git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Yawning Angel <yawning@schwanenlied.me>
	Mon, 10 Mar 2014 03:47:58 +0000 (03:47 +0000)
committer	Gert Doering <gert@greenie.muc.de>
	Sun, 13 Apr 2014 18:34:49 +0000 (20:34 +0200)
commit	2903eba5dfe35c981329a833845e24de3882161a
tree	10fa73b98e56c7e460087438ad38635d02f53af9	tree
parent	a95358af543b9106f4ef481e4556d1d03459d058	commit \| diff

Fix SOCKSv5 method selection

So, RFC 1928 doesn't say anything about the METHODS field in the Method
Selection message being ordered in terms of preference or anything, and
the server is free to pick any of the METHODS offered by the client.

Always sending a Method Selection message with NO AUTHENTICATION REQUIRED
and USERNAME/PASSWORD set is broken on two fronts:

* If the OpenVPN client can't handle the server picking USERNAME/PASSWORD
   due to the credentials being missing, it shouldn't offer it to the
server.

* If the OpenVPN client has credentials, then it should always attempt to
   authenticate.  This is a security product.  "You can misconfigure it and
   it will work" is not acceptable.  Setting a username/password when the
   SOCKS server doesn't require/support that as an option is the user not
   configuring it correctly, and should be treated as such.

Also verify that the SOCKS server returned the auth that was requested.

URL: https://github.com/OpenVPN/openvpn/pull/14
Fix trac #377, trac #148
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20140413130102.GR16637@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8488

Signed-off-by: Gert Doering <gert@greenie.muc.de>