From 1e586a25927256352e85eb17c983ed4ca20573a5 Mon Sep 17 00:00:00 2001
From: Dan Williams
Date: Wed, 8 Apr 2015 10:08:12 -0500
Subject: [PATCH] Default client renegotiation interval to zero (rh #969433)
---
 ...lt-renegotiation-interval-of-zero-rh.patch | 42 +++++++++++++++++++
 NetworkManager-openvpn.spec | 8 +++-
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 0001-core-use-a-default-renegotiation-interval-of-zero-rh.patch
diff --git a/0001-core-use-a-default-renegotiation-interval-of-zero-rh.patch b/0001-core-use-a-default-renegotiation-interval-of-zero-rh.patch
new file mode 100644
index 0000000..2ea57b3
--- /dev/null
+++ b/0001-core-use-a-default-renegotiation-interval-of-zero-rh.patch
@@ -0,0 +1,42 @@
+From 81149fd01897166cee5649d2da3801f2a5a45b5c Mon Sep 17 00:00:00 2001
+From: Dan Williams
+Date: Wed, 8 Apr 2015 09:37:56 -0500
+Subject: [PATCH] core: use a default renegotiation interval of zero (rh
+ #969433)
+
+Since the client and server do not negotiate options, each side gets
+to specify its own --reneg-sec to control when each side renegotiates.
+OpenVPN defaults to 3600, so if the client and server don't agree this
+causes too-frequent renegotiations.
+
+This is worse with two-factor authentication, becuase it can mean that
+the client requests a password/PIN from the user much more often then
+the server actually wants.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=969433
+---
+ src/nm-openvpn-service.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
+index 8282573..93ced6c 100644
+--- a/src/nm-openvpn-service.c
++++ b/src/nm-openvpn-service.c
+@@ -1115,6 +1115,14 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
+ free_openvpn_args (args);
+ return FALSE;
+ }
++ } else {
++ /* Either the server and client must agree on the renegotiation
++ * interval, or it should be disabled on one side to prevent
++ * too-frequent renegotiations, which make two-factor auth quite
++ * painful.
++ */
++ add_openvpn_arg (args, "--reneg-sec");
++ add_openvpn_arg (args, "0");
+ }
+
+ if (debug) {
+--
+2.1.0
+
diff --git a/NetworkManager-openvpn.spec b/NetworkManager-openvpn.spec
index df84c19..88687d4 100644
--- a/NetworkManager-openvpn.spec
+++ b/NetworkManager-openvpn.spec
@@ -5,7 +5,7 @@ Summary: NetworkManager VPN plugin for OpenVPN
 Name: NetworkManager-openvpn
 Epoch: 1
 Version: 1.0.0
-Release: 2%{?snapshot}%{?dist}
+Release: 3%{?snapshot}%{?dist}
 License: GPLv2+
 URL: http://www.gnome.org/projects/NetworkManager/
 Group: System Environment/Base
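Review bot: The new `else` branch passes `--reneg-sec 0`, which disables client-initiated key renegotiation outright rather than merely lengthening it, so the data-channel key lifetime now rests entirely on whatever the server's own --reneg-sec/--reneg-bytes/--reneg-pkts say; the added comment explains the two-factor motivation but not this trade-off. Suggest extending the comment with ` * 0 disables client-initiated renegotiation entirely; key rotation` / ` * then relies on the server's reneg-sec/reneg-bytes/reneg-pkts.` so the next maintainer does not read it as a harmless default. The `if` this `else` pairs with, and the rest of nm_openvpn_start_openvpn_binary, lie outside the hunk, so I cannot confirm from here whether a connection that explicitly sets its own interval still takes the first branch; a debug-level log line when the default of 0 is applied would also make the behaviour visible in support logs.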
@@ -16,6 +16,8 @@ Group: System Environment/Base # mv NetworkManager-openvpn-0.9.9.0.tar.bz2 NetworkManager-openvpn-0.9.9.0-5afb8eb.tar.bz2 Source0: http://ftp.gnome.org/pub/GNOME/sources/%{name}/1.0/%{name}-%{version}%{?commit:-%{commit}}.tar.xz +Patch0: 0001-core-use-a-default-renegotiation-interval-of-zero-rh.patch + BuildRequires: gtk3-devel BuildRequires: dbus-devel BuildRequires: NetworkManager-devel @@ -58,6 +60,7 @@ the OpenVPN server with NetworkManager (GNOME files). %prep %setup -q -n %{name}-%{version} +%patch0 -p1 %build if [ ! -f configure ]; then @@ -95,6 +98,9 @@ rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.la %{_datadir}/gnome-vpn-properties/openvpn/nm-openvpn-dialog.ui %changelog +* Wed Apr 8 2015 Dan Williams - 1:1.0.0-3 +- Default client renegotiation interval to zero (rh #969433) + * Mon Feb 23 2015 Lubomir Rintel - 1:1.0.0-2 - Fix Source url