Opened 4 years ago

Closed 4 years ago

#377 closed Patch submission (fixed)

socks proxy always advertise authentication even if no authentication is provided by user

Reported by: irregulator
Owned by: cron2
Priority: major
Milestone: release 2.3.4
Component: Networking
Version: OpenVPN 2.2.2 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

When trying to use OpenVPN with socks-proxy, the OpenVPN client sends both "no authentication" and "plaintext authentication" as acceptable methods. This can cause a problem when the user doesn't want to use any authentication at all. Since OpenVPN advertises both methods regardless of whether the user has an authentication file, if the socks proxy picks the plaintext authentication method, the connection will fail.

This is implemented in https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/socks.c#L194.

This problem came up when I tried to connect OpenVPN and obfsproxy, a socks proxy that obfuscates traffic and is used for Tor pluggable transports. Although I don't want to use any authentication, the OpenVPN client will advertise plaintext authentication as available, and that method will be chosen by obfsproxy, causing the connection to drop.

Yawning gives a better explanation and kindly provided a patch: https://github.com/OpenVPN/openvpn/pull/14

Please review.
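The SOCKS5 method negotiation at issue in this ticket, as an added example that is neither OpenVPN's code nor the patch from the pull request: the client offers username/password (method 0x02, RFC 1929) only when credentials are configured, and rejects a proxy reply that selects a method it never offered. The function names and the `have_creds` flag are hypothetical; the byte values are those of RFC 1928.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SOCKS5_VERSION       0x05
#define SOCKS5_AUTH_NONE     0x00 /* RFC 1928: no authentication required */
#define SOCKS5_AUTH_USERPASS 0x02 /* RFC 1929: username/password */
#define SOCKS5_AUTH_REJECT   0xFF /* RFC 1928: no acceptable methods */

/* Hypothetical helper: write the method-selection greeting into buf.
 * have_creds is nonzero only when the user configured credentials.
 * Returns the number of bytes written, or 0 if buf is unusable. */
size_t socks5_build_greeting(uint8_t *buf, size_t cap, int have_creds)
{
    size_t nmethods = have_creds ? 2 : 1;
    if (buf == NULL || cap < 2 + nmethods)
        return 0;
    buf[0] = SOCKS5_VERSION;
    buf[1] = (uint8_t)nmethods;
    buf[2] = SOCKS5_AUTH_NONE;
    if (have_creds)
        buf[3] = SOCKS5_AUTH_USERPASS;
    return 2 + nmethods;
}

/* Hypothetical helper: validate the proxy's 2-byte reply (VER, METHOD)
 * against the greeting that was sent. Returns the selected method, or -1
 * if the reply is malformed, a rejection, or names a method not offered. */
int socks5_check_selection(const uint8_t *greeting, size_t glen,
                           const uint8_t *reply, size_t rlen)
{
    if (greeting == NULL || reply == NULL || glen < 3 || rlen != 2)
        return -1;
    if (reply[0] != SOCKS5_VERSION || reply[1] == SOCKS5_AUTH_REJECT)
        return -1;
    if (glen < 2 + (size_t)greeting[1])
        return -1;
    for (size_t i = 0; i < greeting[1]; i++)
        if (greeting[2 + i] == reply[1])
            return reply[1];
    return -1;
}

int main(void)
{
    uint8_t g[4], reply[2] = { 0x05, 0x02 }; /* constructed proxy reply */
    size_t n = socks5_build_greeting(g, sizeof g, 0); /* no credentials */
    printf("greeting bytes: %zu, selection: %d\n", n,
           socks5_check_selection(g, n, reply, sizeof reply));
    return 0;
}
```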

Change History (3)

comment:1 Changed 4 years ago by cron2

  • Milestone set to release 2.3.4
  • Owner set to cron2
  • Status changed from new to assigned

Thanks for the patch. I'll give it a close look ASAP.

comment:2 Changed 4 years ago by cron2

see also #148

comment:3 Changed 4 years ago by cron2

  • Resolution set to fixed
  • Status changed from assigned to closed

Patch committed and pushed.

commit 2903eba5dfe35c981329a833845e24de3882161a (master)
commit 34df13fdb65242b81c9006ee8ac83be4cc3f9e09 (release/2.3)

Will be part of OpenVPN 2.3.4.

Even though the bug is opened against OpenVPN 2.2.2, we are very likely not going to do another 2.2.x release - 2.3.x is mature enough that there shouldn't be any reason to stick to 2.2 any longer.
