=411379 Windows version 6.1 (Windows 7) 32bit
    2020-10-11 20:15:28 us=411379 library versions: OpenSSL 1.1.1h 22 Sep 2020, LZO 2.10
    Enter Management Password:
    2020-10-11 20:15:28 us=411379 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    2020-10-11 20:15:28 us=411379 Need hold release from management interface, waiting...
    2020-10-11 20:15:28 us=880129 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    2020-10-11 20:15:28 us=989504 MANAGEMENT: CMD 'state on'
    2020-10-11 20:15:28 us=989504 MANAGEMENT: CMD 'log all on'
    2020-10-11 20:15:29 us=286379 MANAGEMENT: CMD 'echo all on'
    2020-10-11 20:15:29 us=302004 MANAGEMENT: CMD 'bytecount 5'
    2020-10-11 20:15:29 us=302004 MANAGEMENT: CMD 'hold off'
    2020-10-11 20:15:29 us=302004 MANAGEMENT: CMD 'hold release'
    2020-10-11 20:15:29 us=317629 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    2020-10-11 20:15:29 us=317629 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    2020-10-11 20:15:29 us=317629 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    2020-10-11 20:15:29 us=317629 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    2020-10-11 20:15:29 us=317629 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
    2020-10-11 20:15:29 us=317629 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
    2020-10-11 20:15:29 us=317629 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-client'
    2020-10-11 20:15:29 us=317629 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server'
    2020-10-11 20:15:29 us=317629 TCP/UDP: Preserving recently used remote address: [AF_INET]10.10.101.101:34571
    2020-10-11 20:15:29 us=317629 Socket Buffers: R=[8192->8192] S=[8192->8192]
    2020-10-11 20:15:29 us=317629 UDP link local: (not bound)
    2020-10-11 20:15:29 us=317629 UDP link remote: [AF_INET]10.10.101.101:34571
    2020-10-11 20:15:29 us=317629 MANAGEMENT: >STATE:1602443729,WAIT,,,,,,
    2020-10-11 20:15:29 us=380129 MANAGEMENT: >STATE:1602443729,AUTH,,,,,,
    2020-10-11 20:15:29 us=380129 TLS: Initial packet from [AF_INET]10.10.101.101:34571, sid=cb26395e ef50663f
    2020-10-11 20:15:29 us=380129 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    2020-10-11 20:15:29 us=395754 VERIFY KU OK
    2020-10-11 20:15:29 us=395754 Validating certificate extended key usage
    2020-10-11 20:15:29 us=395754 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    2020-10-11 20:15:29 us=395754 VERIFY EKU OK
    2020-10-11 20:15:29 us=395754 VERIFY OK: depth=0, CN=s01
    2020-10-11 20:15:29 us=427004 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
    2020-10-11 20:15:29 us=427004 [s01] Peer Connection Initiated with [AF_INET]10.10.101.101:34571
    2020-10-11 20:15:30 us=583254 MANAGEMENT: >STATE:1602443730,GET_CONFIG,,,,,,
    2020-10-11 20:15:30 us=583254 SENT CONTROL [s01]: 'PUSH_REQUEST' (status=1)
    2020-10-11 20:15:30 us=583254 AUTH: Received control message: AUTH_FAILED
    2020-10-11 20:15:30 us=583254 TCP/UDP: Closing socket
    2020-10-11 20:15:30 us=583254 SIGUSR1[soft,auth-failure] received, process restarting
    2020-10-11 20:15:30 us=583254 MANAGEMENT: >STATE:1602443730,RECONNECTING,auth-failure,,,,,
    2020-10-11 20:15:30 us=583254 Restart pause, 5 second(s)
This goes on and on:
    2020-10-11 20:17:22 us=520754 Restart pause, 5 second(s)
    2020-10-11 20:17:27 us=520754 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    2020-10-11 20:17:27 us=520754 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    2020-10-11 20:17:27 us=520754 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    2020-10-11 20:17:27 us=520754 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    2020-10-11 20:17:27 us=520754 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
    2020-10-11 20:17:27 us=520754 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
    2020-10-11 20:17:27 us=520754 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-client'
    2020-10-11 20:17:27 us=520754 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server'
    2020-10-11 20:17:27 us=520754 TCP/UDP: Preserving recently used remote address: [AF_INET]10.10.101.101:34571
    2020-10-11 20:17:27 us=520754 Socket Buffers: R=[8192->8192] S=[8192->8192]
    2020-10-11 20:17:27 us=520754 UDP link local: (not bound)
    2020-10-11 20:17:27 us=520754 UDP link remote: [AF_INET]10.10.101.101:34571
    2020-10-11 20:17:27 us=520754 MANAGEMENT: >STATE:1602443847,WAIT,,,,,,
    2020-10-11 20:17:27 us=614504 MANAGEMENT: >STATE:1602443847,AUTH,,,,,,
    2020-10-11 20:17:27 us=614504 TLS: Initial packet from [AF_INET]10.10.101.101:34571, sid=bb537965 8ff299f1
    2020-10-11 20:17:27 us=630129 VERIFY KU OK
    2020-10-11 20:17:27 us=630129 Validating certificate extended key usage
    2020-10-11 20:17:27 us=630129 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    2020-10-11 20:17:27 us=630129 VERIFY EKU OK
    2020-10-11 20:17:27 us=630129 VERIFY OK: depth=0, CN=s01
    2020-10-11 20:17:27 us=692629 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
    2020-10-11 20:17:27 us=692629 [s01] Peer Connection Initiated with [AF_INET]10.10.101.101:34571
    2020-10-11 20:17:28 us=723879 MANAGEMENT: >STATE:1602443848,GET_CONFIG,,,,,,
    2020-10-11 20:17:28 us=723879 SENT CONTROL [s01]: 'PUSH_REQUEST' (status=1)
    2020-10-11 20:17:28 us=723879 AUTH: Received control message: AUTH_FAILED
    2020-10-11 20:17:28 us=723879 TCP/UDP: Closing socket
    2020-10-11 20:17:28 us=723879 SIGUSR1[soft,auth-failure] received, process restarting
    2020-10-11 20:17:28 us=723879 MANAGEMENT: >STATE:1602443848,RECONNECTING,auth-failure,,,,,
    2020-10-11 20:17:28 us=723879 Restart pause, 5 second(s)
    2020-10-11 20:17:32 us=723879 SIGTERM[hard,init_instance] received, process exiting
    2020-10-11 20:17:32 us=723879 MANAGEMENT: >STATE:1602443852,EXITING,init_instance,,,,,
Client log waits for TLS handshake:
    Sun Oct 11 20:07:00 2020 OpenVPN 2.5_rc2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 30 2020
    Sun Oct 11 20:07:00 2020 Windows version 6.1 (Windows 7) 32bit
    Sun Oct 11 20:07:00 2020 library versions: OpenSSL 1.1.1h 22 Sep 2020, LZO 2.10
    Sun Oct 11 20:07:00 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Sun Oct 11 20:07:00 2020 Need hold release from management interface, waiting...
    Sun Oct 11 20:07:01 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Sun Oct 11 20:07:01 2020 MANAGEMENT: CMD 'state on'
    Sun Oct 11 20:07:01 2020 MANAGEMENT: CMD 'log all on'
    Sun Oct 11 20:07:01 2020 MANAGEMENT: CMD 'echo all on'
    Sun Oct 11 20:07:01 2020 MANAGEMENT: CMD 'bytecount 5'
    Sun Oct 11 20:07:01 2020 MANAGEMENT: CMD 'hold off'
    Sun Oct 11 20:07:01 2020 MANAGEMENT: CMD 'hold release'
    Sun Oct 11 20:07:01 2020 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    Sun Oct 11 20:07:01 2020 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    Sun Oct 11 20:07:01 2020 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    Sun Oct 11 20:07:01 2020 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    Sun Oct 11 20:07:01 2020 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
    Sun Oct 11 20:07:01 2020 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
    Sun Oct 11 20:07:01 2020 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-client'
    Sun Oct 11 20:07:01 2020 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server'
    Sun Oct 11 20:07:01 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]10.10.101.101:34571
    Sun Oct 11 20:07:01 2020 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Sun Oct 11 20:07:01 2020 UDP link local: (not bound)
    Sun Oct 11 20:07:01 2020 UDP link remote: [AF_INET]10.10.101.101:34571
    Sun Oct 11 20:07:01 2020 MANAGEMENT: >STATE:1602443221,WAIT,,,,,,
    Sun Oct 11 20:07:01 2020 MANAGEMENT: >STATE:1602443221,AUTH,,,,,,
    Sun Oct 11 20:07:01 2020 TLS: Initial packet from [AF_INET]10.10.101.101:34571, sid=acd4374d 3676ee51
    Sun Oct 11 20:07:01 2020 VERIFY KU OK
    Sun Oct 11 20:07:01 2020 Validating certificate extended key usage
    Sun Oct 11 20:07:01 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Sun Oct 11 20:07:01 2020 VERIFY EKU OK
    Sun Oct 11 20:07:01 2020 VERIFY OK: depth=0, CN=s01
    Sun Oct 11 20:08:01 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sun Oct 11 20:08:01 2020 TLS Error: TLS handshake failed
    Sun Oct 11 20:08:01 2020 TCP/UDP: Closing socket
    Sun Oct 11 20:08:01 2020 SIGUSR1[soft,tls-error] received, process restarting
    Sun Oct 11 20:08:01 2020 MANAGEMENT: >STATE:1602443281,RECONNECTING,tls-error,,,,,
    Sun Oct 11 20:08:01 2020 Restart pause, 5 second(s)
    Sun Oct 11 20:08:06 2020 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Server log showing hammering; also note the client was able to send --explicit-exit-notify (looks like it did):
    2020-10-11 20:17:27 us=470623 MULTI: multi_create_instance called
    2020-10-11 20:17:27 us=470859 10.10.201.107:51782 Re-using SSL/TLS context
    2020-10-11 20:17:27 us=471068 10.10.201.107:51782 tls-crypt-v2 server key: Cipher 'AES-256-CTR' initialized with 256 bit key
    2020-10-11 20:17:27 us=471447 10.10.201.107:51782 tls-crypt-v2 server key: Using 256 bit message hash 'SHA256' for HMAC authentication
    2020-10-11 20:17:27 us=471788 10.10.201.107:51782 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
    2020-10-11 20:17:27 us=472055 10.10.201.107:51782 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
    2020-10-11 20:17:27 us=472246 10.10.201.107:51782 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server'
    2020-10-11 20:17:27 us=472452 10.10.201.107:51782 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-client'
    2020-10-11 20:17:27 us=472631 10.10.201.107:51782 TLS: Initial packet from [AF_INET]10.10.201.107:51782, sid=99dfa143 100c9c53
    2020-10-11 20:17:27 us=472734 10.10.201.107:51782 Control Channel: using tls-crypt-v2 key
    2020-10-11 20:17:27 us=472852 10.10.201.107:51782 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    2020-10-11 20:17:27 us=472950 10.10.201.107:51782 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    2020-10-11 20:17:27 us=473037 10.10.201.107:51782 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    2020-10-11 20:17:27 us=473073 10.10.201.107:51782 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    <EXOK> * TLS-crypt-v2-verify (index) ==> easytls OK ==> custom_group tincantech OK ==> Key age 0 days OK ==> identity OK ==> Enabled OK ==> Client certificate is recognised and Valid: 5E80D99E6EBB48C8C7E7FB5987AD1EF3 cw01
    2020-10-11 20:17:27 us=557125 10.10.201.107:51782 TLS CRYPT V2 VERIFY SCRIPT OK
    2020-10-11 20:17:27 us=623270 10.10.201.107:51782 VERIFY OK: depth=1, CN=easytls
    2020-10-11 20:17:27 us=624391 10.10.201.107:51782 VERIFY OK: depth=0, CN=cw01
    2020-10-11 20:17:27 us=624828 10.10.201.107:51782 peer info: IV_VER=2.5_rc2
    2020-10-11 20:17:27 us=624876 10.10.201.107:51782 peer info: IV_PLAT=win
    2020-10-11 20:17:27 us=624909 10.10.201.107:51782 peer info: IV_PROTO=6
    2020-10-11 20:17:27 us=624934 10.10.201.107:51782 peer info: IV_NCP=2
    2020-10-11 20:17:27 us=624959 10.10.201.107:51782 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
    2020-10-11 20:17:27 us=624977 10.10.201.107:51782 peer info: IV_LZ4=1
    2020-10-11 20:17:27 us=624997 10.10.201.107:51782 peer info: IV_LZ4v2=1
    2020-10-11 20:17:27 us=625013 10.10.201.107:51782 peer info: IV_LZO=1
    2020-10-11 20:17:27 us=625029 10.10.201.107:51782 peer info: IV_COMP_STUB=1
    2020-10-11 20:17:27 us=625045 10.10.201.107:51782 peer info: IV_COMP_STUBv2=1
    2020-10-11 20:17:27 us=625061 10.10.201.107:51782 peer info: IV_TCPNL=1
    2020-10-11 20:17:27 us=625076 10.10.201.107:51782 peer info: IV_HWADDR=08:00:27:10:b8:d0
    2020-10-11 20:17:27 us=625094 10.10.201.107:51782 peer info: IV_SSL=OpenSSL_1.1.1h__22_Sep_2020
    2020-10-11 20:17:27 us=625110 10.10.201.107:51782 peer info: IV_PLAT_VER=6.1_32bit
    2020-10-11 20:17:27 us=625125 10.10.201.107:51782 peer info: IV_GUI_VER=OpenVPN_GUI_11
    NO-NO-NO
    2020-10-11 20:17:27 us=636464 10.10.201.107:51782 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
    2020-10-11 20:17:27 us=636561 10.10.201.107:51782 TLS Auth Error: Auth Username/Password verification failed for peer
    2020-10-11 20:17:27 us=650336 10.10.201.107:51782 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
    2020-10-11 20:17:27 us=650482 10.10.201.107:51782 [cw01] Peer Connection Initiated with [AF_INET]10.10.201.107:51782
    2020-10-11 20:17:27 us=895839 10.10.201.107:51781 SIGTERM[soft,delayed-exit] received, client-instance exiting
    2020-10-11 20:17:28 us=672267 10.10.201.107:51782 PUSH: Received control message: 'PUSH_REQUEST'
    2020-10-11 20:17:28 us=672308 10.10.201.107:51782 Delayed exit in 5 seconds
    2020-10-11 20:17:28 us=672424 10.10.201.107:51782 SENT CONTROL [cw01]: 'AUTH_FAILED' (status=1)
    2020-10-11 20:17:33 us=877372 10.10.201.107:51782 SIGTERM[soft,delayed-exit] received, client-instance exiting
Server log when the client does not send user/pass:
    2020-10-11 20:07:01 us=409459 MULTI: multi_create_instance called
    2020-10-11 20:07:01 us=409499 10.10.201.107:57110 Re-using SSL/TLS context
    2020-10-11 20:07:01 us=409536 10.10.201.107:57110 tls-crypt-v2 server key: Cipher 'AES-256-CTR' initialized with 256 bit key
    2020-10-11 20:07:01 us=409558 10.10.201.107:57110 tls-crypt-v2 server key: Using 256 bit message hash 'SHA256' for HMAC authentication
    2020-10-11 20:07:01 us=409624 10.10.201.107:57110 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
    2020-10-11 20:07:01 us=409642 10.10.201.107:57110 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
    2020-10-11 20:07:01 us=409687 10.10.201.107:57110 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server'
    2020-10-11 20:07:01 us=409705 10.10.201.107:57110 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-client'
    2020-10-11 20:07:01 us=409744 10.10.201.107:57110 TLS: Initial packet from [AF_INET]10.10.201.107:57110, sid=5cda270d 0cb021ad
    2020-10-11 20:07:01 us=409758 10.10.201.107:57110 Control Channel: using tls-crypt-v2 key
    2020-10-11 20:07:01 us=409788 10.10.201.107:57110 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    2020-10-11 20:07:01 us=409805 10.10.201.107:57110 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    2020-10-11 20:07:01 us=409818 10.10.201.107:57110 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    2020-10-11 20:07:01 us=409836 10.10.201.107:57110 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    <EXOK> * TLS-crypt-v2-verify (index) ==> easytls OK ==> custom_group tincantech OK ==> Key age 0 days OK ==> identity OK ==> Enabled OK ==> Client certificate is recognised and Valid: 5E80D99E6EBB48C8C7E7FB5987AD1EF3 cw01
    2020-10-11 20:07:01 us=431426 10.10.201.107:57110 TLS CRYPT V2 VERIFY SCRIPT OK
    2020-10-11 20:07:01 us=461498 10.10.201.107:57110 VERIFY OK: depth=1, CN=easytls
    2020-10-11 20:07:01 us=461646 10.10.201.107:57110 VERIFY OK: depth=0, CN=cw01
    2020-10-11 20:07:01 us=462062 10.10.201.107:57110 peer info: IV_VER=2.5_rc2
    2020-10-11 20:07:01 us=462117 10.10.201.107:57110 peer info: IV_PLAT=win
    2020-10-11 20:07:01 us=462141 10.10.201.107:57110 peer info: IV_PROTO=6
    2020-10-11 20:07:01 us=462164 10.10.201.107:57110 peer info: IV_NCP=2
    2020-10-11 20:07:01 us=462187 10.10.201.107:57110 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
    2020-10-11 20:07:01 us=462208 10.10.201.107:57110 peer info: IV_LZ4=1
    2020-10-11 20:07:01 us=462224 10.10.201.107:57110 peer info: IV_LZ4v2=1
    2020-10-11 20:07:01 us=462239 10.10.201.107:57110 peer info: IV_LZO=1
    2020-10-11 20:07:01 us=462251 10.10.201.107:57110 peer info: IV_COMP_STUB=1
    2020-10-11 20:07:01 us=462263 10.10.201.107:57110 peer info: IV_COMP_STUBv2=1
    2020-10-11 20:07:01 us=462285 10.10.201.107:57110 peer info: IV_TCPNL=1
    2020-10-11 20:07:01 us=462313 10.10.201.107:57110 peer info: IV_HWADDR=08:00:27:10:b8:d0
    2020-10-11 20:07:01 us=462343 10.10.201.107:57110 peer info: IV_SSL=OpenSSL_1.1.1h__22_Sep_2020
    2020-10-11 20:07:01 us=462357 10.10.201.107:57110 peer info: IV_PLAT_VER=6.1_32bit
    2020-10-11 20:07:01 us=462369 10.10.201.107:57110 peer info: IV_GUI_VER=OpenVPN_GUI_11
    2020-10-11 20:07:01 us=462384 10.10.201.107:57110 TLS Error: Auth Username/Password was not provided by peer
    2020-10-11 20:07:01 us=462396 10.10.201.107:57110 TLS Error: TLS handshake failed
    2020-10-11 20:07:01 us=462497 10.10.201.107:57110 SIGUSR1[soft,tls-error] received, client-instance restarting
    2020-10-11 20:08:06 us=519418 Control Channel: using tls-crypt-v2 key
    2020-10-11 20:08:06 us=519513 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    2020-10-11 20:08:06 us=519553 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    2020-10-11 20:08:06 us=519578 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    2020-10-11 20:08:06 us=519605 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    2020-10-11 20:08:06 us=519659 MULTI: multi_create_instance called
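The server-side symptom in the report is a single source address producing a `SENT CONTROL [...]: 'AUTH_FAILED'` line every few seconds, on a new source port each time. The following detection script is an added example written for this page, not part of the ticket or of OpenVPN: it parses lines in the server log format shown above and flags any peer address whose AUTH_FAILED count inside a sliding window reaches a threshold. The sample log text is constructed for the example and modelled on the format above; the window size and threshold are assumptions to tune per deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the server log format in this ticket: a client
# that fails password auth every ~7 s (5 s restart pause + handshake), plus an
# unrelated single failure from another address. Not a real capture.
SAMPLE_SERVER_LOG = """\
2020-10-11 20:17:27 us=636561 10.10.201.107:51782 TLS Auth Error: Auth Username/Password verification failed for peer
2020-10-11 20:17:28 us=672267 10.10.201.107:51782 PUSH: Received control message: 'PUSH_REQUEST'
2020-10-11 20:17:28 us=672424 10.10.201.107:51782 SENT CONTROL [cw01]: 'AUTH_FAILED' (status=1)
2020-10-11 20:17:35 us=672424 10.10.201.107:51783 SENT CONTROL [cw01]: 'AUTH_FAILED' (status=1)
2020-10-11 20:17:42 us=672424 10.10.201.107:51784 SENT CONTROL [cw01]: 'AUTH_FAILED' (status=1)
2020-10-11 20:17:49 us=672424 10.10.201.107:51785 SENT CONTROL [cw01]: 'AUTH_FAILED' (status=1)
2020-10-11 20:20:03 us=118822 10.10.201.50:41002 SENT CONTROL [cw02]: 'AUTH_FAILED' (status=1)
2020-10-11 20:20:09 us=001000 10.10.201.50:41002 SIGTERM[soft,delayed-exit] received, client-instance exiting
"""

# Matches only the line on which the server pushes AUTH_FAILED back to the client.
AUTH_FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) us=(?P<us>\d+) "
    r"(?P<ip>[\d.]+):(?P<port>\d+) SENT CONTROL \[(?P<cn>[^\]]+)\]: 'AUTH_FAILED'"
)


def parse_auth_failures(log_text):
    """Return a time-sorted list of (timestamp, peer_ip, common_name) for every
    AUTH_FAILED the server sent. The source port is dropped on purpose: the client
    opens a new UDP port on each restart, so the address is the stable key."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ts += timedelta(microseconds=int(m["us"]))
        events.append((ts, m["ip"], m["cn"]))
    events.sort()
    return events


def find_hammering(events, window_s=60, threshold=3):
    """Return {peer_ip: (max_failures_in_any_window, min_gap_seconds)} for peers
    whose AUTH_FAILED count within any window_s-second sliding window reaches
    threshold. Both parameters are assumed tuning values, not OpenVPN settings."""
    by_ip = defaultdict(list)
    for ts, ip, _cn in events:
        by_ip[ip].append(ts)

    offenders = {}
    for ip, times in by_ip.items():
        best, start = 0, 0
        for end in range(len(times)):
            # slide the window start forward until it spans at most window_s
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            offenders[ip] = (best, min(gaps))
    return offenders


if __name__ == "__main__":
    hits = find_hammering(parse_auth_failures(SAMPLE_SERVER_LOG))
    for ip, (count, gap) in hits.items():
        print(f"{ip}: {count} AUTH_FAILED in one 60 s window, shortest gap {gap:.1f} s")
```

On the constructed sample this reports 10.10.201.107 (four failures seven seconds apart) and ignores 10.10.201.50, which failed once. The key point for the detector is the first line of `parse_auth_failures`: match on the `SENT CONTROL ... 'AUTH_FAILED'` line rather than on `TLS Auth Error`, because the former is the one message the server has already decided to push to the client.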
Change History (8)
comment:1 Changed 4 years ago by
Cc: tct added
comment:2 Changed 4 years ago by
Version: OpenVPN 2.4.5 (Community Ed) → OpenVPN 2.5.0 (Community Ed)
comment:3 Changed 4 years ago by
comment:4 Changed 4 years ago by
Milestone: → release 2.6
Yeah, having "wrong username + password in a *file*" is really something that wants exponential backoff.
"Interactive" it does not make sense to add delay, as the timing constant is a human typing things in...
Someone needs to dive into the reconnect logic and figure out where these two cases ("real connection failure" and "AUTH_FAIL" diverge wrt timing)
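The two timing behaviours this comment contrasts can be put side by side in a small model. The block below is an added example for this page, not OpenVPN's reconnect code: `connect_retry_schedule` follows the rule the OpenVPN manual gives for `--connect-retry n [max]` (wait n seconds, and after 5 unsuccessful attempts to the same remote double the wait each time, capped at max, default 300), and `auth_failed_schedule` is the fixed "Restart pause, 5 second(s)" the client log above shows after every AUTH_FAILED. The model assumes a single `remote`, and ignores the roughly one second each handshake takes, so the counts are slightly high for both cases.

```python
def connect_retry_schedule(attempts, base=5, maximum=300, slow_after=5):
    """Seconds to wait before each of `attempts` reconnects under --connect-retry
    as the manual describes it: `base` seconds for the first `slow_after`
    attempts, then doubling per attempt, capped at `maximum`. This is a model of
    the documented rule, not OpenVPN's implementation."""
    waits = []
    for i in range(attempts):
        if i < slow_after:
            waits.append(base)
        else:
            waits.append(min(base * 2 ** (i - slow_after + 1), maximum))
    return waits


def auth_failed_schedule(attempts, pause=5):
    """The restart timing the ticket reports for AUTH_FAILED: a fixed pause
    before every reconnect, regardless of how many have already failed."""
    return [pause] * attempts


def attempts_within(waits, seconds):
    """Number of reconnect attempts a client makes within `seconds` of wall time
    when it sleeps `waits[i]` seconds before attempt i (handshake time ignored)."""
    elapsed = 0
    count = 0
    for w in waits:
        elapsed += w
        if elapsed > seconds:
            break
        count += 1
    return count


def compare(hours=1):
    """Reconnects per `hours` against a server that keeps answering AUTH_FAILED,
    for the fixed pause versus the --connect-retry back-off."""
    horizon = hours * 3600
    # generate more waits than can possibly fit in the horizon
    budget = horizon // 5 + 1
    return {
        "auth_failed_fixed_pause": attempts_within(auth_failed_schedule(budget), horizon),
        "connect_retry_backoff": attempts_within(connect_retry_schedule(budget), horizon),
    }


if __name__ == "__main__":
    print(connect_retry_schedule(12))
    print(compare(hours=1))
```

With the defaults the back-off reaches its 300-second cap on the eleventh attempt, so a client with a stale password file would hit the server about 20 times in the first hour instead of 720 times, which is the difference the comment is asking someone to track down in the reconnect logic.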
comment:5 Changed 4 years ago by
Cc: plaisthos added
comment:6 Changed 3 years ago by
My initial report has been addressed. When the client fails to AUTH, due to incorrect password, the client is terminated.
Edit: Need to double check this ..
A reasonably thorough test shows that if the client fails at password AUTH then the server always sends AUTH_FAILED and the client terminates gracefully.
Circumstances regarding systemd or Windows Services notwithstanding, I think this can be closed. Awaiting proper approval because I'm not 100% sure.
comment:7 Changed 3 years ago by
Owner: set to Gert Döring
Status: new → assigned
comment:8 Changed 2 years ago by
Owner: changed from Gert Döring to nobody
Whether or not the client fails on AUTH_FAILED depends on --auth-retry nointeract being set (which is non-default). So it still makes sense to have good retry behaviour then.
Related: #1348