dcbw pushed to NetworkManager-openvpn (master). "Default client renegotiation interval to zero (rh #969433)"

notifications at fedoraproject.org
Wed Apr 8 15:08:42 UTC 2015


From 1cbade2886c3267e4164ed5e53a3fbdd3ad8fdee Mon Sep 17 00:00:00 2001
From: Dan Williams <dcbw at redhat.com>
Date: Wed, 8 Apr 2015 10:09:13 -0500
Subject: Default client renegotiation interval to zero (rh #969433)


diff --git a/0001-core-use-a-default-renegotiation-interval-of-zero-rh.patch b/0001-core-use-a-default-renegotiation-interval-of-zero-rh.patch
new file mode 100644
index 0000000..2ea57b3
--- /dev/null
+++ b/0001-core-use-a-default-renegotiation-interval-of-zero-rh.patch
@@ -0,0 +1,42 @@
+From 81149fd01897166cee5649d2da3801f2a5a45b5c Mon Sep 17 00:00:00 2001
+From: Dan Williams <dcbw at redhat.com>
+Date: Wed, 8 Apr 2015 09:37:56 -0500
+Subject: [PATCH] core: use a default renegotiation interval of zero (rh
+ #969433)
+
+Since the client and server do not negotiate options, each side gets
+to specify its own --reneg-sec to control when each side renegotiates.
+OpenVPN defaults to 3600, so if the client and server don't agree this
+causes too-frequent renegotiations.
+
+This is worse with two-factor authentication, becuase it can mean that
+the client requests a password/PIN from the user much more often then
+the server actually wants.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=969433
+---
+ src/nm-openvpn-service.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
+index 8282573..93ced6c 100644
+--- a/src/nm-openvpn-service.c
++++ b/src/nm-openvpn-service.c
+@@ -1115,6 +1115,14 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
+ 			free_openvpn_args (args);
+ 			return FALSE;
+ 		}
++	} else {
++		/* Either the server and client must agree on the renegotiation
++		 * interval, or it should be disabled on one side to prevent
++		 * too-frequent renegotiations, which make two-factor auth quite
++		 * painful.
++		 */
++		add_openvpn_arg (args, "--reneg-sec");
++		add_openvpn_arg (args, "0");
+ 	}
+ 
+ 	if (debug) {
+-- 
+2.1.0
+
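Review bot: the added else branch in nm_openvpn_start_openvpn_binary passes "--reneg-sec 0" as a default, and its comment does not say what this leaves in place: once the client side is disabled, the server's interval is the only one that triggers renegotiation, and nothing here covers the case where the server has it disabled as well. The condition of the if that this else pairs with is outside the visible context, so this assumes it is the check for a user-configured value. Since the commit message notes that client and server do not negotiate options, the client cannot know the server's setting; I would extend the comment to state that with this default renegotiation timing is left entirely to the server, and that a user who wants a client-side limit has to set the value explicitly on the connection. Two wording fixes in the commit message while you are there: "becuase" should be "because" and "more often then" should be "more often than".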
diff --git a/NetworkManager-openvpn.spec b/NetworkManager-openvpn.spec
index df84c19..88687d4 100644
--- a/NetworkManager-openvpn.spec
+++ b/NetworkManager-openvpn.spec
@@ -5,7 +5,7 @@ Summary:   NetworkManager VPN plugin for OpenVPN
 Name:      NetworkManager-openvpn
 Epoch:     1
 Version:   1.0.0
-Release:   2%{?snapshot}%{?dist}
+Release:   3%{?snapshot}%{?dist}
 License:   GPLv2+
 URL:       http://www.gnome.org/projects/NetworkManager/
 Group:     System Environment/Base
@@ -16,6 +16,8 @@ Group:     System Environment/Base
 # mv NetworkManager-openvpn-0.9.9.0.tar.bz2 NetworkManager-openvpn-0.9.9.0-5afb8eb.tar.bz2
 Source0:   http://ftp.gnome.org/pub/GNOME/sources/%{name}/1.0/%{name}-%{version}%{?commit:-%{commit}}.tar.xz
 
+Patch0:    0001-core-use-a-default-renegotiation-interval-of-zero-rh.patch
+
 BuildRequires: gtk3-devel
 BuildRequires: dbus-devel
 BuildRequires: NetworkManager-devel
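Review bot: the Patch0 line is added with no comment above it saying where the patch comes from or whether it is already upstream. The patch file carries its own commit header (81149fd01897166cee5649d2da3801f2a5a45b5c), so a one-line comment above Patch0 naming that commit and rh #969433 would tell the next packager when the patch can be dropped on a rebase.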
@@ -58,6 +60,7 @@ the OpenVPN server with NetworkManager (GNOME files).
 
 %prep
 %setup -q -n %{name}-%{version}
+%patch0 -p1
 
 %build
 if [ ! -f configure ]; then
@@ -95,6 +98,9 @@ rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.la
 %{_datadir}/gnome-vpn-properties/openvpn/nm-openvpn-dialog.ui
 
 %changelog
+* Wed Apr  8 2015 Dan Williams <dcbw at redhat.com> - 1:1.0.0-3
+- Default client renegotiation interval to zero (rh #969433)
+
 * Mon Feb 23 2015 Lubomir Rintel <lkundrak at v3.sk> - 1:1.0.0-2
 - Fix Source url
 
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/NetworkManager-openvpn.git/commit/?h=master&id=1cbade2886c3267e4164ed5e53a3fbdd3ad8fdee

