Re: FWD: [PATCH] (Fixed) Support for openvpn --auth option



On Mon, 2008-11-24 at 22:31 +0100, Robert Vogelgesang wrote:
> Hello,
> 
> two weeks ago I posted the attached message to this list.
> Since then, I received not a single response.  Does really
> nobody care?  Nobody interested in further development of
> the openvpn plugin?

No, just tons of stuff to do :)  Sorry...  see below.

> 	Robert
> 
> email message attachment
> > -------- Forwarded Message --------
> > From: Robert Vogelgesang <vogel users sourceforge net>
> > To: networkmanager-list gnome org
> > Subject: [PATCH] (Fixed) Support for openvpn --auth option
> > Date: Mon, 10 Nov 2008 00:18:39 +0100
> > 
> > Hello everybody,
> > 
> > please find attached the second (and fixed) version of my patch to add
> > support for the --auth option of openvpn to the NetworkManager-openvpn
> > plugin.  The patch is against NetworkManager-openvpn-0.7.0-16.svn4027
> > (Fedora 9).

(rant) Sensible solutions include a negotiation phase where the client
and server agree on a set of parameters *during the process*.  That way,
users don't have to set this crap manually.  Apparently, the OpenVPN
developers aren't interested in making their software actually usable.
The number of options is staggering, but worse than that, you have to
know *exactly* how the server is set up to connect, otherwise you simply
fail.  That's not how you make usable software.

> > My work was triggered by the fact that I tried (and failed) to get a
> > "SSL VPN" connection to an Astaro firewall, using Fedora 9.  The logs
> > showed that Astaro used MD5 HMAC authentication, whereas my Fedora 9
> > system used SHA1 (the default).  So I started hacking...
> > 
> > The attached patch is sufficient to get a working "SSL VPN" connection
> > to an Astaro firewall.
> > 
> > For minimal impact, I chose to implement the --auth option in the
> > same way as the --cipher option.  Both the "new" --auth and the "old"
> > --cipher options share the following issues:
> > 
> > o	When a non-default value was saved and you want to switch back
> > 	to "Default" later on, then this change does not get saved and
> > 	the non-default value remains in the config.
> > 
> > 	As far as I understand the plugin code, this issue seems to be
> > 	caused by NetworkManager or gconfd, not by the openvpn plugin
> > 	(the hash returned by advanced_dialog_new_hash_from_dialog() does
> > 	not contain the --auth/--cipher value when "Default" was chosen).
> > 
> > 	Is this a known issue?  (bugzilla.gnome.org didn't show anything
> > 	similar for NetworkManager)

That should be handled in nm_gconf_set_stringhash_helper() in
src/gconf-helpers/gconf-helpers.c, where keys not in the hash table get
deleted from GConf.  If the parameter is the default value, it shouldn't
show up in GConf at all, as you see by
advanced_dialog_new_hash_from_dialog() returning a hash table without
that key in the table.  Could you check to see if the non-default value
key is correctly getting removed from GConf by the code in
nm_gconf_set_stringhash_helper()?

> > o	Openvpn supports these options for both static and TLS modes.
> > 	The openvpn plugin for NetworkManager carries the --cipher option
> > 	(and with my patch, the --auth option, too) on the "Certificates
> > 	(TLS)" tab of the "advanced" popup, which is only available when
> > 	using TLS modes and not when using static keys.
> > 
> > 	The easiest fix would be to move the popup menu(s) (GtkComboBox)
> > 	for --cipher (and --auth) to the "General" tab.  A little bit more
> > 	work, but maybe better for future extensions:  Introduce a new
> > 	tab "Encryption" for these options.  What do you think/prefer?

How about we name it "Security" instead?  I'd take a good look at a
patch that did that.

> > 
> > I'm willing to fix the second issue and to do some more research on the
> > first one if there is a real chance that support for the --auth option
> > of openvpn gets accepted into the NetworkManager distribution.  ;-)

Yeah, that would be great if you could.  Thanks!

Dan
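The failure Robert describes (client defaulting to SHA1 while the server runs an MD5 HMAC) is a plain configuration mismatch, so it can be caught before connecting. The following added example, which is not code from the thread or from the NetworkManager plugin, parses two OpenVPN config fragments, applies the OpenVPN 2.x-era defaults (SHA1 for `--auth`, BF-CBC for `--cipher`; assumed for the versions discussed here, later releases changed and negotiate these) and lists every directive on which client and server disagree. The sample configs are constructed, not the poster's real Astaro or Fedora files.

```python
"""Compare the --auth (HMAC digest) and --cipher settings of two OpenVPN
config fragments and report disagreements that would make the connection
fail. Added example; not part of the mailing-list thread."""

# Assumed defaults of the OpenVPN 2.x releases discussed in the thread.
DEFAULTS = {"auth": "SHA1", "cipher": "BF-CBC"}


def parse_config(text):
    """Return {directive: value} for the directives in DEFAULTS.

    '#' and ';' start comments (full-line or trailing); the last occurrence
    of a directive wins, matching openvpn's own handling. Values are
    upper-cased because OpenSSL digest/cipher names are case-insensitive.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()
        if key in DEFAULTS and len(parts) >= 2:
            found[key] = parts[1].upper()
    return found


def effective_settings(text):
    """Defaults overlaid with whatever the config sets explicitly."""
    settings = dict(DEFAULTS)
    settings.update(parse_config(text))
    return settings


def find_mismatches(client_cfg, server_cfg):
    """Return [(directive, client_value, server_value)] for each disagreement."""
    c = effective_settings(client_cfg)
    s = effective_settings(server_cfg)
    return [(k, c[k], s[k]) for k in sorted(DEFAULTS) if c[k] != s[k]]


# Constructed sample configs: the client leaves --auth unset (SHA1 default),
# the server was deployed with an MD5 HMAC, as in the Astaro case above.
CLIENT_CFG = """
client
dev tun
remote vpn.example.invalid 1194
cipher AES-256-CBC
"""

SERVER_CFG = """
dev tun
server 10.8.0.0 255.255.255.0
auth MD5      ; HMAC digest chosen on the firewall side
cipher AES-256-CBC
"""

if __name__ == "__main__":
    for directive, cval, sval in find_mismatches(CLIENT_CFG, SERVER_CFG):
        print(f"{directive}: client uses {cval}, server uses {sval}")
```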