Description of problem: NetworkManager-openvpn does not support the openvpn parameters "reneg-bytes" "reneg-pkts" "reneg-sec". This causes it to always default to renegotiation of the control channel every hour, even if the server has it set larger. In the situation of 2-factor auth, the cached password is invalid, and the connection will always die after 1 hour.
Version-Release number of selected component (if applicable): NetworkManager-openvpn-0.7.0.99-1.fc10.i386
How reproducible: Configure openvpn server with no reneg time, or a very long one (1 day, etc) and connect to it using nm-openvpn
Actual results: After 1 hour (the default time), the client will issue a renegotiation which will always fail due to 2-factor authentication rendering the cached password incorrect.
Expected results: Have a configuration option to set the reneg options in the GUI, or provide a "custom options" line so uncommonly used parameters can be added if needs be.
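The failure described in the report can be checked for in a client configuration before it is deployed. The following is an added example, not part of the original report or of NetworkManager-openvpn: it reads an OpenVPN-style client config and reports which client-side renegotiation triggers would force re-authentication with a cached password. The function names, the `one_time_password` parameter and the sample configs are assumptions made for illustration.

```python
import shlex

DEFAULT_RENEG_SEC = 3600  # "every hour", the client default named in the report

def parse_client_config(text):
    """Map each option in an OpenVPN-style config to its argument list."""
    opts = {}
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # drops '#' comments
        if parts and not parts[0].startswith(";"):
            opts[parts[0].lstrip("-")] = parts[1:]
    return opts

def audit(text, one_time_password):
    """Return (client reneg interval in seconds, list of findings)."""
    opts = parse_client_config(text)
    args = opts.get("reneg-sec")
    interval = int(args[0]) if args else DEFAULT_RENEG_SEC
    findings = []
    if "auth-user-pass" in opts and one_time_password:
        if interval > 0:
            findings.append(
                f"reneg-sec: client renegotiates after {interval}s and replays "
                "the cached password, which a one-time code cannot satisfy")
        for name in ("reneg-bytes", "reneg-pkts"):
            if opts.get(name) and int(opts[name][0]) > 0:
                findings.append(f"{name}: renegotiation also triggers after "
                                f"{opts[name][0]} {name.split('-')[1]}")
    return interval, findings

# Constructed sample configs (vpn.example.com is a placeholder).
BEFORE = """client
remote vpn.example.com 1194
auth-user-pass
"""
AFTER = BEFORE + "reneg-sec 0   # leave the interval to the server\n"

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        interval, findings = audit(cfg, one_time_password=True)
        print(label, interval, findings or "no client-side trigger")
```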
Created attachment 335957: patch for --reneg-sec 0
I think it makes more sense to disable renegotiation on the client side and let the openvpn server decide the interval. I have submitted a patch for hard coding it.
There is nothing to triage here. Switching to ASSIGNED so that developers have responsibility to do whatever they want to do with it.
I'll completely leave that decision to Dan Williams, as he is in charge of that stuff.
The correct patch for this issue would involve a UI spinbutton as well, like the "Use a custom port" stuff. Commit 1c2166b6618f6fb2e581cb40ff1b2e7c1013e5df adds the non-UI bits of reneg secs, but the UI bits still need to be added. In the "General" tab of the Advanced... dialog, there needs to be a "[x] Use custom renegotiation interval: [ 12345 ]# seconds" spinbutton just like the "custom port" spinbutton. We need to load in that value in import too. Any takers?
I wrote a patch which puts a check box in there. I can write one with a spinbutton.
Created attachment 359230: reneg-seconds-gui-bindings
Add gui and bindings for reneg seconds
Can someone please test my patch and let me know if it works?
Apparently not:
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I/usr/include/libglade-2.0 -I/usr/include/gtk-2.0 -I/usr/include/libxml2 -I/usr/lib64/gtk-2.0/include -I/usr/include/atk-1.0 -I/usr/include/cairo -I/usr/include/pango-1.0 -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/pixman-1 -I/usr/include/freetype2 -I/usr/include/libpng12 -I/usr/include/gtk-2.0 -I/usr/lib64/gtk-2.0/include -I/usr/include/atk-1.0 -I/usr/include/cairo -I/usr/include/pango-1.0 -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/pixman-1 -I/usr/include/freetype2 -I/usr/include/libpng12 -DORBIT2=1 -pthread -I/usr/include/gconf/2 -I/usr/include/orbit-2.0 -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/NetworkManager -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/libnm-glib -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/include/gnome-keyring-1 -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I../ -DICONDIR=\"/usr/share/pixmaps\" -DGLADEDIR=\"/usr/share/gnome-vpn-properties/openvpn\" -DG_DISABLE_DEPRECATED -DGDK_DISABLE_DEPRECATED -DGNOME_DISABLE_DEPRECATED -DGNOMELOCALEDIR=\"/usr/share/locale\" -DVERSION=\"0.7.996\" -Wall -Werror -std=gnu89 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wshadow -Wmissing-declarations -Wmissing-prototypes -Wdeclaration-after-statement -Wfloat-equal -Wno-unused-parameter -Wno-sign-compare -fno-strict-aliasing -c import-export.c -fPIC -DPIC -o .libs/libnm_openvpn_properties_la-import-export.o
auth-helpers.c: In function 'advanced_dialog_new':
auth-helpers.c:1032: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'tmp'
auth-helpers.c:1032: error: 'tmp' undeclared (first use in this function)
auth-helpers.c:1032: error: (Each undeclared identifier is reported only once
auth-helpers.c:1032: error: for each function it appears in.)
cc1: warnings being treated as errors
auth-helpers.c:1047: error: declaration of 'tmp' shadows previous non-variable
auth-helpers.c: In function 'advanced_dialog_new_hash_from_dialog':
auth-helpers.c:1167: error: implicit declaration of function 'gladde_xml_get_widget'
auth-helpers.c:1167: error: assignment makes pointer from integer without a cast
make[2]: *** [libnm_openvpn_properties_la-auth-helpers.lo] Error 1
make[2]: *** Waiting for unfinished jobs....
make[2]: Leaving directory `/home/adamw/rpmbuild/BUILD/NetworkManager-openvpn-0.7.996/properties'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/adamw/rpmbuild/BUILD/NetworkManager-openvpn-0.7.996'
make: *** [all] Error 2
error: Bad exit status from /var/tmp/rpm-tmp.EGuKJO (%build)
I think I'm hitting this bug - my connection to the RH VPN dies every hour. Rather annoying.
-- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers
If I add the obvious missing ; to the patch, I hit:
cc1: warnings being treated as errors
auth-helpers.c: In function 'advanced_dialog_new_hash_from_dialog':
auth-helpers.c:1167: error: implicit declaration of function 'gladde_xml_get_widget'
auth-helpers.c:1167: error: assignment makes pointer from integer without a cast
Ah, and that's another typo (gladde for glade).
With that one corrected, the package builds, but attempting to configure the openvpn connection fails instantly with this in /var/log/messages:
Sep 20 22:44:25 adam kernel: nm-connection-e[1863]: segfault at 0 ip 00007f45cf19f936 sp 00007fff5a9a85a0 error 4 in libnm-openvpn-properties.so[7f45cf199000+d000]
I guess there's another screwup in the patch that the build process doesn't catch...
bb54f963cf95d6a723a988f0a2bbb8174a5bd401 (trunk)
6f83797c053000b833f317da4602957c12900188 (0.7.x)
Cleaned up spacing and fixed various bugs (spinbutton wasn't getting enabled when re-editing the connection because the option wasn't tagged as an advanced-dialog-handled one), and added import capability for the value.
rawhide build: http://koji.fedoraproject.org/koji/taskinfo?taskID=1700346
really have to go to bed now...
Looks good to me in Rawhide - the option is there and appears to work as advertised. Leaving the bug open as it's filed on 10; given the RH implications it'd be really good to have this fixed in 10 and 11 as well as Rawhide.
Will backport this patch to F-10, F-11 and EL-5 also.
Any chance we'll see this package in f11's updates-testing repo sometime soon?
Is this in the repos soon?
I just noticed that it is included in nm-openvpn in F12 beta.
I noted in comment #20 that it's in F12, but this bug is filed against 10, we really ought to fix this in at least 11 and probably 10 as well as 12.
Yeah, we'll get an update of all the VPN plugins once the NM updates sitting in updates-testing go live. Or, given the time, I can rebuild them all and attach them to that update, but I'd rather get the NM update out first so we're at least halfway there.
This message is a reminder that Fedora 10 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 10. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '10'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 10's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 10 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
NetworkManager-openconnect-0.7.2-1.fc11, NetworkManager-pptp-0.7.2-1.fc11, NetworkManager-openvpn-0.7.2-1.fc11, NetworkManager-vpnc-0.7.2-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/NetworkManager-openconnect-0.7.2-1.fc11,NetworkManager-pptp-0.7.2-1.fc11,NetworkManager-openvpn-0.7.2-1.fc11,NetworkManager-vpnc-0.7.2-1.fc11
This update requires a newer NetworkManager, which uses /var/lib/NetworkManager and is not in the default selinux policy. This needs fixing. Jon.
NetworkManager-openconnect-0.7.2-1.fc11, NetworkManager-pptp-0.7.2-1.fc11, NetworkManager-openvpn-0.7.2-1.fc11, NetworkManager-vpnc-0.7.2-1.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update NetworkManager-openconnect NetworkManager-pptp NetworkManager-openvpn NetworkManager-vpnc'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-13032
Setting back to assigned, then...
NetworkManager-openconnect-0.7.2-1.fc11, NetworkManager-pptp-0.7.2-1.fc11, NetworkManager-openvpn-0.7.2-1.fc11, NetworkManager-vpnc-0.7.2-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.