Opened 2 years ago
Last modified 2 years ago
#1463 reopened Bug / Defect
Script security warnings - Revisit code and decide WARN or Note ?
Reported by: | tct | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Generic / unclassified | Version: | |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: |
Description
OpenVPN 2.5.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 16 2022
Config:
```
script-security 3
up up.sh
down down.sh
```
Log (verb 4):
2022-04-19 12:42:44 us=119164 WARNING: file '/etc/openvpn/tunc_55111u/pki/ta.key' is group or others accessible 2022-04-19 12:42:44 us=119231 WARNING: file '/etc/openvpn/userpass.txt' is group or others accessible 2022-04-19 12:42:44 us=119257 Current Parameter Settings: 2022-04-19 12:42:44 us=119272 config = 'tunc_55111u.conf' 2022-04-19 12:42:44 us=119288 mode = 0 2022-04-19 12:42:44 us=119303 persist_config = DISABLED 2022-04-19 12:42:44 us=119318 persist_mode = 1 2022-04-19 12:42:44 us=119333 show_ciphers = DISABLED 2022-04-19 12:42:44 us=119347 show_digests = DISABLED 2022-04-19 12:42:44 us=119360 show_engines = DISABLED 2022-04-19 12:42:44 us=119377 genkey = DISABLED 2022-04-19 12:42:44 us=119391 genkey_filename = '[UNDEF]' 2022-04-19 12:42:44 us=119405 key_pass_file = '[UNDEF]' 2022-04-19 12:42:44 us=119420 show_tls_ciphers = DISABLED 2022-04-19 12:42:44 us=119437 connect_retry_max = 0 2022-04-19 12:42:44 us=119451 Connection profiles [0]: 2022-04-19 12:42:44 us=119468 proto = tcp-client 2022-04-19 12:42:44 us=119483 local = '[UNDEF]' 2022-04-19 12:42:44 us=119497 local_port = '[UNDEF]' 2022-04-19 12:42:44 us=119512 remote = '10.1.101.226' 2022-04-19 12:42:44 us=119527 remote_port = '55111' 2022-04-19 12:42:44 us=119542 remote_float = DISABLED 2022-04-19 12:42:44 us=119556 bind_defined = DISABLED 2022-04-19 12:42:44 us=119572 bind_local = DISABLED 2022-04-19 12:42:44 us=119586 bind_ipv6_only = DISABLED 2022-04-19 12:42:44 us=119602 connect_retry_seconds = 10 2022-04-19 12:42:44 us=119615 connect_timeout = 20 2022-04-19 12:42:44 us=119631 socks_proxy_server = '[UNDEF]' 2022-04-19 12:42:44 us=119645 socks_proxy_port = '[UNDEF]' 2022-04-19 12:42:44 us=119661 tun_mtu = 1500 2022-04-19 12:42:44 us=119675 tun_mtu_defined = ENABLED 2022-04-19 12:42:44 us=119690 link_mtu = 1500 2022-04-19 12:42:44 us=119703 link_mtu_defined = DISABLED 2022-04-19 12:42:44 us=119720 tun_mtu_extra = 0 2022-04-19 12:42:44 us=119733 tun_mtu_extra_defined = DISABLED 2022-04-19 12:42:44 
us=119749 mtu_discover_type = -1 2022-04-19 12:42:44 us=119763 fragment = 0 2022-04-19 12:42:44 us=119779 mssfix = 1450 2022-04-19 12:42:44 us=119793 explicit_exit_notification = 0 2022-04-19 12:42:44 us=119807 tls_auth_file = '/etc/openvpn/tunc_55111u/pki/ta.key' 2022-04-19 12:42:44 us=119823 key_direction = 1 2022-04-19 12:42:44 us=119837 tls_crypt_file = '[UNDEF]' 2022-04-19 12:42:44 us=119851 tls_crypt_v2_file = '[UNDEF]' 2022-04-19 12:42:44 us=119867 Connection profiles END 2022-04-19 12:42:44 us=119880 remote_random = DISABLED 2022-04-19 12:42:44 us=119896 ipchange = '[UNDEF]' 2022-04-19 12:42:44 us=119910 dev = 'tunc55111' 2022-04-19 12:42:44 us=119924 dev_type = '[UNDEF]' 2022-04-19 12:42:44 us=119940 dev_node = '[UNDEF]' 2022-04-19 12:42:44 us=119954 lladdr = '[UNDEF]' 2022-04-19 12:42:44 us=119970 topology = 1 2022-04-19 12:42:44 us=119984 ifconfig_local = '[UNDEF]' 2022-04-19 12:42:44 us=119999 ifconfig_remote_netmask = '[UNDEF]' 2022-04-19 12:42:44 us=120013 ifconfig_noexec = DISABLED 2022-04-19 12:42:44 us=120028 ifconfig_nowarn = DISABLED 2022-04-19 12:42:44 us=120042 ifconfig_ipv6_local = '[UNDEF]' 2022-04-19 12:42:44 us=120058 ifconfig_ipv6_netbits = 0 2022-04-19 12:42:44 us=120072 ifconfig_ipv6_remote = '[UNDEF]' 2022-04-19 12:42:44 us=120087 shaper = 0 2022-04-19 12:42:44 us=120101 mtu_test = 0 2022-04-19 12:42:44 us=120117 mlock = DISABLED 2022-04-19 12:42:44 us=120131 keepalive_ping = 0 2022-04-19 12:42:44 us=120146 keepalive_timeout = 0 2022-04-19 12:42:44 us=120160 inactivity_timeout = 0 2022-04-19 12:42:44 us=120176 inactivity_minimum_bytes = 0 2022-04-19 12:42:44 us=120190 ping_send_timeout = 0 2022-04-19 12:42:44 us=120205 ping_rec_timeout = 0 2022-04-19 12:42:44 us=120220 ping_rec_timeout_action = 0 2022-04-19 12:42:44 us=120235 ping_timer_remote = ENABLED 2022-04-19 12:42:44 us=120249 remap_sigusr1 = 0 2022-04-19 12:42:44 us=120264 persist_tun = DISABLED 2022-04-19 12:42:44 us=120278 persist_local_ip = DISABLED 2022-04-19 12:42:44 
us=120293 persist_remote_ip = DISABLED 2022-04-19 12:42:44 us=120307 persist_key = DISABLED 2022-04-19 12:42:44 us=120323 passtos = DISABLED 2022-04-19 12:42:44 us=120337 resolve_retry_seconds = 1000000000 2022-04-19 12:42:44 us=120352 resolve_in_advance = DISABLED 2022-04-19 12:42:44 us=120367 username = '[UNDEF]' 2022-04-19 12:42:44 us=120382 groupname = '[UNDEF]' 2022-04-19 12:42:44 us=120396 chroot_dir = '[UNDEF]' 2022-04-19 12:42:44 us=120411 cd_dir = '[UNDEF]' 2022-04-19 12:42:44 us=120425 writepid = '[UNDEF]' 2022-04-19 12:42:44 us=120441 up_script = 'up.sh' 2022-04-19 12:42:44 us=120455 down_script = 'down.sh' 2022-04-19 12:42:44 us=120470 down_pre = DISABLED 2022-04-19 12:42:44 us=120484 up_restart = DISABLED 2022-04-19 12:42:44 us=120499 up_delay = DISABLED 2022-04-19 12:42:44 us=120513 daemon = DISABLED 2022-04-19 12:42:44 us=120529 inetd = 0 2022-04-19 12:42:44 us=120542 log = DISABLED 2022-04-19 12:42:44 us=120557 suppress_timestamps = DISABLED 2022-04-19 12:42:44 us=120571 machine_readable_output = DISABLED 2022-04-19 12:42:44 us=120586 nice = 0 2022-04-19 12:42:44 us=120600 verbosity = 4 2022-04-19 12:42:44 us=120616 mute = 0 2022-04-19 12:42:44 us=120629 gremlin = 0 2022-04-19 12:42:44 us=120644 status_file = '[UNDEF]' 2022-04-19 12:42:44 us=120658 status_file_version = 1 2022-04-19 12:42:44 us=120674 status_file_update_freq = 60 2022-04-19 12:42:44 us=120688 occ = ENABLED 2022-04-19 12:42:44 us=120704 rcvbuf = 0 2022-04-19 12:42:44 us=120717 sndbuf = 0 2022-04-19 12:42:44 us=120732 mark = 0 2022-04-19 12:42:44 us=120746 sockflags = 0 2022-04-19 12:42:44 us=120761 fast_io = DISABLED 2022-04-19 12:42:44 us=120775 comp.alg = 1 2022-04-19 12:42:44 us=120791 comp.flags = 0 2022-04-19 12:42:44 us=120805 route_script = '[UNDEF]' 2022-04-19 12:42:44 us=120829 route_default_gateway = '[UNDEF]' 2022-04-19 12:42:44 us=120848 route_default_metric = 0 2022-04-19 12:42:44 us=120862 route_noexec = DISABLED 2022-04-19 12:42:44 us=120877 route_delay = 0 2022-04-19 
12:42:44 us=120891 route_delay_window = 30 2022-04-19 12:42:44 us=120907 route_delay_defined = DISABLED 2022-04-19 12:42:44 us=120921 route_nopull = DISABLED 2022-04-19 12:42:44 us=120935 route_gateway_via_dhcp = DISABLED 2022-04-19 12:42:44 us=120951 allow_pull_fqdn = DISABLED 2022-04-19 12:42:44 us=120965 Pull filters: 2022-04-19 12:42:44 us=120981 ignore "route 192.168." 2022-04-19 12:42:44 us=120995 management_addr = '[UNDEF]' 2022-04-19 12:42:44 us=121011 management_port = '[UNDEF]' 2022-04-19 12:42:44 us=121026 management_user_pass = '[UNDEF]' 2022-04-19 12:42:44 us=121042 management_log_history_cache = 250 2022-04-19 12:42:44 us=121056 management_echo_buffer_size = 100 2022-04-19 12:42:44 us=121070 management_write_peer_info_file = '[UNDEF]' 2022-04-19 12:42:44 us=121087 management_client_user = '[UNDEF]' 2022-04-19 12:42:44 us=121103 management_client_group = '[UNDEF]' 2022-04-19 12:42:44 us=121117 management_flags = 0 2022-04-19 12:42:44 us=121132 shared_secret_file = '[UNDEF]' 2022-04-19 12:42:44 us=121146 key_direction = 1 2022-04-19 12:42:44 us=121164 ciphername = 'AES-256-GCM' 2022-04-19 12:42:44 us=121180 ncp_enabled = ENABLED 2022-04-19 12:42:44 us=121194 ncp_ciphers = 'AES-256-GCM:AES-128-GCM' 2022-04-19 12:42:44 us=121209 authname = 'SHA1' 2022-04-19 12:42:44 us=121225 prng_hash = 'SHA1' 2022-04-19 12:42:44 us=121240 prng_nonce_secret_len = 16 2022-04-19 12:42:44 us=121254 keysize = 0 2022-04-19 12:42:44 us=121270 engine = DISABLED 2022-04-19 12:42:44 us=121284 replay = ENABLED 2022-04-19 12:42:44 us=121298 mute_replay_warnings = DISABLED 2022-04-19 12:42:44 us=121315 replay_window = 64 2022-04-19 12:42:44 us=121329 replay_time = 15 2022-04-19 12:42:44 us=121345 packet_id_file = '[UNDEF]' 2022-04-19 12:42:44 us=121359 test_crypto = DISABLED 2022-04-19 12:42:44 us=121376 tls_server = DISABLED 2022-04-19 12:42:44 us=121391 tls_client = ENABLED 2022-04-19 12:42:44 us=121407 ca_file = '[INLINE]' 2022-04-19 12:42:44 us=121421 ca_path = '[UNDEF]' 
2022-04-19 12:42:44 us=121438 dh_file = '[UNDEF]' 2022-04-19 12:42:44 us=121454 cert_file = '[INLINE]' 2022-04-19 12:42:44 us=121469 extra_certs_file = '[UNDEF]' 2022-04-19 12:42:44 us=121485 priv_key_file = '[INLINE]' 2022-04-19 12:42:44 us=121499 pkcs12_file = '[UNDEF]' 2022-04-19 12:42:44 us=121514 cipher_list = '[UNDEF]' 2022-04-19 12:42:44 us=121528 cipher_list_tls13 = '[UNDEF]' 2022-04-19 12:42:44 us=121544 tls_cert_profile = '[UNDEF]' 2022-04-19 12:42:44 us=121558 tls_verify = '[UNDEF]' 2022-04-19 12:42:44 us=121574 tls_export_cert = '[UNDEF]' 2022-04-19 12:42:44 us=121588 verify_x509_type = 2 2022-04-19 12:42:44 us=121604 verify_x509_name = 'v303.tct.secp384r1.s01' 2022-04-19 12:42:44 us=121618 crl_file = '[UNDEF]' 2022-04-19 12:42:44 us=121632 ns_cert_type = 0 2022-04-19 12:42:44 us=121648 remote_cert_ku[i] = 65535 2022-04-19 12:42:44 us=121662 remote_cert_ku[i] = 0 2022-04-19 12:42:44 us=121678 remote_cert_ku[i] = 0 2022-04-19 12:42:44 us=121692 remote_cert_ku[i] = 0 2022-04-19 12:42:44 us=121708 remote_cert_ku[i] = 0 2022-04-19 12:42:44 us=121722 remote_cert_ku[i] = 0 2022-04-19 12:42:44 us=121736 remote_cert_ku[i] = 0 2022-04-19 12:42:44 us=121751 remote_cert_ku[i] = 0 2022-04-19 12:42:44 us=121765 remote_cert_ku[i] = 0 2022-04-19 12:42:44 us=121779 remote_cert_ku[i] = 0 2022-04-19 12:42:44 us=121793 remote_cert_ku[i] = 0 2022-04-19 12:42:44 us=121807 remote_cert_ku[i] = 0 2022-04-19 12:42:44 us=121822 remote_cert_ku[i] = 0 2022-04-19 12:42:44 us=121836 remote_cert_ku[i] = 0 2022-04-19 12:42:44 us=121850 remote_cert_ku[i] = 0 2022-04-19 12:42:44 us=121864 remote_cert_ku[i] = 0 2022-04-19 12:42:44 us=121879 remote_cert_eku = 'TLS Web Server Authentication' 2022-04-19 12:42:44 us=121894 ssl_flags = 3264 2022-04-19 12:42:44 us=121908 tls_timeout = 10 2022-04-19 12:42:44 us=121922 renegotiate_bytes = -1 2022-04-19 12:42:44 us=121936 renegotiate_packets = 0 2022-04-19 12:42:44 us=121951 renegotiate_seconds = 0 2022-04-19 12:42:44 us=121965 handshake_window = 
60 2022-04-19 12:42:44 us=121979 transition_window = 3600 2022-04-19 12:42:44 us=121993 single_session = DISABLED 2022-04-19 12:42:44 us=122007 push_peer_info = ENABLED 2022-04-19 12:42:44 us=122021 tls_exit = DISABLED 2022-04-19 12:42:44 us=122035 tls_crypt_v2_metadata = '[UNDEF]' 2022-04-19 12:42:44 us=122049 pkcs11_protected_authentication = DISABLED 2022-04-19 12:42:44 us=122063 pkcs11_protected_authentication = DISABLED 2022-04-19 12:42:44 us=122077 pkcs11_protected_authentication = DISABLED 2022-04-19 12:42:44 us=122093 pkcs11_protected_authentication = DISABLED 2022-04-19 12:42:44 us=122106 pkcs11_protected_authentication = DISABLED 2022-04-19 12:42:44 us=122121 pkcs11_protected_authentication = DISABLED 2022-04-19 12:42:44 us=122135 pkcs11_protected_authentication = DISABLED 2022-04-19 12:42:44 us=122149 pkcs11_protected_authentication = DISABLED 2022-04-19 12:42:44 us=122164 pkcs11_protected_authentication = DISABLED 2022-04-19 12:42:44 us=122178 pkcs11_protected_authentication = DISABLED 2022-04-19 12:42:44 us=122192 pkcs11_protected_authentication = DISABLED 2022-04-19 12:42:44 us=122206 pkcs11_protected_authentication = DISABLED 2022-04-19 12:42:44 us=122221 pkcs11_protected_authentication = DISABLED 2022-04-19 12:42:44 us=122234 pkcs11_protected_authentication = DISABLED 2022-04-19 12:42:44 us=122249 pkcs11_protected_authentication = DISABLED 2022-04-19 12:42:44 us=122263 pkcs11_protected_authentication = DISABLED 2022-04-19 12:42:44 us=122278 pkcs11_private_mode = 00000000 2022-04-19 12:42:44 us=122292 pkcs11_private_mode = 00000000 2022-04-19 12:42:44 us=122306 pkcs11_private_mode = 00000000 2022-04-19 12:42:44 us=122321 pkcs11_private_mode = 00000000 2022-04-19 12:42:44 us=122335 pkcs11_private_mode = 00000000 2022-04-19 12:42:44 us=122349 pkcs11_private_mode = 00000000 2022-04-19 12:42:44 us=122364 pkcs11_private_mode = 00000000 2022-04-19 12:42:44 us=122378 pkcs11_private_mode = 00000000 2022-04-19 12:42:44 us=122392 pkcs11_private_mode = 00000000 
2022-04-19 12:42:44 us=122406 pkcs11_private_mode = 00000000 2022-04-19 12:42:44 us=122421 pkcs11_private_mode = 00000000 2022-04-19 12:42:44 us=122435 pkcs11_private_mode = 00000000 2022-04-19 12:42:44 us=122449 pkcs11_private_mode = 00000000 2022-04-19 12:42:44 us=122463 pkcs11_private_mode = 00000000 2022-04-19 12:42:44 us=122477 pkcs11_private_mode = 00000000 2022-04-19 12:42:44 us=122491 pkcs11_private_mode = 00000000 2022-04-19 12:42:44 us=122505 pkcs11_cert_private = DISABLED 2022-04-19 12:42:44 us=122519 pkcs11_cert_private = DISABLED 2022-04-19 12:42:44 us=122533 pkcs11_cert_private = DISABLED 2022-04-19 12:42:44 us=122548 pkcs11_cert_private = DISABLED 2022-04-19 12:42:44 us=122562 pkcs11_cert_private = DISABLED 2022-04-19 12:42:44 us=122575 pkcs11_cert_private = DISABLED 2022-04-19 12:42:44 us=122589 pkcs11_cert_private = DISABLED 2022-04-19 12:42:44 us=122603 pkcs11_cert_private = DISABLED 2022-04-19 12:42:44 us=122618 pkcs11_cert_private = DISABLED 2022-04-19 12:42:44 us=122632 pkcs11_cert_private = DISABLED 2022-04-19 12:42:44 us=122646 pkcs11_cert_private = DISABLED 2022-04-19 12:42:44 us=122660 pkcs11_cert_private = DISABLED 2022-04-19 12:42:44 us=122674 pkcs11_cert_private = DISABLED 2022-04-19 12:42:44 us=122688 pkcs11_cert_private = DISABLED 2022-04-19 12:42:44 us=122702 pkcs11_cert_private = DISABLED 2022-04-19 12:42:44 us=122716 pkcs11_cert_private = DISABLED 2022-04-19 12:42:44 us=122731 pkcs11_pin_cache_period = -1 2022-04-19 12:42:44 us=122745 pkcs11_id = '[UNDEF]' 2022-04-19 12:42:44 us=122759 pkcs11_id_management = DISABLED 2022-04-19 12:42:44 us=122775 server_network = 0.0.0.0 2022-04-19 12:42:44 us=122790 server_netmask = 0.0.0.0 2022-04-19 12:42:44 us=122811 server_network_ipv6 = :: 2022-04-19 12:42:44 us=122825 server_netbits_ipv6 = 0 2022-04-19 12:42:44 us=122840 server_bridge_ip = 0.0.0.0 2022-04-19 12:42:44 us=122855 server_bridge_netmask = 0.0.0.0 2022-04-19 12:42:44 us=122870 server_bridge_pool_start = 0.0.0.0 2022-04-19 12:42:44 
us=122886 server_bridge_pool_end = 0.0.0.0 2022-04-19 12:42:44 us=122899 ifconfig_pool_defined = DISABLED 2022-04-19 12:42:44 us=122919 ifconfig_pool_start = 0.0.0.0 2022-04-19 12:42:44 us=122936 ifconfig_pool_end = 0.0.0.0 2022-04-19 12:42:44 us=122952 ifconfig_pool_netmask = 0.0.0.0 2022-04-19 12:42:44 us=122965 ifconfig_pool_persist_filename = '[UNDEF]' 2022-04-19 12:42:44 us=122981 ifconfig_pool_persist_refresh_freq = 600 2022-04-19 12:42:44 us=122994 ifconfig_ipv6_pool_defined = DISABLED 2022-04-19 12:42:44 us=123010 ifconfig_ipv6_pool_base = :: 2022-04-19 12:42:44 us=123025 ifconfig_ipv6_pool_netbits = 0 2022-04-19 12:42:44 us=123039 n_bcast_buf = 256 2022-04-19 12:42:44 us=123053 tcp_queue_limit = 64 2022-04-19 12:42:44 us=123067 real_hash_size = 256 2022-04-19 12:42:44 us=123082 virtual_hash_size = 256 2022-04-19 12:42:44 us=123096 client_connect_script = '[UNDEF]' 2022-04-19 12:42:44 us=123110 learn_address_script = '[UNDEF]' 2022-04-19 12:42:44 us=123124 client_disconnect_script = '[UNDEF]' 2022-04-19 12:42:44 us=123139 client_config_dir = '[UNDEF]' 2022-04-19 12:42:44 us=123153 ccd_exclusive = DISABLED 2022-04-19 12:42:44 us=123167 tmp_dir = '/tmp' 2022-04-19 12:42:44 us=123180 push_ifconfig_defined = DISABLED 2022-04-19 12:42:44 us=123196 push_ifconfig_local = 0.0.0.0 2022-04-19 12:42:44 us=123213 push_ifconfig_remote_netmask = 0.0.0.0 2022-04-19 12:42:44 us=123226 push_ifconfig_ipv6_defined = DISABLED 2022-04-19 12:42:44 us=123242 push_ifconfig_ipv6_local = ::/0 2022-04-19 12:42:44 us=123257 push_ifconfig_ipv6_remote = :: 2022-04-19 12:42:44 us=123270 enable_c2c = DISABLED 2022-04-19 12:42:44 us=123285 duplicate_cn = DISABLED 2022-04-19 12:42:44 us=123299 cf_max = 0 2022-04-19 12:42:44 us=123313 cf_per = 0 2022-04-19 12:42:44 us=123327 max_clients = 1024 2022-04-19 12:42:44 us=123341 max_routes_per_client = 256 2022-04-19 12:42:44 us=123355 auth_user_pass_verify_script = '[UNDEF]' 2022-04-19 12:42:44 us=123369 auth_user_pass_verify_script_via_file = 
DISABLED 2022-04-19 12:42:44 us=123383 auth_token_generate = DISABLED 2022-04-19 12:42:44 us=123398 auth_token_lifetime = 0 2022-04-19 12:42:44 us=123411 auth_token_secret_file = '[UNDEF]' 2022-04-19 12:42:44 us=123425 port_share_host = '[UNDEF]' 2022-04-19 12:42:44 us=123439 port_share_port = '[UNDEF]' 2022-04-19 12:42:44 us=123453 vlan_tagging = DISABLED 2022-04-19 12:42:44 us=123468 vlan_accept = all 2022-04-19 12:42:44 us=123482 vlan_pvid = 1 2022-04-19 12:42:44 us=123496 client = DISABLED 2022-04-19 12:42:44 us=123510 pull = ENABLED 2022-04-19 12:42:44 us=123524 auth_user_pass_file = '/etc/openvpn/userpass.txt' 2022-04-19 12:42:44 us=123540 OpenVPN 2.5.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 16 2022 2022-04-19 12:42:44 us=123562 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10 2022-04-19 12:42:44 us=123769 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 2022-04-19 12:42:44 us=125046 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication 2022-04-19 12:42:44 us=125072 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication 2022-04-19 12:42:44 us=125172 Control Channel MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ] 2022-04-19 12:42:44 us=125203 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ] 2022-04-19 12:42:44 us=125234 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1552,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client' 2022-04-19 12:42:44 us=125246 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1552,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server' 2022-04-19 12:42:44 us=125279 TCP/UDP: Preserving recently used remote address: 
[AF_INET]10.1.101.226:55111 2022-04-19 12:42:44 us=125325 Socket Buffers: R=[131072->131072] S=[16384->16384] 2022-04-19 12:42:44 us=125343 Attempting to establish TCP connection with [AF_INET]10.1.101.226:55111 [nonblock] 2022-04-19 12:42:44 us=126596 TCP connection established with [AF_INET]10.1.101.226:55111 2022-04-19 12:42:44 us=128261 TCP_CLIENT link local: (not bound) 2022-04-19 12:42:44 us=128302 TCP_CLIENT link remote: [AF_INET]10.1.101.226:55111 2022-04-19 12:42:44 us=129751 TLS: Initial packet from [AF_INET]10.1.101.226:55111, sid=8bde60a3 975cfe65 2022-04-19 12:42:44 us=138821 VERIFY OK: depth=1, C=00, ST=tct, L=home, O=tctnet, OU=tctnet-secp384r1, CN=CA tct-secp384r1, emailAddress=me@home.org 2022-04-19 12:42:44 us=141162 VERIFY KU OK 2022-04-19 12:42:44 us=141202 Validating certificate extended key usage 2022-04-19 12:42:44 us=141216 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication 2022-04-19 12:42:44 us=141228 VERIFY EKU OK 2022-04-19 12:42:44 us=141239 VERIFY X509NAME OK: C=00, ST=tct, L=home, O=tctnet, OU=tctnet-secp384r1, CN=v303.tct.secp384r1.s01, emailAddress=me@home.org 2022-04-19 12:42:44 us=141251 VERIFY OK: depth=0, C=00, ST=tct, L=home, O=tctnet, OU=tctnet-secp384r1, CN=v303.tct.secp384r1.s01, emailAddress=me@home.org 2022-04-19 12:42:44 us=160332 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, peer certificate: 384 bit EC, curve secp384r1, signature: ecdsa-with-SHA384 2022-04-19 12:42:44 us=160397 [v303.tct.secp384r1.s01] Peer Connection Initiated with [AF_INET]10.1.101.226:55111 2022-04-19 12:42:44 us=161663 Key [AF_INET]10.1.101.226:55111 [0] not initialized (yet), dropping packet. 
2022-04-19 12:42:44 us=205964 PUSH: Received control message: 'PUSH_REPLY,block-ipv6,topology subnet,explicit-exit-notify 3,comp-lzo no,compress,route-gateway 10.55.111.225,topology subnet,route 10.7.39.137,ping 0,ping-restart 0,ping 10,ping-restart 30,ifconfig 10.55.111.254 255.255.255.224,peer-id 0,cipher AES-256-GCM' 2022-04-19 12:42:44 us=206185 OPTIONS IMPORT: timers and/or timeouts modified 2022-04-19 12:42:44 us=206386 OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp 2022-04-19 12:42:44 us=206493 OPTIONS IMPORT: compression parms modified 2022-04-19 12:42:44 us=206562 OPTIONS IMPORT: --ifconfig/up options modified 2022-04-19 12:42:44 us=206582 OPTIONS IMPORT: route options modified 2022-04-19 12:42:44 us=206594 OPTIONS IMPORT: route-related options modified 2022-04-19 12:42:44 us=206606 OPTIONS IMPORT: peer-id set 2022-04-19 12:42:44 us=206618 OPTIONS IMPORT: adjusting link_mtu to 1627 2022-04-19 12:42:44 us=206630 OPTIONS IMPORT: data channel crypto options modified 2022-04-19 12:42:44 us=206759 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key 2022-04-19 12:42:44 us=206784 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key 2022-04-19 12:42:44 us=207009 ROUTE_GATEWAY 10.1.101.1/255.255.255.0 IFACE=enp5s0 HWADDR=24:b6:fd:31:bc:ca 2022-04-19 12:42:44 us=207555 TUN/TAP device tunc55111 opened 2022-04-19 12:42:44 us=207609 do_ifconfig, ipv4=1, ipv6=0 2022-04-19 12:42:44 us=207637 /sbin/ip link set dev tunc55111 up mtu 1500 2022-04-19 12:42:44 us=211074 /sbin/ip link set dev tunc55111 up 2022-04-19 12:42:44 us=214581 /sbin/ip addr add dev tunc55111 10.55.111.254/27 2022-04-19 12:42:44 us=220597 up.sh tunc55111 1500 1627 10.55.111.254 255.255.255.224 init ******** * * * UP * * * ******** 2022-04-19 12:42:44 us=221760 /sbin/ip route add 10.7.39.137/32 via 10.55.111.225 2022-04-19 12:42:44 us=223613 Initialization Sequence Completed
Change History (8)
comment:1 follow-up: 2 Changed 2 years ago by
comment:2 Changed 2 years ago by
Replying to Pippin:
Not a "Warning" but a "Note":
2022-04-19 12:42:44 us=123769 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts?
That is probably another bug:
```
init.c: msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
init.c: msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
```
WARNINGS are warnings not NOTES.
comment:3 Changed 2 years ago by
Not sure I understand the logic here...
```c
/* If a script is used, print appropriate warnings */
if (o->user_script_used)
{
    if (script_security() >= SSEC_SCRIPTS)
    {
        msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
    }
    else if (script_security() >= SSEC_PW_ENV)
    {
        msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
    }
}
```
... but this is really old code, so nothing has "disappeared"... haven't looked more closely why this is what it is, but it seems the sequence of checks is wrong (NOTE for "yeah, scripts", and WARNING for "whee, scripts can see things!")...
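To make the check-ordering point in the comment above concrete, here is an added example (my own code, not OpenVPN's). It assumes the documented --script-security scale, where level 2 allows user-defined scripts and level 3 additionally lets passwords reach scripts through the environment, and uses the two macro names from the quoted init.c snippet with those values. With SSEC_PW_ENV greater than SSEC_SCRIPTS, every level that could satisfy the second test has already matched the first, so the WARNING branch is dead code and a level-3 configuration such as the reporter's only ever produces the NOTE. The reordered variant is an illustration of testing the stronger condition first, not the project's fix.

```c
#include <stdio.h>

/* Added example, not OpenVPN project code. Level numbers follow the
 * documented --script-security scale (0..3); the two macro names are the
 * ones used in the init.c snippet quoted in this ticket. */
#define SSEC_NONE     0 /* strictly no external programs */
#define SSEC_BUILT_IN 1 /* only built-in helpers such as ip/route */
#define SSEC_SCRIPTS  2 /* built-ins plus user-defined scripts */
#define SSEC_PW_ENV   3 /* scripts may also receive passwords via env */

enum warn_kind { WARN_NONE = 0, WARN_NOTE = 1, WARN_WARNING = 2 };

/* Same check order as the quoted init.c code. Because SSEC_PW_ENV (3) is
 * larger than SSEC_SCRIPTS (2), any level that would satisfy the second test
 * has already matched the first one: the WARNING branch is never reached and
 * a level-3 configuration only ever gets the NOTE seen in the reporter's log. */
static enum warn_kind warn_as_quoted(int level, int user_script_used)
{
    if (!user_script_used)
    {
        return WARN_NONE;
    }
    if (level >= SSEC_SCRIPTS)
    {
        return WARN_NOTE;
    }
    else if (level >= SSEC_PW_ENV)
    {
        return WARN_WARNING; /* dead code: 3 >= 2 already matched above */
    }
    return WARN_NONE;
}

/* Illustrative reordering (an assumption for this example, not the project's
 * fix): test the stronger condition first so level 3 yields the WARNING about
 * passwords in the environment and level 2 the NOTE about scripts. */
static enum warn_kind warn_reordered(int level, int user_script_used)
{
    if (!user_script_used)
    {
        return WARN_NONE;
    }
    if (level >= SSEC_PW_ENV)
    {
        return WARN_WARNING;
    }
    else if (level >= SSEC_SCRIPTS)
    {
        return WARN_NOTE;
    }
    return WARN_NONE;
}

static const char *warn_name(enum warn_kind k)
{
    switch (k)
    {
        case WARN_NOTE:    return "NOTE";
        case WARN_WARNING: return "WARNING";
        default:           return "(nothing)";
    }
}

int main(void)
{
    /* Walk every level with an --up script configured, as in the ticket. */
    for (int level = SSEC_NONE; level <= SSEC_PW_ENV; level++)
    {
        printf("script-security %d: quoted order -> %-9s reordered -> %s\n",
               level, warn_name(warn_as_quoted(level, 1)),
               warn_name(warn_reordered(level, 1)));
    }
    return 0;
}
```

Running it prints one line per level; the "quoted order" column never shows WARNING, while the reordered column shows WARNING only for level 3 and NOTE for level 2, which is the behaviour the two message texts describe.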
comment:4 follow-up: 5 Changed 2 years ago by
The WARNING in the log has disappeared.
comment:5 Changed 2 years ago by
Replying to tct:
The WARNING for --script-security 3 in the log has disappeared.
Prove by showing an openvpn log with the same config(!) that has it as WARNING. It might have been a different script-security level - as you can see, the WARNING is there, it's just not printed at all levels.
comment:6 Changed 2 years ago by
Resolution: | → worksforme |
---|---|
Status: | new → closed |
Replying to tct:
2022-04-19 12:42:44 us=123769 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
I must have some form of log-file blind-spot syndrome .. the warning I was looking for is right there!
Apologies for the noise.
comment:7 Changed 2 years ago by
Resolution: | worksforme |
---|---|
Status: | closed → reopened |
Re-opened as requested.
Reminder to take a closer look at calling code if
s
Also, make log message a Warning.
comment:8 Changed 2 years ago by
Summary: | Script security warning has disappeared → Script security warnings - Revisit code and decide WARN or Note ? |
---|