Re: [Openvpn-users] Safe to use old clients (1.5) with new 2.0beta7 server mode?


  • Subject: Re: [Openvpn-users] Safe to use old clients (1.5) with new 2.0beta7 server mode?
  • From: Evan Harris <eharris@xxxxxxxxxxxxx>
  • Date: Tue, 27 Jul 2004 17:20:53 -0500 (CDT)

That's unfortunate.  Will static key support be added to the server mode in
the near future?

I guess I may have to take a shot at hacking it to try every static key in
decrypting a received block until the right one is found, and then cache a
pointer for that key to be used for that host/port combo.  May require
pings, but we're using that already.

Evan


On Tue, 27 Jul 2004, James Yonan wrote:

> On Tuesday 27 July 2004 16:44, Evan Harris wrote:
> > I'm not completely clear, but isn't TLS only used for public key
> > encryption? We're using static keys.  How exactly is a client id gotten in
> > a static key config?
>
> Static key tunnels are stateless and contain no identification handshake.  The
> 2.0 server mode requires TLS mode.
>
> James
>
> >
> > Evan
> >
> > On Tue, 27 Jul 2004, James Yonan wrote:
> > > On Tuesday 27 July 2004 13:55, Evan Harris wrote:
> > > > First attempt was blocked by sourceforge, hopefully this will work.
> > > >
> > > > ---------- Forwarded message ----------
> > > > Date: Tue, 27 Jul 2004 13:03:36 -0500 (CDT)
> > > > From: Evan Harris <eharris@xxxxxxxxxxxxx>
> > > > To: James Yonan <jim@xxxxxxxxx>
> > > > Cc: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> > > > Subject: Re: [Openvpn-users] Safe to use old clients (1.5) with new
> > > >     2.0beta7 server mode?
> > > >
> > > >
> > > > I've been reading a little more of the docs, and came up with another
> > > > issue. How will the 1.5 clients be identified by the 2.0 server?  Will
> > > > the 2.0 server be able to tell which key to use for clients if they
> > > > don't supply the common-name value (as I assume that wasn't in 1.5)?
> > >
> > > The 1.5 clients will identify themselves fine to the 2.0 server.  That is
> > > done during the TLS negotiation.
> > >
> > > The problem is that the 1.5 clients do not understand the "pull"
> > > directive, so they will not send a PUSH_REQUEST message to the server,
> > > and will therefore not get the necessary extra config file parameters
> > > like the ifconfig endpoints for example.
> > >
> > > James
> > >
> > > > Evan
> > > >
> > > > On Tue, 27 Jul 2004, James Yonan wrote:
> > > > > On Friday 23 July 2004 13:45, Evan Harris wrote:
> > > > > > I've been waiting for the server mode a long time so that one port
> > > > > > allowed through firewalls can support many client connections.  I'm
> > > > > > using udp and tun.
> > > > > >
> > > > > > I'm thinking of testing the new stuff with our systems, but I'd
> > > > > > like to know if it is safe/possible to use the new code in server
> > > > > > mode on our vpn server with old 1.5 clients which is what all of
> > > > > > our other systems use. Many of those clients will be very hard to
> > > > > > upgrade, so I'd like to do it over an extended time period.
> > > > >
> > > > > The problem with connecting a 1.5 client to a 2.0 server is that the
> > > > > "pull" directive was only introduced in 2.0 and doesn't exist on 1.5.
> > > > >
> > > > > And without being able to use "pull" on the clients, the utility of
> > > > > the 2.0 server mode is vastly diminished.
> > > > >
> > > > > James
> > > >
> > > > -------------------------------------------------------
> > > > This SF.Net email is sponsored by BEA Weblogic Workshop
> > > > FREE Java Enterprise J2EE developer tools!
> > > > Get your free copy of BEA WebLogic Workshop 8.1 today.
> > > > http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
> > > > _______________________________________________
> > > > Openvpn-users mailing list
> > > > Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> > > > https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
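The idea in the top message, trying every static key on a received block and caching the match per host/port, sketched as an added example (not OpenVPN code and not from the thread). Assumptions: a constructed `tag || payload` packet format rather than OpenVPN's wire format, HMAC-SHA256 verification standing in for decryption as the test for the right key, and the hypothetical names `seal` and `StaticKeySelector`.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def seal(key, payload):
    """Build a constructed test packet: tag || payload (assumed format)."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


class StaticKeySelector:
    """Hypothetical helper: map an unidentified peer to one of several static keys."""

    def __init__(self, keys):
        self.keys = keys    # peer name -> static key (bytes)
        self.cache = {}     # (host, port) -> peer name that last authenticated
        self.trials = 0     # HMAC computations performed, to expose the cost

    def _valid(self, name, packet):
        self.trials += 1
        tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
        expected = hmac.new(self.keys[name], payload, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)  # constant-time comparison

    def identify(self, addr, packet):
        """Return the peer name whose key authenticates the packet, else None."""
        if len(packet) < TAG_LEN:
            return None
        cached = self.cache.get(addr)
        if cached is not None and self._valid(cached, packet):
            return cached
        # Cache miss or stale entry (different peer behind the same address):
        # fall back to scanning every other configured key.
        for name in self.keys:
            if name != cached and self._valid(name, packet):
                self.cache[addr] = name
                return name
        # No key matched. The packet is dropped and the cache is left alone,
        # so forged traffic cannot evict or create an entry.
        return None
```

Every packet from an uncached address costs up to one HMAC per configured key, so anything built on this approach needs a rate limit on cache misses.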