Default client renegotiation interval to zero (rh #969433)
parent
0b30c4423e
commit
1e586a2592
@ -0,0 +1,42 @@
|
|||||||
|
From 81149fd01897166cee5649d2da3801f2a5a45b5c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dan Williams <dcbw@redhat.com>
|
||||||
|
Date: Wed, 8 Apr 2015 09:37:56 -0500
|
||||||
|
Subject: [PATCH] core: use a default renegotiation interval of zero (rh
|
||||||
|
#969433)
|
||||||
|
|
||||||
|
Since the client and server do not negotiate options, each side gets
|
||||||
|
to specify its own --reneg-sec to control when each side renegotiates.
|
||||||
|
OpenVPN defaults to 3600, so if the client and server don't agree this
|
||||||
|
causes too-frequent renegotiations.
|
||||||
|
|
||||||
|
This is worse with two-factor authentication, becuase it can mean that
|
||||||
|
the client requests a password/PIN from the user much more often then
|
||||||
|
the server actually wants.
|
||||||
|
|
||||||
|
https://bugzilla.redhat.com/show_bug.cgi?id=969433
|
||||||
|
---
|
||||||
|
src/nm-openvpn-service.c | 8 ++++++++
|
||||||
|
1 file changed, 8 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
|
||||||
|
index 8282573..93ced6c 100644
|
||||||
|
--- a/src/nm-openvpn-service.c
|
||||||
|
+++ b/src/nm-openvpn-service.c
|
||||||
|
@@ -1115,6 +1115,14 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
|
||||||
|
free_openvpn_args (args);
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
+ } else {
|
||||||
|
+ /* Either the server and client must agree on the renegotiation
|
||||||
|
+ * interval, or it should be disabled on one side to prevent
|
||||||
|
+ * too-frequent renegotiations, which make two-factor auth quite
|
||||||
|
+ * painful.
|
||||||
|
+ */
|
||||||
|
+ add_openvpn_arg (args, "--reneg-sec");
|
||||||
|
+ add_openvpn_arg (args, "0");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (debug) {
|
||||||
|
--
|
||||||
|
2.1.0
|
||||||
|
|
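Review bot: Passing `--reneg-sec 0` in the new else branch disables client-initiated renegotiation of the data channel altogether, so for profiles that set no interval the session key is now rotated only if the server's own reneg-sec/reneg-bytes/reneg-pkts settings drive it; the added comment explains why frequent renegotiation hurts two-factor auth but not that the client is giving up its own rotation, which a later maintainer needs to know before touching this. I would extend the comment with `/* 0 disables client-initiated renegotiation; key rotation then relies on the server's own reneg-* settings. */`. The `else` pairs with an `if` that starts above the hunk, so which configuration keys take the first branch cannot be confirmed from here, and nm_openvpn_start_openvpn_binary continues outside the hunk in both directions. The patch description's "becuase" and "more often then" are typos, but as lines of the added file they are not editable from this review.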