You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
43 lines
1.4 KiB
43 lines
1.4 KiB
10 years ago
|
From 81149fd01897166cee5649d2da3801f2a5a45b5c Mon Sep 17 00:00:00 2001
|
||
|
|
From: Dan Williams <dcbw@redhat.com>
|
||
|
|
Date: Wed, 8 Apr 2015 09:37:56 -0500
|
||
|
|
Subject: [PATCH] core: use a default renegotiation interval of zero (rh
|
||
|
|
#969433)
|
||
|
|
|
||
|
|
Since the client and server do not negotiate options, each side gets
|
||
|
|
to specify its own --reneg-sec to control when each side renegotiates.
|
||
|
|
OpenVPN defaults to 3600, so if the client and server don't agree this
|
||
|
|
causes too-frequent renegotiations.
|
||
|
|
|
||
|
|
This is worse with two-factor authentication, becuase it can mean that
|
||
|
|
the client requests a password/PIN from the user much more often then
|
||
|
|
the server actually wants.
|
||
|
|
|
||
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=969433
|
||
|
|
---
|
||
|
|
src/nm-openvpn-service.c | 8 ++++++++
|
||
|
|
1 file changed, 8 insertions(+)
|
||
|
|
|
||
|
|
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
|
||
|
|
index 8282573..93ced6c 100644
|
||
|
|
--- a/src/nm-openvpn-service.c
|
||
|
|
+++ b/src/nm-openvpn-service.c
|
||
|
|
@@ -1115,6 +1115,14 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
|
||
|
|
free_openvpn_args (args);
|
||
|
|
return FALSE;
|
||
|
|
}
|
||
|
|
+ } else {
|
||
|
|
+ /* Either the server and client must agree on the renegotiation
|
||
|
|
+ * interval, or it should be disabled on one side to prevent
|
||
|
|
+ * too-frequent renegotiations, which make two-factor auth quite
|
||
|
|
+ * painful.
|
||
|
|
+ */
|
||
|
|
+ add_openvpn_arg (args, "--reneg-sec");
|
||
|
|
+ add_openvpn_arg (args, "0");
|
||
|
|
}
|
||
|
|
|
||
|
|
if (debug) {
|
||
|
|
--
|
||
|
|
2.1.0
|
||
|
|
|