Default client renegotiation interval to zero (rh #969433)

10 years ago · 1e586a2592
parent 0b30c4423e
commit 1e586a2592
2 changed files with 49 additions and 1 deletions
--- a/0001-core-use-a-default-renegotiation-interval-of-zero-rh.patch
+++ b/0001-core-use-a-default-renegotiation-interval-of-zero-rh.patch
@ -0,0 +1,42 @@
+From 81149fd01897166cee5649d2da3801f2a5a45b5c Mon Sep 17 00:00:00 2001
+From: Dan Williams <dcbw@redhat.com>
+Date: Wed, 8 Apr 2015 09:37:56 -0500
+Subject: [PATCH] core: use a default renegotiation interval of zero (rh
+ #969433)
+
+Since the client and server do not negotiate options, each side gets
+to specify its own --reneg-sec to control when each side renegotiates.
+OpenVPN defaults to 3600, so if the client and server don't agree this
+causes too-frequent renegotiations.
+
+This is worse with two-factor authentication, becuase it can mean that
+the client requests a password/PIN from the user much more often then
+the server actually wants.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=969433
+---
+ src/nm-openvpn-service.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
+index 8282573..93ced6c 100644
+--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
+@@ -1115,6 +1115,14 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
+ 			free_openvpn_args (args);
+ 			return FALSE;
+ 		}
+	} else {
+		/* Either the server and client must agree on the renegotiation
+		 * interval, or it should be disabled on one side to prevent
+		 * too-frequent renegotiations, which make two-factor auth quite
+		 * painful.
+		 */
+		add_openvpn_arg (args, "--reneg-sec");
+		add_openvpn_arg (args, "0");
+ 	}
+ 
+ 	if (debug) {
+-- 
+2.1.0
+
--- a/NetworkManager-openvpn.spec
+++ b/NetworkManager-openvpn.spec
@ -5,7 +5,7 @@ Summary:   NetworkManager VPN plugin for OpenVPN
 Name:      NetworkManager-openvpn
 Epoch:     1
 Version:   1.0.0
-Release:   2%{?snapshot}%{?dist}
+Release:   3%{?snapshot}%{?dist}
 License:   GPLv2+
 URL:       http://www.gnome.org/projects/NetworkManager/
 Group:     System Environment/Base
@ -16,6 +16,8 @@ Group:     System Environment/Base
 # mv NetworkManager-openvpn-0.9.9.0.tar.bz2 NetworkManager-openvpn-0.9.9.0-5afb8eb.tar.bz2
 Source0:   http://ftp.gnome.org/pub/GNOME/sources/%{name}/1.0/%{name}-%{version}%{?commit:-%{commit}}.tar.xz

+Patch0:    0001-core-use-a-default-renegotiation-interval-of-zero-rh.patch
+
 BuildRequires: gtk3-devel
 BuildRequires: dbus-devel
 BuildRequires: NetworkManager-devel
@ -58,6 +60,7 @@ the OpenVPN server with NetworkManager (GNOME files).

 %prep
 %setup -q -n %{name}-%{version}
+%patch0 -p1

 %build
 if [ ! -f configure ]; then
@ -95,6 +98,9 @@ rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.la
 %{_datadir}/gnome-vpn-properties/openvpn/nm-openvpn-dialog.ui

 %changelog
+* Wed Apr  8 2015 Dan Williams <dcbw@redhat.com> - 1:1.0.0-3
+- Default client renegotiation interval to zero (rh #969433)
+
 * Mon Feb 23 2015 Lubomir Rintel <lkundrak@v3.sk> - 1:1.0.0-2
 - Fix Source url