Default client renegotiation interval to zero (rh #969433)

epel8
Dan Williams 10 years ago
parent 0b30c4423e
commit 1e586a2592

@ -0,0 +1,42 @@
From 81149fd01897166cee5649d2da3801f2a5a45b5c Mon Sep 17 00:00:00 2001
From: Dan Williams <dcbw@redhat.com>
Date: Wed, 8 Apr 2015 09:37:56 -0500
Subject: [PATCH] core: use a default renegotiation interval of zero (rh
#969433)
Since the client and server do not negotiate options, each side gets
to specify its own --reneg-sec to control when each side renegotiates.
OpenVPN defaults to 3600, so if the client and server don't agree this
causes too-frequent renegotiations.
This is worse with two-factor authentication, becuase it can mean that
the client requests a password/PIN from the user much more often then
the server actually wants.
https://bugzilla.redhat.com/show_bug.cgi?id=969433
---
src/nm-openvpn-service.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index 8282573..93ced6c 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -1115,6 +1115,14 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
free_openvpn_args (args);
return FALSE;
}
+ } else {
+ /* Either the server and client must agree on the renegotiation
+ * interval, or it should be disabled on one side to prevent
+ * too-frequent renegotiations, which make two-factor auth quite
+ * painful.
+ */
+ add_openvpn_arg (args, "--reneg-sec");
+ add_openvpn_arg (args, "0");
}
if (debug) {
--
2.1.0

@ -5,7 +5,7 @@ Summary: NetworkManager VPN plugin for OpenVPN
Name: NetworkManager-openvpn Name: NetworkManager-openvpn
Epoch: 1 Epoch: 1
Version: 1.0.0 Version: 1.0.0
Release: 2%{?snapshot}%{?dist} Release: 3%{?snapshot}%{?dist}
License: GPLv2+ License: GPLv2+
URL: http://www.gnome.org/projects/NetworkManager/ URL: http://www.gnome.org/projects/NetworkManager/
Group: System Environment/Base Group: System Environment/Base
@ -16,6 +16,8 @@ Group: System Environment/Base
# mv NetworkManager-openvpn-0.9.9.0.tar.bz2 NetworkManager-openvpn-0.9.9.0-5afb8eb.tar.bz2 # mv NetworkManager-openvpn-0.9.9.0.tar.bz2 NetworkManager-openvpn-0.9.9.0-5afb8eb.tar.bz2
Source0: http://ftp.gnome.org/pub/GNOME/sources/%{name}/1.0/%{name}-%{version}%{?commit:-%{commit}}.tar.xz Source0: http://ftp.gnome.org/pub/GNOME/sources/%{name}/1.0/%{name}-%{version}%{?commit:-%{commit}}.tar.xz
Patch0: 0001-core-use-a-default-renegotiation-interval-of-zero-rh.patch
BuildRequires: gtk3-devel BuildRequires: gtk3-devel
BuildRequires: dbus-devel BuildRequires: dbus-devel
BuildRequires: NetworkManager-devel BuildRequires: NetworkManager-devel
@ -58,6 +60,7 @@ the OpenVPN server with NetworkManager (GNOME files).
%prep %prep
%setup -q -n %{name}-%{version} %setup -q -n %{name}-%{version}
%patch0 -p1
%build %build
if [ ! -f configure ]; then if [ ! -f configure ]; then
@ -95,6 +98,9 @@ rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.la
%{_datadir}/gnome-vpn-properties/openvpn/nm-openvpn-dialog.ui %{_datadir}/gnome-vpn-properties/openvpn/nm-openvpn-dialog.ui
%changelog %changelog
* Wed Apr 8 2015 Dan Williams <dcbw@redhat.com> - 1:1.0.0-3
- Default client renegotiation interval to zero (rh #969433)
* Mon Feb 23 2015 Lubomir Rintel <lkundrak@v3.sk> - 1:1.0.0-2 * Mon Feb 23 2015 Lubomir Rintel <lkundrak@v3.sk> - 1:1.0.0-2
- Fix Source url - Fix Source url

Loading…
Cancel
Save