Opened 11 months ago

Closed 2 months ago

#1458 closed Feature Wish (wontfix)

Warn when config uses tls-auth without auth

Reported by: mvglasow Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.4.0 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc: plaisthos, tct

Description

When the client configuration (presumably also the server configuration, though I have not tested this) specifies tls-auth to indicate the system expects additional HMAC authentication, but auth is not given, connection attempts may silently fail because the TLS handshake times out on the client side, while the server rejects the handshake because the HMAC signature does not match.

I have not figured out what effect omitting auth has: will it disable HMAC authentication altogether, or will it fall back to a default algorithm for HMAC?

Either way, it would have solved me a lot of debugging time if there was a warning in place for such scenarios. For example, when tls-auth wothout auth is specified, a message similar to the following could be shown:

WARNING: tls-auth specified without setting auth; disabling HMAC authentication/falling back to FOO for HMAC authentication

That would give the user an idea that there is something amiss with their configuration, rather then letting him figure out why HMAC authentication fails despite being (apparently) set up correctly. (I ran into this one and figured out just by accident and through try-and-error what the issue was.)

Change History (4)

comment:1 Changed 8 months ago by Gert Döring

Cc: plaisthos added

If not contained in the config, auth sha1 is the default, so unless you set it differently - or use an OpenSSL 3.0.x build without legacy provider - I can't really see how this would be happening.

What versions are you using on client and server ("openvpn --version", so we can also see the SSL libraries)?

I strongly hope you are not using 2.4.0 as you selected in the ticket dropdown... because that is so ancient that we pretend it does not exist.

comment:2 Changed 8 months ago by plaisthos

Even OpenSSL without legacy provider will do SHA1 just fine. I also cannot even find that warning in our source code. I vaguely remember that we had a bug that you could combine auth none and tls-auth and that would effectively silently disable tls-auth.

comment:3 Changed 8 months ago by tct

Cc: tct added

comment:4 Changed 2 months ago by Gert Döring

Resolution: wontfix
Status: newclosed
Type: Bug / DefectFeature Wish

Closing this, as "no response for 6 months".

(And yes, --auth affects the algorithm used for --tls-auth, which is a bit confusing, especially when not using --auth otherwise. With AEAD ciphers, the best recommendation here is "do not put --auth or --cipher into your config and let OpenVPN handle things in a good way")

Note: See TracTickets for help on using tickets.