Opened 4 months ago

Last modified 2 weeks ago

#1458 new Bug / Defect

Warn when config uses tls-auth without auth

Reported by: mvglasow Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.4.0 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc: plaisthos, tct

Description

When the client configuration (presumably also the server configuration, though I have not tested this) specifies tls-auth to indicate the system expects additional HMAC authentication, but auth is not given, connection attempts may silently fail because the TLS handshake times out on the client side, while the server rejects the handshake because the HMAC signature does not match.

I have not figured out what effect omitting auth has: will it disable HMAC authentication altogether, or will it fall back to a default algorithm for HMAC?

Either way, it would have saved me a lot of debugging time if there was a warning in place for such scenarios. For example, when tls-auth without auth is specified, a message similar to the following could be shown:

WARNING: tls-auth specified without setting auth; disabling HMAC authentication/falling back to FOO for HMAC authentication

That would give the user an idea that there is something amiss with their configuration, rather than letting them figure out why HMAC authentication fails despite being (apparently) set up correctly. (I ran into this one and figured out just by accident and through trial and error what the issue was.)

Change History (3)

comment:1 Changed 5 weeks ago by Gert Döring

Cc: plaisthos added

If not contained in the config, auth sha1 is the default, so unless you set it differently - or use an OpenSSL 3.0.x build without legacy provider - I can't really see how this would be happening.

What versions are you using on client and server ("openvpn --version", so we can also see the SSL libraries)?

I strongly hope you are not using 2.4.0 as you selected in the ticket dropdown... because that is so ancient that we pretend it does not exist.

comment:2 Changed 5 weeks ago by plaisthos

Even OpenSSL without legacy provider will do SHA1 just fine. I also cannot even find that warning in our source code. I vaguely remember that we had a bug that you could combine auth none and tls-auth and that would effectively silently disable tls-auth.
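A small config lint for the two combinations discussed in the description and in comment:2 (tls-auth without auth, and auth none together with tls-auth), as an added example that is not OpenVPN's own code. It takes "auth sha1 is the default" from comment:1; the warning wording, the parser and the sample configs are this example's own.

```python
"""Lint an OpenVPN config for the tls-auth / auth combinations from ticket #1458.

Added example, not OpenVPN's code.  Facts taken from the ticket: `auth sha1`
is the default when `auth` is absent (comment:1); `auth none` combined with
`tls-auth` effectively disables the HMAC (comment:2).  Warning text is ours.
"""
import re

_INLINE_OPEN = re.compile(r"^<([a-z0-9-]+)>$")  # e.g. <tls-auth> inline file block


def parse_openvpn_config(text):
    """Return {directive: [args]} for top-level directives, skipping comments
    and the contents of inline <tag>...</tag> blocks (which hold key material,
    not directives)."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                              # inside an inline file block
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":         # blank line or comment
            continue
        m = _INLINE_OPEN.match(line)
        if m:                                   # start of an inline block
            inline = m.group(1)
            opts[inline] = ["[inline]"]
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts


def lint_tls_auth(text):
    """Return a list of warnings for tls-auth used without a usable auth."""
    opts = parse_openvpn_config(text)
    if "tls-auth" not in opts:
        return []
    auth = opts.get("auth")
    if auth is None:
        return ["WARNING: tls-auth specified without auth; HMAC falls back to "
                "the default (sha1), make sure the peer uses the same"]
    if auth and auth[0].lower() == "none":
        return ["WARNING: 'auth none' combined with tls-auth effectively "
                "disables the tls-auth HMAC"]
    return []


if __name__ == "__main__":
    # Constructed sample: the reporter's scenario, tls-auth given but no auth.
    SAMPLE = "client\nremote vpn.example.invalid 1194\ntls-auth ta.key 1\n"
    for w in lint_tls_auth(SAMPLE):
        print(w)
```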

comment:3 Changed 2 weeks ago by tct

Cc: tct added