- mbed TLS builds: minimum RSA key size is now 2048 bits. Shorter keys will
not be accepted, both local and from the peer.
+- --http-proxy-timeout and the static non-changeable socks timeout (5s)
+ have been folded into a "unified" --connect-timeout which covers all
+ steps needed to connect to the server, up to the start of the TLS exchange.
+ The default value has been raised to 120s, to handle slow http/socks
+ proxies graciously. The old "fail TCP fast" behaviour can be achieved by
+ adding "--connect-timeout 10" to the client config.
+
Maintainer-visible changes
--------------------------
.B http\-proxy,
.B http\-proxy\-option,
.B http\-proxy\-retry,
-.B http\-proxy\-timeout,
.B link\-mtu,
.B local,
.B lport,
seconds between connection attempts (default=5).
.\"*********************************************************
.TP
-.B \-\-connect\-timeout n
-For
-.B \-\-proto tcp\-client,
-set connection timeout to
-.B n
-seconds (default=10).
-.\"*********************************************************
-.TP
.B \-\-connect\-retry\-max n
.B n
specifies the number of times all
occurs, simulate a SIGUSR1 reset.
.\"*********************************************************
.TP
-.B \-\-http\-proxy\-timeout n
-Set proxy timeout to
-.B n
-seconds, default=5.
-.\"*********************************************************
-.TP
.B \-\-http\-proxy\-option type [parm]
Set extended HTTP proxy options.
Repeat to set multiple options.
.\"*********************************************************
.TP
.B \-\-server\-poll\-timeout n
-when polling possible remote servers to connect to
-in a round-robin fashion, spend no more than
+.B \-\-connect\-timeout n
+when connecting to a remote server do not wait for more than
.B n
seconds waiting for a response before trying the next server.
-As this only makes sense in client-to-server setups, it cannot
-be used in point-to-point setups using
-.B \-\-secret
-symmetrical key mode.
+The default value is 120s. This timeout includes proxy and TCP
+connect timeouts.
.\"*********************************************************
.TP
.B \-\-explicit\-exit\-notify [n]
{
void check_server_poll_timeout_dowork (struct context *c);
- if (c->options.server_poll_timeout
+ if (c->options.ce.connect_timeout
&& event_timeout_trigger (&c->c2.server_poll_interval, &c->c2.timeval, ETT_DEFAULT))
check_server_poll_timeout_dowork (c);
}
register_signal (c, SIGTERM, "inactive");
}
+int
+get_server_poll_remaining_time (struct event_timeout* server_poll_timeout)
+{
+ update_time();
+ int remaining = event_timeout_remaining(server_poll_timeout);
+ return max_int (0, remaining);
+}
#if P2MP
void
return;
#if P2MP
- check_server_poll_timeout (c);
- if (c->sig->signal_received)
- return;
+ if (c->c2.tls_multi)
+ {
+ check_server_poll_timeout (c);
+ if (c->sig->signal_received)
+ return;
- check_scheduled_exit (c);
- if (c->sig->signal_received)
- return;
+ check_scheduled_exit (c);
+ if (c->sig->signal_received)
+ return;
+ }
#endif
#ifdef ENABLE_OCC
* once for each remaining fragment with this parameter set to false.
*/
void encrypt_sign (struct context *c, bool comp_frag);
-
+int get_server_poll_remaining_time (struct event_timeout* server_poll_timeout);
/**********************************************************************/
/**
c->c2.coarse_timer_wakeup = 0;
}
+/*
+ * Initialise the server poll timeout timer
+ * This timer is used in the http/socks proxy setup so it needs to be setup
+ * before
+ */
+static void
+do_init_server_poll_timeout (struct context *c)
+{
+ update_time ();
+ if (c->options.ce.connect_timeout)
+ event_timeout_init (&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
+}
+
/*
* Initialize timers
*/
if (c->options.ping_rec_timeout)
event_timeout_init (&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
-#if P2MP
- if (c->options.server_poll_timeout)
- event_timeout_init (&c->c2.server_poll_interval, c->options.server_poll_timeout, now);
-#endif
-
if (!deferred)
{
/* initialize connection establishment timer */
#if P2MP
if (auth_retry_get () == AR_NOINTERACT)
sec = 10;
-
-#if 0 /* not really needed because of c->persist.restart_sleep_seconds */
- if (c->options.server_poll_timeout && sec > 1)
- sec = 1;
-#endif
#endif
if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
msg (M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
#endif
-#ifndef CONNECT_NONBLOCK
- if (o->ce.connect_timeout_defined)
- msg (M_WARN, "NOTE: --connect-timeout option is not supported on this OS");
-#endif
-
/* If a script is used, print appropiate warnings */
if (o->user_script_used)
{
c->options.ipchange,
c->plugins,
c->options.resolve_retry_seconds,
- c->options.ce.connect_timeout,
c->options.ce.mtu_discover_type,
c->options.rcvbuf,
c->options.sndbuf,
c->options.mark,
+ &c->c2.server_poll_interval,
sockflags);
}
*/
do_uid_gid_chroot (c, c->c2.did_open_tun);
+ /* initialise connect timeout timer */
+ do_init_server_poll_timeout(c);
+
/* finalize the TCP/UDP socket */
if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
do_init_socket_2 (c);
et->n = (n >= 0) ? n : 0;
}
+/*
+ * Will return the time left for a timeout, this function does not check
+ * if the timeout is actually valid
+ */
+static inline interval_t event_timeout_remaining (struct event_timeout* et)
+{
+ return (int) et->last + et->n - now;
+}
+
/*
* This is the principal function for testing and triggering recurring
* timers and will return true on a timer signal event.
time_t update_timeout_random_component;
struct timeval timeout_random_component;
+ /* Timer for everything up to the first packet from the *OpenVPN* server
+ * socks, http proxy, and tcp packets do not count */
+ struct event_timeout server_poll_interval;
+
/* indicates that the do_up_delay function has run */
bool do_up_ran;
md_ctx_t pulled_options_state;
struct md5_digest pulled_options_digest;
- struct event_timeout server_poll_interval;
-
struct event_timeout scheduled_exit;
int scheduled_exit_signal;
#endif
" p = udp6, tcp6-server, or tcp6-client (ipv6)\n"
"--connect-retry n : For --proto tcp-client, number of seconds to wait\n"
" between connection retries (default=%d).\n"
- "--connect-timeout n : For --proto tcp-client, connection timeout (in seconds).\n"
"--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
"--http-proxy s p [up] [auth] : Connect to remote host\n"
" through an HTTP proxy at address s and port p.\n"
" determine auth method and query for username/password\n"
" if needed. auto-nct disables weak proxy auth methods.\n"
"--http-proxy-retry : Retry indefinitely on HTTP proxy errors.\n"
- "--http-proxy-timeout n : Proxy timeout in seconds, default=5.\n"
"--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
" Repeat to set multiple options.\n"
" VERSION version (default=1.0)\n"
" none (default), interact, or nointeract.\n"
"--static-challenge t e : Enable static challenge/response protocol using\n"
" challenge text t, with e indicating echo flag (0|1)\n"
- "--server-poll-timeout n : when polling possible remote servers to connect to\n"
+ "--connect-timeout n : when polling possible remote servers to connect to\n"
" in a round-robin fashion, spend no more than n seconds\n"
" waiting for a response before trying the next server.\n"
#endif
o->ce.af = AF_UNSPEC;
o->ce.bind_ipv6_only = false;
o->ce.connect_retry_seconds = 5;
- o->ce.connect_timeout = 10;
+ o->ce.connect_timeout = 120;
o->connect_retry_max = 0;
o->ce.local_port = o->ce.remote_port = OPENVPN_PORT;
o->verbosity = 1;
#endif
#if P2MP
o->scheduled_exit_interval = 5;
- o->server_poll_timeout = 0;
#endif
#ifdef ENABLE_CRYPTO
o->ciphername = "BF-CBC";
SHOW_STR (auth_method_string);
SHOW_STR (auth_file);
SHOW_BOOL (retry);
- SHOW_INT (timeout);
SHOW_STR (http_version);
SHOW_STR (user_agent);
for (i=0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name;i++)
ho->server = string_alloc(server, gc);
ho->port = port;
ho->retry = true;
- ho->timeout = 5;
if (flags && !strcmp(flags, "nct"))
ho->auth_retry = PAR_NCT;
else
if (options->lladdr && dev != DEV_TYPE_TAP)
msg (M_USAGE, "--lladdr can only be used in --dev tap mode");
- /*
- * Sanity check on TCP mode options
- */
- if (ce->connect_timeout_defined && ce->proto != PROTO_TCP_CLIENT)
- msg (M_USAGE, "--connect-timeout doesn't make sense unless also used with "
- "--proto tcp-client or tcp6-client");
-
/*
* Sanity check on MTU parameters
*/
MUST_BE_UNDEF (pkcs11_id);
MUST_BE_UNDEF (pkcs11_id_management);
#endif
-#if P2MP
- MUST_BE_UNDEF (server_poll_timeout);
-#endif
if (pull)
msg (M_USAGE, err, "--pull");
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
options->ce.connect_retry_seconds = positive_atoi (p[1]);
}
- else if (streq (p[0], "connect-timeout") && p[1] && !p[2])
+ else if ((streq (p[0], "connect-timeout") || streq (p[0], "server-poll-timeout"))
+ && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
options->ce.connect_timeout = positive_atoi (p[1]);
- options->ce.connect_timeout_defined = true;
}
else if (streq (p[0], "connect-retry-max") && p[1] && !p[2])
{
}
else if (streq (p[0], "http-proxy-timeout") && p[1] && !p[2])
{
- struct http_proxy_options *ho;
-
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc);
- ho->timeout = positive_atoi (p[1]);
+ msg (M_WARN, "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a "
+ "server is established is managed with a single timeout set by connect-timeout");
}
else if (streq (p[0], "http-proxy-option") && p[1] && !p[4])
{
options->push_peer_info = true;
}
#endif
-#if P2MP
else if (streq (p[1], "SERVER_POLL_TIMEOUT") && p[2])
{
- options->server_poll_timeout = positive_atoi(p[2]);
+ options->ce.connect_timeout = positive_atoi(p[2]);
}
-#endif
else
{
if (streq (p[1], "FORWARD_COMPATIBLE") && p[2] && streq (p[2], "1"))
VERIFY_PERMISSION (OPT_P_PULL_MODE);
options->push_continuation = atoi(p[1]);
}
- else if (streq (p[0], "server-poll-timeout") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->server_poll_timeout = positive_atoi(p[1]);
- }
else if (streq (p[0], "auth-user-pass") && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
bool bind_local;
int connect_retry_seconds;
int connect_timeout;
- bool connect_timeout_defined;
struct http_proxy_options *http_proxy_options;
const char *socks_proxy_server;
const char *socks_proxy_port;
const char *auth_user_pass_file;
struct options_pre_pull *pre_pull;
- int server_poll_timeout;
-
int scheduled_exit_interval;
#ifdef ENABLE_CLIENT_CR
#include "httpdigest.h"
#include "ntlm.h"
#include "memdbg.h"
+#include "forward.h"
#define UP_TYPE_PROXY "HTTP Proxy"
{
ALLOC_OBJ_CLEAR_GC (*hpo, struct http_proxy_options, gc);
/* http proxy defaults */
- (*hpo)->timeout = 5;
(*hpo)->http_version = "1.0";
}
return *hpo;
purge_user_pass (&static_proxy_user_pass, true);
}
+#if 0
+/* function only used in #if 0 debug statement */
static void
dump_residual (socket_descriptor_t sd,
int timeout,
msg (D_PROXY, "PROXY HEADER: '%s'", buf);
}
}
+#endif
/*
* Extract the Proxy-Authenticate header from the stream.
socket_descriptor_t sd, /* already open to proxy */
const char *host, /* openvpn server remote */
const char *port, /* openvpn server port */
+ struct event_timeout* server_poll_timeout,
struct buffer *lookahead,
volatile int *signal_received)
{
goto error;
/* receive reply from proxy */
- if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received))
+ if (!recv_line (sd, buf, sizeof(buf), get_server_poll_remaining_time (server_poll_timeout), true, NULL, signal_received))
goto error;
/* remove trailing CR, LF */
while (true)
{
- if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received))
+ if (!recv_line (sd, buf, sizeof(buf), get_server_poll_remaining_time (server_poll_timeout), true, NULL, signal_received))
goto error;
chomp (buf);
msg (D_PROXY, "HTTP proxy returned: '%s'", buf);
goto error;
/* receive reply from proxy */
- if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received))
+ if (!recv_line (sd, buf, sizeof(buf), get_server_poll_remaining_time (server_poll_timeout), true, NULL, signal_received))
goto error;
/* remove trailing CR, LF */
goto error;
/* receive reply from proxy */
- if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received))
+ if (!recv_line (sd, buf, sizeof(buf), get_server_poll_remaining_time (server_poll_timeout), true, NULL, signal_received))
goto error;
/* remove trailing CR, LF */
/* figure out what kind of authentication the proxy needs */
char *pa = NULL;
const int method = get_proxy_authenticate(sd,
- p->options.timeout,
+ get_server_poll_remaining_time (server_poll_timeout),
&pa,
NULL,
signal_received);
msg (D_LINK_ERRORS, "HTTP proxy returned bad status");
#if 0
/* DEBUGGING -- show a multi-line HTTP error response */
- dump_residual(sd, p->options.timeout, signal_received);
+ dump_residual(sd, get_server_poll_remaining_time (server_poll_timeout), signal_received);
#endif
goto error;
}
/* SUCCESS */
/* receive line from proxy and discard */
- if (!recv_line (sd, NULL, 0, p->options.timeout, true, NULL, signal_received))
+ if (!recv_line (sd, NULL, 0, get_server_poll_remaining_time (server_poll_timeout), true, NULL, signal_received))
goto error;
/*
const char *server;
const char *port;
bool retry;
- int timeout;
# define PAR_NO 0 /* don't support any auth retries */
# define PAR_ALL 1 /* allow all proxy auth protocols */
socket_descriptor_t sd, /* already open to proxy */
const char *host, /* openvpn server remote */
const char *port, /* openvpn server port */
+ struct event_timeout* server_poll_timeout,
struct buffer *lookahead,
volatile int *signal_received);
#include "misc.h"
#include "manage.h"
#include "openvpn.h"
+#include "forward.h"
#include "memdbg.h"
const char *ipchange_command,
const struct plugin_list *plugins,
int resolve_retry_seconds,
- int connect_timeout,
int mtu_discover_type,
int rcvbuf,
int sndbuf,
int mark,
+ struct event_timeout* server_poll_timeout,
unsigned int sockflags)
{
ASSERT (sock);
sock->bind_local = bind_local;
sock->inetd = inetd;
sock->resolve_retry_seconds = resolve_retry_seconds;
- sock->connect_timeout = connect_timeout;
sock->mtu_discover_type = mtu_discover_type;
#ifdef ENABLE_DEBUG
sock->info.bind_ipv6_only = bind_ipv6_only;
sock->info.ipchange_command = ipchange_command;
sock->info.plugins = plugins;
+ sock->server_poll_timeout = server_poll_timeout;
sock->mode = mode;
if (mode == LS_MODE_TCP_ACCEPT_FROM)
do {
socket_connect (&sock->sd,
sock->info.lsa->current_remote->ai_addr,
- sock->connect_timeout,
+ get_server_poll_remaining_time (sock->server_poll_timeout),
sig_info);
if (sig_info->signal_received)
sock->sd,
sock->proxy_dest_host,
sock->proxy_dest_port,
+ sock->server_poll_timeout,
&sock->stream_buf.residual,
&sig_info->signal_received);
}
{
socket_connect (&sock->ctrl_sd,
sock->info.lsa->current_remote->ai_addr,
- sock->connect_timeout,
+ get_server_poll_remaining_time (sock->server_poll_timeout),
sig_info);
if (sig_info->signal_received)
int mode;
int resolve_retry_seconds;
- int connect_timeout;
int mtu_discover_type;
struct socket_buffer_size socket_buffer_sizes;
const char *proxy_dest_host;
const char *proxy_dest_port;
+ /* Pointer to the server-poll to trigger the timeout in function which have
+ * their own loop instead of using the main oop */
+ struct event_timeout* server_poll_timeout;
+
#if PASSTOS_CAPABILITY
/* used to get/set TOS. */
#if defined(TARGET_LINUX)
const char *ipchange_command,
const struct plugin_list *plugins,
int resolve_retry_seconds,
- int connect_timeout,
int mtu_discover_type,
int rcvbuf,
int sndbuf,
int mark,
+ struct event_timeout* server_poll_timeout,
unsigned int sockflags);
void link_socket_init_phase2 (struct link_socket *sock,
projects / thirdparty / openvpn.git / commitdiff
