Opened 2 years ago

Last modified 2 years ago

#1463 reopened Bug / Defect

Script security warnings - Revisit code and decide WARN or Note ?

Reported by: tct Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version:
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

OpenVPN 2.5.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 16 2022

Config:

script-security 3
up up.sh
down down.sh

Log (verb 4):

2022-04-19 12:42:44 us=119164 WARNING: file '/etc/openvpn/tunc_55111u/pki/ta.key' is group or others accessible
2022-04-19 12:42:44 us=119231 WARNING: file '/etc/openvpn/userpass.txt' is group or others accessible
2022-04-19 12:42:44 us=119257 Current Parameter Settings:
2022-04-19 12:42:44 us=119272   config = 'tunc_55111u.conf'
2022-04-19 12:42:44 us=119288   mode = 0
2022-04-19 12:42:44 us=119303   persist_config = DISABLED
2022-04-19 12:42:44 us=119318   persist_mode = 1
2022-04-19 12:42:44 us=119333   show_ciphers = DISABLED
2022-04-19 12:42:44 us=119347   show_digests = DISABLED
2022-04-19 12:42:44 us=119360   show_engines = DISABLED
2022-04-19 12:42:44 us=119377   genkey = DISABLED
2022-04-19 12:42:44 us=119391   genkey_filename = '[UNDEF]'
2022-04-19 12:42:44 us=119405   key_pass_file = '[UNDEF]'
2022-04-19 12:42:44 us=119420   show_tls_ciphers = DISABLED
2022-04-19 12:42:44 us=119437   connect_retry_max = 0
2022-04-19 12:42:44 us=119451 Connection profiles [0]:
2022-04-19 12:42:44 us=119468   proto = tcp-client
2022-04-19 12:42:44 us=119483   local = '[UNDEF]'
2022-04-19 12:42:44 us=119497   local_port = '[UNDEF]'
2022-04-19 12:42:44 us=119512   remote = '10.1.101.226'
2022-04-19 12:42:44 us=119527   remote_port = '55111'
2022-04-19 12:42:44 us=119542   remote_float = DISABLED
2022-04-19 12:42:44 us=119556   bind_defined = DISABLED
2022-04-19 12:42:44 us=119572   bind_local = DISABLED
2022-04-19 12:42:44 us=119586   bind_ipv6_only = DISABLED
2022-04-19 12:42:44 us=119602   connect_retry_seconds = 10
2022-04-19 12:42:44 us=119615   connect_timeout = 20
2022-04-19 12:42:44 us=119631   socks_proxy_server = '[UNDEF]'
2022-04-19 12:42:44 us=119645   socks_proxy_port = '[UNDEF]'
2022-04-19 12:42:44 us=119661   tun_mtu = 1500
2022-04-19 12:42:44 us=119675   tun_mtu_defined = ENABLED
2022-04-19 12:42:44 us=119690   link_mtu = 1500
2022-04-19 12:42:44 us=119703   link_mtu_defined = DISABLED
2022-04-19 12:42:44 us=119720   tun_mtu_extra = 0
2022-04-19 12:42:44 us=119733   tun_mtu_extra_defined = DISABLED
2022-04-19 12:42:44 us=119749   mtu_discover_type = -1
2022-04-19 12:42:44 us=119763   fragment = 0
2022-04-19 12:42:44 us=119779   mssfix = 1450
2022-04-19 12:42:44 us=119793   explicit_exit_notification = 0
2022-04-19 12:42:44 us=119807   tls_auth_file = '/etc/openvpn/tunc_55111u/pki/ta.key'
2022-04-19 12:42:44 us=119823   key_direction = 1
2022-04-19 12:42:44 us=119837   tls_crypt_file = '[UNDEF]'
2022-04-19 12:42:44 us=119851   tls_crypt_v2_file = '[UNDEF]'
2022-04-19 12:42:44 us=119867 Connection profiles END
2022-04-19 12:42:44 us=119880   remote_random = DISABLED
2022-04-19 12:42:44 us=119896   ipchange = '[UNDEF]'
2022-04-19 12:42:44 us=119910   dev = 'tunc55111'
2022-04-19 12:42:44 us=119924   dev_type = '[UNDEF]'
2022-04-19 12:42:44 us=119940   dev_node = '[UNDEF]'
2022-04-19 12:42:44 us=119954   lladdr = '[UNDEF]'
2022-04-19 12:42:44 us=119970   topology = 1
2022-04-19 12:42:44 us=119984   ifconfig_local = '[UNDEF]'
2022-04-19 12:42:44 us=119999   ifconfig_remote_netmask = '[UNDEF]'
2022-04-19 12:42:44 us=120013   ifconfig_noexec = DISABLED
2022-04-19 12:42:44 us=120028   ifconfig_nowarn = DISABLED
2022-04-19 12:42:44 us=120042   ifconfig_ipv6_local = '[UNDEF]'
2022-04-19 12:42:44 us=120058   ifconfig_ipv6_netbits = 0
2022-04-19 12:42:44 us=120072   ifconfig_ipv6_remote = '[UNDEF]'
2022-04-19 12:42:44 us=120087   shaper = 0
2022-04-19 12:42:44 us=120101   mtu_test = 0
2022-04-19 12:42:44 us=120117   mlock = DISABLED
2022-04-19 12:42:44 us=120131   keepalive_ping = 0
2022-04-19 12:42:44 us=120146   keepalive_timeout = 0
2022-04-19 12:42:44 us=120160   inactivity_timeout = 0
2022-04-19 12:42:44 us=120176   inactivity_minimum_bytes = 0
2022-04-19 12:42:44 us=120190   ping_send_timeout = 0
2022-04-19 12:42:44 us=120205   ping_rec_timeout = 0
2022-04-19 12:42:44 us=120220   ping_rec_timeout_action = 0
2022-04-19 12:42:44 us=120235   ping_timer_remote = ENABLED
2022-04-19 12:42:44 us=120249   remap_sigusr1 = 0
2022-04-19 12:42:44 us=120264   persist_tun = DISABLED
2022-04-19 12:42:44 us=120278   persist_local_ip = DISABLED
2022-04-19 12:42:44 us=120293   persist_remote_ip = DISABLED
2022-04-19 12:42:44 us=120307   persist_key = DISABLED
2022-04-19 12:42:44 us=120323   passtos = DISABLED
2022-04-19 12:42:44 us=120337   resolve_retry_seconds = 1000000000
2022-04-19 12:42:44 us=120352   resolve_in_advance = DISABLED
2022-04-19 12:42:44 us=120367   username = '[UNDEF]'
2022-04-19 12:42:44 us=120382   groupname = '[UNDEF]'
2022-04-19 12:42:44 us=120396   chroot_dir = '[UNDEF]'
2022-04-19 12:42:44 us=120411   cd_dir = '[UNDEF]'
2022-04-19 12:42:44 us=120425   writepid = '[UNDEF]'
2022-04-19 12:42:44 us=120441   up_script = 'up.sh'
2022-04-19 12:42:44 us=120455   down_script = 'down.sh'
2022-04-19 12:42:44 us=120470   down_pre = DISABLED
2022-04-19 12:42:44 us=120484   up_restart = DISABLED
2022-04-19 12:42:44 us=120499   up_delay = DISABLED
2022-04-19 12:42:44 us=120513   daemon = DISABLED
2022-04-19 12:42:44 us=120529   inetd = 0
2022-04-19 12:42:44 us=120542   log = DISABLED
2022-04-19 12:42:44 us=120557   suppress_timestamps = DISABLED
2022-04-19 12:42:44 us=120571   machine_readable_output = DISABLED
2022-04-19 12:42:44 us=120586   nice = 0
2022-04-19 12:42:44 us=120600   verbosity = 4
2022-04-19 12:42:44 us=120616   mute = 0
2022-04-19 12:42:44 us=120629   gremlin = 0
2022-04-19 12:42:44 us=120644   status_file = '[UNDEF]'
2022-04-19 12:42:44 us=120658   status_file_version = 1
2022-04-19 12:42:44 us=120674   status_file_update_freq = 60
2022-04-19 12:42:44 us=120688   occ = ENABLED
2022-04-19 12:42:44 us=120704   rcvbuf = 0
2022-04-19 12:42:44 us=120717   sndbuf = 0
2022-04-19 12:42:44 us=120732   mark = 0
2022-04-19 12:42:44 us=120746   sockflags = 0
2022-04-19 12:42:44 us=120761   fast_io = DISABLED
2022-04-19 12:42:44 us=120775   comp.alg = 1
2022-04-19 12:42:44 us=120791   comp.flags = 0
2022-04-19 12:42:44 us=120805   route_script = '[UNDEF]'
2022-04-19 12:42:44 us=120829   route_default_gateway = '[UNDEF]'
2022-04-19 12:42:44 us=120848   route_default_metric = 0
2022-04-19 12:42:44 us=120862   route_noexec = DISABLED
2022-04-19 12:42:44 us=120877   route_delay = 0
2022-04-19 12:42:44 us=120891   route_delay_window = 30
2022-04-19 12:42:44 us=120907   route_delay_defined = DISABLED
2022-04-19 12:42:44 us=120921   route_nopull = DISABLED
2022-04-19 12:42:44 us=120935   route_gateway_via_dhcp = DISABLED
2022-04-19 12:42:44 us=120951   allow_pull_fqdn = DISABLED
2022-04-19 12:42:44 us=120965   Pull filters:
2022-04-19 12:42:44 us=120981     ignore "route 192.168."
2022-04-19 12:42:44 us=120995   management_addr = '[UNDEF]'
2022-04-19 12:42:44 us=121011   management_port = '[UNDEF]'
2022-04-19 12:42:44 us=121026   management_user_pass = '[UNDEF]'
2022-04-19 12:42:44 us=121042   management_log_history_cache = 250
2022-04-19 12:42:44 us=121056   management_echo_buffer_size = 100
2022-04-19 12:42:44 us=121070   management_write_peer_info_file = '[UNDEF]'
2022-04-19 12:42:44 us=121087   management_client_user = '[UNDEF]'
2022-04-19 12:42:44 us=121103   management_client_group = '[UNDEF]'
2022-04-19 12:42:44 us=121117   management_flags = 0
2022-04-19 12:42:44 us=121132   shared_secret_file = '[UNDEF]'
2022-04-19 12:42:44 us=121146   key_direction = 1
2022-04-19 12:42:44 us=121164   ciphername = 'AES-256-GCM'
2022-04-19 12:42:44 us=121180   ncp_enabled = ENABLED
2022-04-19 12:42:44 us=121194   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2022-04-19 12:42:44 us=121209   authname = 'SHA1'
2022-04-19 12:42:44 us=121225   prng_hash = 'SHA1'
2022-04-19 12:42:44 us=121240   prng_nonce_secret_len = 16
2022-04-19 12:42:44 us=121254   keysize = 0
2022-04-19 12:42:44 us=121270   engine = DISABLED
2022-04-19 12:42:44 us=121284   replay = ENABLED
2022-04-19 12:42:44 us=121298   mute_replay_warnings = DISABLED
2022-04-19 12:42:44 us=121315   replay_window = 64
2022-04-19 12:42:44 us=121329   replay_time = 15
2022-04-19 12:42:44 us=121345   packet_id_file = '[UNDEF]'
2022-04-19 12:42:44 us=121359   test_crypto = DISABLED
2022-04-19 12:42:44 us=121376   tls_server = DISABLED
2022-04-19 12:42:44 us=121391   tls_client = ENABLED
2022-04-19 12:42:44 us=121407   ca_file = '[INLINE]'
2022-04-19 12:42:44 us=121421   ca_path = '[UNDEF]'
2022-04-19 12:42:44 us=121438   dh_file = '[UNDEF]'
2022-04-19 12:42:44 us=121454   cert_file = '[INLINE]'
2022-04-19 12:42:44 us=121469   extra_certs_file = '[UNDEF]'
2022-04-19 12:42:44 us=121485   priv_key_file = '[INLINE]'
2022-04-19 12:42:44 us=121499   pkcs12_file = '[UNDEF]'
2022-04-19 12:42:44 us=121514   cipher_list = '[UNDEF]'
2022-04-19 12:42:44 us=121528   cipher_list_tls13 = '[UNDEF]'
2022-04-19 12:42:44 us=121544   tls_cert_profile = '[UNDEF]'
2022-04-19 12:42:44 us=121558   tls_verify = '[UNDEF]'
2022-04-19 12:42:44 us=121574   tls_export_cert = '[UNDEF]'
2022-04-19 12:42:44 us=121588   verify_x509_type = 2
2022-04-19 12:42:44 us=121604   verify_x509_name = 'v303.tct.secp384r1.s01'
2022-04-19 12:42:44 us=121618   crl_file = '[UNDEF]'
2022-04-19 12:42:44 us=121632   ns_cert_type = 0
2022-04-19 12:42:44 us=121648   remote_cert_ku[i] = 65535
2022-04-19 12:42:44 us=121662   remote_cert_ku[i] = 0
2022-04-19 12:42:44 us=121678   remote_cert_ku[i] = 0
2022-04-19 12:42:44 us=121692   remote_cert_ku[i] = 0
2022-04-19 12:42:44 us=121708   remote_cert_ku[i] = 0
2022-04-19 12:42:44 us=121722   remote_cert_ku[i] = 0
2022-04-19 12:42:44 us=121736   remote_cert_ku[i] = 0
2022-04-19 12:42:44 us=121751   remote_cert_ku[i] = 0
2022-04-19 12:42:44 us=121765   remote_cert_ku[i] = 0
2022-04-19 12:42:44 us=121779   remote_cert_ku[i] = 0
2022-04-19 12:42:44 us=121793   remote_cert_ku[i] = 0
2022-04-19 12:42:44 us=121807   remote_cert_ku[i] = 0
2022-04-19 12:42:44 us=121822   remote_cert_ku[i] = 0
2022-04-19 12:42:44 us=121836   remote_cert_ku[i] = 0
2022-04-19 12:42:44 us=121850   remote_cert_ku[i] = 0
2022-04-19 12:42:44 us=121864   remote_cert_ku[i] = 0
2022-04-19 12:42:44 us=121879   remote_cert_eku = 'TLS Web Server Authentication'
2022-04-19 12:42:44 us=121894   ssl_flags = 3264
2022-04-19 12:42:44 us=121908   tls_timeout = 10
2022-04-19 12:42:44 us=121922   renegotiate_bytes = -1
2022-04-19 12:42:44 us=121936   renegotiate_packets = 0
2022-04-19 12:42:44 us=121951   renegotiate_seconds = 0
2022-04-19 12:42:44 us=121965   handshake_window = 60
2022-04-19 12:42:44 us=121979   transition_window = 3600
2022-04-19 12:42:44 us=121993   single_session = DISABLED
2022-04-19 12:42:44 us=122007   push_peer_info = ENABLED
2022-04-19 12:42:44 us=122021   tls_exit = DISABLED
2022-04-19 12:42:44 us=122035   tls_crypt_v2_metadata = '[UNDEF]'
2022-04-19 12:42:44 us=122049   pkcs11_protected_authentication = DISABLED
2022-04-19 12:42:44 us=122063   pkcs11_protected_authentication = DISABLED
2022-04-19 12:42:44 us=122077   pkcs11_protected_authentication = DISABLED
2022-04-19 12:42:44 us=122093   pkcs11_protected_authentication = DISABLED
2022-04-19 12:42:44 us=122106   pkcs11_protected_authentication = DISABLED
2022-04-19 12:42:44 us=122121   pkcs11_protected_authentication = DISABLED
2022-04-19 12:42:44 us=122135   pkcs11_protected_authentication = DISABLED
2022-04-19 12:42:44 us=122149   pkcs11_protected_authentication = DISABLED
2022-04-19 12:42:44 us=122164   pkcs11_protected_authentication = DISABLED
2022-04-19 12:42:44 us=122178   pkcs11_protected_authentication = DISABLED
2022-04-19 12:42:44 us=122192   pkcs11_protected_authentication = DISABLED
2022-04-19 12:42:44 us=122206   pkcs11_protected_authentication = DISABLED
2022-04-19 12:42:44 us=122221   pkcs11_protected_authentication = DISABLED
2022-04-19 12:42:44 us=122234   pkcs11_protected_authentication = DISABLED
2022-04-19 12:42:44 us=122249   pkcs11_protected_authentication = DISABLED
2022-04-19 12:42:44 us=122263   pkcs11_protected_authentication = DISABLED
2022-04-19 12:42:44 us=122278   pkcs11_private_mode = 00000000
2022-04-19 12:42:44 us=122292   pkcs11_private_mode = 00000000
2022-04-19 12:42:44 us=122306   pkcs11_private_mode = 00000000
2022-04-19 12:42:44 us=122321   pkcs11_private_mode = 00000000
2022-04-19 12:42:44 us=122335   pkcs11_private_mode = 00000000
2022-04-19 12:42:44 us=122349   pkcs11_private_mode = 00000000
2022-04-19 12:42:44 us=122364   pkcs11_private_mode = 00000000
2022-04-19 12:42:44 us=122378   pkcs11_private_mode = 00000000
2022-04-19 12:42:44 us=122392   pkcs11_private_mode = 00000000
2022-04-19 12:42:44 us=122406   pkcs11_private_mode = 00000000
2022-04-19 12:42:44 us=122421   pkcs11_private_mode = 00000000
2022-04-19 12:42:44 us=122435   pkcs11_private_mode = 00000000
2022-04-19 12:42:44 us=122449   pkcs11_private_mode = 00000000
2022-04-19 12:42:44 us=122463   pkcs11_private_mode = 00000000
2022-04-19 12:42:44 us=122477   pkcs11_private_mode = 00000000
2022-04-19 12:42:44 us=122491   pkcs11_private_mode = 00000000
2022-04-19 12:42:44 us=122505   pkcs11_cert_private = DISABLED
2022-04-19 12:42:44 us=122519   pkcs11_cert_private = DISABLED
2022-04-19 12:42:44 us=122533   pkcs11_cert_private = DISABLED
2022-04-19 12:42:44 us=122548   pkcs11_cert_private = DISABLED
2022-04-19 12:42:44 us=122562   pkcs11_cert_private = DISABLED
2022-04-19 12:42:44 us=122575   pkcs11_cert_private = DISABLED
2022-04-19 12:42:44 us=122589   pkcs11_cert_private = DISABLED
2022-04-19 12:42:44 us=122603   pkcs11_cert_private = DISABLED
2022-04-19 12:42:44 us=122618   pkcs11_cert_private = DISABLED
2022-04-19 12:42:44 us=122632   pkcs11_cert_private = DISABLED
2022-04-19 12:42:44 us=122646   pkcs11_cert_private = DISABLED
2022-04-19 12:42:44 us=122660   pkcs11_cert_private = DISABLED
2022-04-19 12:42:44 us=122674   pkcs11_cert_private = DISABLED
2022-04-19 12:42:44 us=122688   pkcs11_cert_private = DISABLED
2022-04-19 12:42:44 us=122702   pkcs11_cert_private = DISABLED
2022-04-19 12:42:44 us=122716   pkcs11_cert_private = DISABLED
2022-04-19 12:42:44 us=122731   pkcs11_pin_cache_period = -1
2022-04-19 12:42:44 us=122745   pkcs11_id = '[UNDEF]'
2022-04-19 12:42:44 us=122759   pkcs11_id_management = DISABLED
2022-04-19 12:42:44 us=122775   server_network = 0.0.0.0
2022-04-19 12:42:44 us=122790   server_netmask = 0.0.0.0
2022-04-19 12:42:44 us=122811   server_network_ipv6 = ::
2022-04-19 12:42:44 us=122825   server_netbits_ipv6 = 0
2022-04-19 12:42:44 us=122840   server_bridge_ip = 0.0.0.0
2022-04-19 12:42:44 us=122855   server_bridge_netmask = 0.0.0.0
2022-04-19 12:42:44 us=122870   server_bridge_pool_start = 0.0.0.0
2022-04-19 12:42:44 us=122886   server_bridge_pool_end = 0.0.0.0
2022-04-19 12:42:44 us=122899   ifconfig_pool_defined = DISABLED
2022-04-19 12:42:44 us=122919   ifconfig_pool_start = 0.0.0.0
2022-04-19 12:42:44 us=122936   ifconfig_pool_end = 0.0.0.0
2022-04-19 12:42:44 us=122952   ifconfig_pool_netmask = 0.0.0.0
2022-04-19 12:42:44 us=122965   ifconfig_pool_persist_filename = '[UNDEF]'
2022-04-19 12:42:44 us=122981   ifconfig_pool_persist_refresh_freq = 600
2022-04-19 12:42:44 us=122994   ifconfig_ipv6_pool_defined = DISABLED
2022-04-19 12:42:44 us=123010   ifconfig_ipv6_pool_base = ::
2022-04-19 12:42:44 us=123025   ifconfig_ipv6_pool_netbits = 0
2022-04-19 12:42:44 us=123039   n_bcast_buf = 256
2022-04-19 12:42:44 us=123053   tcp_queue_limit = 64
2022-04-19 12:42:44 us=123067   real_hash_size = 256
2022-04-19 12:42:44 us=123082   virtual_hash_size = 256
2022-04-19 12:42:44 us=123096   client_connect_script = '[UNDEF]'
2022-04-19 12:42:44 us=123110   learn_address_script = '[UNDEF]'
2022-04-19 12:42:44 us=123124   client_disconnect_script = '[UNDEF]'
2022-04-19 12:42:44 us=123139   client_config_dir = '[UNDEF]'
2022-04-19 12:42:44 us=123153   ccd_exclusive = DISABLED
2022-04-19 12:42:44 us=123167   tmp_dir = '/tmp'
2022-04-19 12:42:44 us=123180   push_ifconfig_defined = DISABLED
2022-04-19 12:42:44 us=123196   push_ifconfig_local = 0.0.0.0
2022-04-19 12:42:44 us=123213   push_ifconfig_remote_netmask = 0.0.0.0
2022-04-19 12:42:44 us=123226   push_ifconfig_ipv6_defined = DISABLED
2022-04-19 12:42:44 us=123242   push_ifconfig_ipv6_local = ::/0
2022-04-19 12:42:44 us=123257   push_ifconfig_ipv6_remote = ::
2022-04-19 12:42:44 us=123270   enable_c2c = DISABLED
2022-04-19 12:42:44 us=123285   duplicate_cn = DISABLED
2022-04-19 12:42:44 us=123299   cf_max = 0
2022-04-19 12:42:44 us=123313   cf_per = 0
2022-04-19 12:42:44 us=123327   max_clients = 1024
2022-04-19 12:42:44 us=123341   max_routes_per_client = 256
2022-04-19 12:42:44 us=123355   auth_user_pass_verify_script = '[UNDEF]'
2022-04-19 12:42:44 us=123369   auth_user_pass_verify_script_via_file = DISABLED
2022-04-19 12:42:44 us=123383   auth_token_generate = DISABLED
2022-04-19 12:42:44 us=123398   auth_token_lifetime = 0
2022-04-19 12:42:44 us=123411   auth_token_secret_file = '[UNDEF]'
2022-04-19 12:42:44 us=123425   port_share_host = '[UNDEF]'
2022-04-19 12:42:44 us=123439   port_share_port = '[UNDEF]'
2022-04-19 12:42:44 us=123453   vlan_tagging = DISABLED
2022-04-19 12:42:44 us=123468   vlan_accept = all
2022-04-19 12:42:44 us=123482   vlan_pvid = 1
2022-04-19 12:42:44 us=123496   client = DISABLED
2022-04-19 12:42:44 us=123510   pull = ENABLED
2022-04-19 12:42:44 us=123524   auth_user_pass_file = '/etc/openvpn/userpass.txt'
2022-04-19 12:42:44 us=123540 OpenVPN 2.5.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 16 2022
2022-04-19 12:42:44 us=123562 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
2022-04-19 12:42:44 us=123769 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-04-19 12:42:44 us=125046 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-04-19 12:42:44 us=125072 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-04-19 12:42:44 us=125172 Control Channel MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
2022-04-19 12:42:44 us=125203 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2022-04-19 12:42:44 us=125234 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1552,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
2022-04-19 12:42:44 us=125246 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1552,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
2022-04-19 12:42:44 us=125279 TCP/UDP: Preserving recently used remote address: [AF_INET]10.1.101.226:55111
2022-04-19 12:42:44 us=125325 Socket Buffers: R=[131072->131072] S=[16384->16384]
2022-04-19 12:42:44 us=125343 Attempting to establish TCP connection with [AF_INET]10.1.101.226:55111 [nonblock]
2022-04-19 12:42:44 us=126596 TCP connection established with [AF_INET]10.1.101.226:55111
2022-04-19 12:42:44 us=128261 TCP_CLIENT link local: (not bound)
2022-04-19 12:42:44 us=128302 TCP_CLIENT link remote: [AF_INET]10.1.101.226:55111
2022-04-19 12:42:44 us=129751 TLS: Initial packet from [AF_INET]10.1.101.226:55111, sid=8bde60a3 975cfe65
2022-04-19 12:42:44 us=138821 VERIFY OK: depth=1, C=00, ST=tct, L=home, O=tctnet, OU=tctnet-secp384r1, CN=CA tct-secp384r1, emailAddress=me@home.org
2022-04-19 12:42:44 us=141162 VERIFY KU OK
2022-04-19 12:42:44 us=141202 Validating certificate extended key usage
2022-04-19 12:42:44 us=141216 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-04-19 12:42:44 us=141228 VERIFY EKU OK
2022-04-19 12:42:44 us=141239 VERIFY X509NAME OK: C=00, ST=tct, L=home, O=tctnet, OU=tctnet-secp384r1, CN=v303.tct.secp384r1.s01, emailAddress=me@home.org
2022-04-19 12:42:44 us=141251 VERIFY OK: depth=0, C=00, ST=tct, L=home, O=tctnet, OU=tctnet-secp384r1, CN=v303.tct.secp384r1.s01, emailAddress=me@home.org
2022-04-19 12:42:44 us=160332 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, peer certificate: 384 bit EC, curve secp384r1, signature: ecdsa-with-SHA384
2022-04-19 12:42:44 us=160397 [v303.tct.secp384r1.s01] Peer Connection Initiated with [AF_INET]10.1.101.226:55111
2022-04-19 12:42:44 us=161663 Key [AF_INET]10.1.101.226:55111 [0] not initialized (yet), dropping packet.
2022-04-19 12:42:44 us=205964 PUSH: Received control message: 'PUSH_REPLY,block-ipv6,topology subnet,explicit-exit-notify 3,comp-lzo no,compress,route-gateway 10.55.111.225,topology subnet,route 10.7.39.137,ping 0,ping-restart 0,ping 10,ping-restart 30,ifconfig 10.55.111.254 255.255.255.224,peer-id 0,cipher AES-256-GCM'
2022-04-19 12:42:44 us=206185 OPTIONS IMPORT: timers and/or timeouts modified
2022-04-19 12:42:44 us=206386 OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
2022-04-19 12:42:44 us=206493 OPTIONS IMPORT: compression parms modified
2022-04-19 12:42:44 us=206562 OPTIONS IMPORT: --ifconfig/up options modified
2022-04-19 12:42:44 us=206582 OPTIONS IMPORT: route options modified
2022-04-19 12:42:44 us=206594 OPTIONS IMPORT: route-related options modified
2022-04-19 12:42:44 us=206606 OPTIONS IMPORT: peer-id set
2022-04-19 12:42:44 us=206618 OPTIONS IMPORT: adjusting link_mtu to 1627
2022-04-19 12:42:44 us=206630 OPTIONS IMPORT: data channel crypto options modified
2022-04-19 12:42:44 us=206759 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-04-19 12:42:44 us=206784 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-04-19 12:42:44 us=207009 ROUTE_GATEWAY 10.1.101.1/255.255.255.0 IFACE=enp5s0 HWADDR=24:b6:fd:31:bc:ca
2022-04-19 12:42:44 us=207555 TUN/TAP device tunc55111 opened
2022-04-19 12:42:44 us=207609 do_ifconfig, ipv4=1, ipv6=0
2022-04-19 12:42:44 us=207637 /sbin/ip link set dev tunc55111 up mtu 1500
2022-04-19 12:42:44 us=211074 /sbin/ip link set dev tunc55111 up
2022-04-19 12:42:44 us=214581 /sbin/ip addr add dev tunc55111 10.55.111.254/27
2022-04-19 12:42:44 us=220597 up.sh tunc55111 1500 1627 10.55.111.254 255.255.255.224 init
********
*      *
*  UP  *
*      *
********
2022-04-19 12:42:44 us=221760 /sbin/ip route add 10.7.39.137/32 via 10.55.111.225
2022-04-19 12:42:44 us=223613 Initialization Sequence Completed

Change History (8)

comment:1 Changed 2 years ago by Pippin

Not a "Warning" but a "Note":

2022-04-19 12:42:44 us=123769 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

?

comment:2 in reply to:  1 Changed 2 years ago by tct

Replying to Pippin:

Not a "Warning" but a "Note":

2022-04-19 12:42:44 us=123769 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

?

That is probably another bug:

init.c:            msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
init.c:            msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");

WARNINGS are warnings not NOTES.

Last edited 2 years ago by tct

comment:3 Changed 2 years ago by Gert Döring

Not sure I understand the logic here...

    /* If a script is used, print appropriate warnings */
    if (o->user_script_used)
    {
        if (script_security() >= SSEC_SCRIPTS)
        {
            msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
        }
        else if (script_security() >= SSEC_PW_ENV)
        {
            msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
        }
    }

... but this is really old code, so nothing has "disappeared"... haven't looked more closely why this is what it is, but it seems the sequence of checks is wrong (NOTE for "yeah, scripts", and WARNING for "whee, scripts can see things!")...
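The ordering problem raised in comment:3 can be shown in isolation. The following is an added example written for this page, not OpenVPN's own code: it models the quoted check sequence against the numeric --script-security levels as defined in the OpenVPN source (SSEC_NONE 0, SSEC_BUILT_IN 1, SSEC_SCRIPTS 2, SSEC_PW_ENV 3) and, beside it, a hypothetical reordering that tests the higher level first. The `classify_*` functions and `MSG_*` enum are this example's own names. Since every level that satisfies `>= SSEC_PW_ENV` also satisfies `>= SSEC_SCRIPTS`, the WARNING branch in the quoted order is never reached, which matches the log in the description where `script-security 3` yields only the NOTE.

```c
#include <stdio.h>

/* --script-security levels as defined in OpenVPN's source (values taken from
 * upstream, not invented for this example). */
#define SSEC_NONE      0  /* strictly no calling of external programs */
#define SSEC_BUILT_IN  1  /* only built-ins such as ifconfig and route */
#define SSEC_SCRIPTS   2  /* built-ins plus user-defined scripts */
#define SSEC_PW_ENV    3  /* scripts may also receive passwords via env vars */

/* Which message a given ordering would emit (example's own enum). */
enum script_msg {
    MSG_NONE = 0,   /* nothing printed */
    MSG_NOTE,       /* "NOTE: ... may allow this configuration to call user-defined scripts" */
    MSG_WARNING     /* "WARNING: ... may allow passwords to be passed to scripts via environmental variables" */
};

/* Mirrors the check ordering quoted in comment:3. Because SSEC_PW_ENV is the
 * larger value, any level reaching the else-if already matched the first if,
 * so the WARNING branch is dead code. */
static enum script_msg classify_as_quoted(int level, int user_script_used)
{
    if (!user_script_used) {
        return MSG_NONE;
    }
    if (level >= SSEC_SCRIPTS) {
        return MSG_NOTE;
    } else if (level >= SSEC_PW_ENV) {
        return MSG_WARNING;   /* unreachable under this ordering */
    }
    return MSG_NONE;
}

/* Hypothetical reordering (not an upstream patch): test the stricter,
 * higher-numbered level first so level 3 gets the WARNING and level 2 the NOTE. */
static enum script_msg classify_reordered(int level, int user_script_used)
{
    if (!user_script_used) {
        return MSG_NONE;
    }
    if (level >= SSEC_PW_ENV) {
        return MSG_WARNING;
    } else if (level >= SSEC_SCRIPTS) {
        return MSG_NOTE;
    }
    return MSG_NONE;
}

/* Count the levels in 0..3 for which a given ordering can ever emit the WARNING;
 * 0 for the quoted ordering demonstrates the branch is unreachable. */
static int warning_reachable_levels(enum script_msg (*classify)(int, int))
{
    int n = 0;
    for (int level = SSEC_NONE; level <= SSEC_PW_ENV; level++) {
        if (classify(level, 1) == MSG_WARNING) {
            n++;
        }
    }
    return n;
}

static const char *msg_name(enum script_msg m)
{
    switch (m) {
        case MSG_NOTE:    return "NOTE";
        case MSG_WARNING: return "WARNING";
        default:          return "(nothing)";
    }
}

int main(void)
{
    printf("level  quoted-order  reordered\n");
    for (int level = SSEC_NONE; level <= SSEC_PW_ENV; level++) {
        printf("  %d    %-12s  %s\n", level,
               msg_name(classify_as_quoted(level, 1)),
               msg_name(classify_reordered(level, 1)));
    }
    printf("WARNING reachable for %d level(s) as quoted, %d level(s) reordered\n",
           warning_reachable_levels(classify_as_quoted),
           warning_reachable_levels(classify_reordered));
    return 0;
}
```

Running it prints a four-row table: the quoted ordering emits the NOTE for levels 2 and 3 and never the WARNING, while the reordered variant emits the NOTE at level 2 and the WARNING at level 3.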

comment:4 Changed 2 years ago by tct

The WARNING in the log has disappeared.

Version 0, edited 2 years ago by tct

comment:5 in reply to:  4 Changed 2 years ago by Gert Döring

Replying to tct:

The WARNING for --script-security 3 in the log has disappeared.

Prove by showing an openvpn log with the same config(!) that has it as WARNING. It might have been a different script-security level - as you can see, the WARNING is there, it's just not printed at all levels.

comment:6 in reply to:  description Changed 2 years ago by tct

Resolution: worksforme
Status: new → closed

Replying to tct:

2022-04-19 12:42:44 us=123769 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

I must have some form of log-file blind-spot syndrome .. the warning I was looking for is right there!

Apologies for the noise.

comment:7 Changed 2 years ago by tct

Resolution: worksforme
Status: closed → reopened

Re-opened as requested.

Reminder to take a closer look at calling code ifs

Also, make log message a Warning.

comment:8 Changed 2 years ago by tct

Summary: Script security warning has disappeared → Script security warnings - Revisit code and decide WARN or Note ?