Bug 490971 - nm-openvpn does not support "reneg" options
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: NetworkManager-openvpn
Version: 11
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Dan Williams
QA Contact: Fedora Extras Quality Assurance
Keywords: Patch, Triaged
Reported: 2009-03-18 13:53 EDT by Richard Monk
Modified: 2009-12-24 15:43 EST
Fixed In Version: 0.7.2-1.fc11
Doc Type: Bug Fix
Last Closed: 2009-12-24 15:43:52 EST
Attachments:
patch for --reneg-sec 0 (701 bytes, patch), 2009-03-20 01:44 EDT, Huzaifa S. Sidhpurwala
reneg-seconds-gui-bindings (159.88 KB, patch), 2009-08-31 02:11 EDT, Huzaifa S. Sidhpurwala

Description Richard Monk 2009-03-18 13:53:44 EDT
Description of problem:
NetworkManager-openvpn does not support the openvpn parameters "reneg-bytes", "reneg-pkts" and "reneg-sec".  This causes it to always default to renegotiation of the control channel every hour, even if the server has it set larger.  In the situation of 2-factor auth, the cached password is invalid, and the connection will always die after 1 hour.

Version-Release number of selected component (if applicable):
NetworkManager-openvpn-0.7.0.99-1.fc10.i386

How reproducible:
Configure openvpn server with no reneg time, or a very long one (1 day, etc) and connect to it using nm-openvpn
  
Actual results:
After 1 hour (the default time), the client will issue a renegotiation which will always fail due to 2-factor authentication rendering the cached password incorrect.

Expected results:
Have a configuration option to set the reneg options in the GUI, or provide a "custom options" line so uncommonly used parameters can be added if needs be.
Comment 1 Huzaifa S. Sidhpurwala 2009-03-20 01:44:47 EDT
Created attachment 335957
patch for --reneg-sec 0
Comment 2 Huzaifa S. Sidhpurwala 2009-03-20 01:45:41 EDT
I think it makes more sense to disable renegotiation on the client side and let the openvpn server decide the interval.
I have submitted a patch for hard coding it.
Comment 6 Matěj Cepl 2009-07-09 05:17:28 EDT
There is nothing to triage here.

Switching to ASSIGNED so that developers have responsibility to do whatever they want to do with it.
Comment 7 Christoph Höger 2009-07-09 05:23:46 EDT
I'll completely leave that decision to Dan Williams, as he is in charge of that stuff.
Comment 10 Dan Williams 2009-07-27 12:44:41 EDT
The correct patch for this issue would involve a UI spinbutton as well, like the "Use a custom port" stuff.

Commit 1c2166b6618f6fb2e581cb40ff1b2e7c1013e5df adds the non-UI bits of reneg secs, but the UI bits still need to be added.

In the "General" tab of the Advanced... dialog, there needs to be a "[x] Use custom renegotiation interval:   [ 12345 ]# seconds" spinbutton just like the "custom port" spinbutton.  We need to load in that value in import too.  Any takers?
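
Added example, not part of this bug report and not NetworkManager-openvpn's code: one way an importer could read the renegotiation interval from an OpenVPN config and validate it strictly before passing it on as --reneg-sec. It assumes the single-value "reneg-sec N" form and that the last occurrence wins; the function names are hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

static int blank(int c) { return c == ' ' || c == '\t' || c == '\r'; }
static int eol(int c)   { return c == '\0' || c == '\n'; }

/* Parse the config line starting at `line` (it ends at '\n' or NUL).
 * Returns 1 for a valid "reneg-sec N" (N stored in *out), 0 for any
 * other line, -1 for reneg-sec with a missing or malformed value. */
int parse_reneg_sec(const char *line, long *out)
{
    const size_t klen = strlen("reneg-sec");
    char *end;
    long v;

    while (blank(*line)) line++;
    if (strncmp(line, "reneg-sec", klen) != 0) return 0;
    line += klen;
    if (eol(*line)) return -1;                 /* directive without a value */
    if (!blank(*line)) return 0;               /* a different, longer option name */
    while (blank(*line)) line++;
    if (!isdigit((unsigned char)*line)) return -1;  /* empty, signed or non-numeric */
    errno = 0;
    v = strtol(line, &end, 10);
    if (errno == ERANGE || v > INT_MAX) return -1;
    while (blank(*end)) end++;                 /* tolerates a trailing \r */
    if (!eol(*end)) return -1;                 /* trailing junk after the number */
    *out = v;
    return 1;
}

/* Scan a whole config: 1 = interval set (last occurrence kept, an assumption),
 * 0 = not set, so the one-hour default applies, -1 = invalid value found. */
int effective_reneg_sec(const char *cfg, long *out)
{
    int r, found = 0;

    for (; *cfg; cfg += (*cfg == '\n')) {
        if ((r = parse_reneg_sec(cfg, out)) < 0) return -1;
        found |= r;
        cfg += strcspn(cfg, "\n");             /* advance to the end of this line */
    }
    return found;
}
```

A caller would initialise the output to 3600, the default the reporter describes, and treat a return of -1 as a failed import rather than silently falling back; a value of 0 is the "--reneg-sec 0" case from the first attachment.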
Comment 11 Huzaifa S. Sidhpurwala 2009-08-12 07:03:34 EDT
I wrote a patch which puts a check box in there, I can write one with a spinbutton.
Comment 12 Huzaifa S. Sidhpurwala 2009-08-31 02:11:22 EDT
Created attachment 359230
reneg-seconds-gui-bindings

Add gui and bindings for reneg seconds
Comment 13 Huzaifa S. Sidhpurwala 2009-08-31 02:12:05 EDT
Can someone please test my patch and let me know if it works?
Comment 14 Adam Williamson 2009-09-21 01:39:28 EDT
Apparently not:

libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I/usr/include/libglade-2.0 -I/usr/include/gtk-2.0 -I/usr/include/libxml2 -I/usr/lib64/gtk-2.0/include -I/usr/include/atk-1.0 -I/usr/include/cairo -I/usr/include/pango-1.0 -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/pixman-1 -I/usr/include/freetype2 -I/usr/include/libpng12 -I/usr/include/gtk-2.0 -I/usr/lib64/gtk-2.0/include -I/usr/include/atk-1.0 -I/usr/include/cairo -I/usr/include/pango-1.0 -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/pixman-1 -I/usr/include/freetype2 -I/usr/include/libpng12 -DORBIT2=1 -pthread -I/usr/include/gconf/2 -I/usr/include/orbit-2.0 -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/NetworkManager -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/libnm-glib -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/include/gnome-keyring-1 -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I../ -DICONDIR=\"/usr/share/pixmaps\" -DGLADEDIR=\"/usr/share/gnome-vpn-properties/openvpn\" -DG_DISABLE_DEPRECATED -DGDK_DISABLE_DEPRECATED -DGNOME_DISABLE_DEPRECATED -DGNOMELOCALEDIR=\"/usr/share/locale\" -DVERSION=\"0.7.996\" -Wall -Werror -std=gnu89 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wshadow -Wmissing-declarations -Wmissing-prototypes -Wdeclaration-after-statement -Wfloat-equal -Wno-unused-parameter -Wno-sign-compare -fno-strict-aliasing -c import-export.c  -fPIC -DPIC -o .libs/libnm_openvpn_properties_la-import-export.o
auth-helpers.c: In function 'advanced_dialog_new':
auth-helpers.c:1032: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'tmp'
auth-helpers.c:1032: error: 'tmp' undeclared (first use in this function)
auth-helpers.c:1032: error: (Each undeclared identifier is reported only once
auth-helpers.c:1032: error: for each function it appears in.)
cc1: warnings being treated as errors
auth-helpers.c:1047: error: declaration of 'tmp' shadows previous non-variable
auth-helpers.c: In function 'advanced_dialog_new_hash_from_dialog':
auth-helpers.c:1167: error: implicit declaration of function 'gladde_xml_get_widget'
auth-helpers.c:1167: error: assignment makes pointer from integer without a cast
make[2]: *** [libnm_openvpn_properties_la-auth-helpers.lo] Error 1
make[2]: *** Waiting for unfinished jobs....
make[2]: Leaving directory `/home/adamw/rpmbuild/BUILD/NetworkManager-openvpn-0.7.996/properties'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/adamw/rpmbuild/BUILD/NetworkManager-openvpn-0.7.996'
make: *** [all] Error 2
error: Bad exit status from /var/tmp/rpm-tmp.EGuKJO (%build)

I think I'm hitting this bug - my connection to the RH VPN dies every hour. Rather annoying.

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 15 Adam Williamson 2009-09-21 01:42:33 EDT
if I add the obvious missing ; to the patch, I hit:

cc1: warnings being treated as errors
auth-helpers.c: In function 'advanced_dialog_new_hash_from_dialog':
auth-helpers.c:1167: error: implicit declaration of function 'gladde_xml_get_widget'
auth-helpers.c:1167: error: assignment makes pointer from integer without a cast


Comment 16 Adam Williamson 2009-09-21 01:44:00 EDT
ah, and that's another typo (gladde for glade).

Comment 17 Adam Williamson 2009-09-21 01:45:12 EDT
with that one corrected, the package builds, but attempting to configure the openvpn connection fails instantly with this in /var/log/messages :

Sep 20 22:44:25 adam kernel: nm-connection-e[1863]: segfault at 0 ip 00007f45cf19f936 sp 00007fff5a9a85a0 error 4 in libnm-openvpn-properties.so[7f45cf199000+d000]

I guess there's another screwup in the patch that the build process doesn't catch...

Comment 18 Dan Williams 2009-09-23 05:10:01 EDT
bb54f963cf95d6a723a988f0a2bbb8174a5bd401 (trunk)
6f83797c053000b833f317da4602957c12900188 (0.7.x)

Cleaned up spacing and fixed various bugs (spinbutton wasn't getting enabled when re-editing the connection because the option wasn't tagged as an advanced-dialog-handled one), and added import capability for the value.
Comment 19 Dan Williams 2009-09-23 05:35:56 EDT
rawhide build: http://koji.fedoraproject.org/koji/taskinfo?taskID=1700346

really have to go to bed now...
Comment 20 Adam Williamson 2009-09-23 12:02:48 EDT
Looks good to me in Rawhide - the option is there and appears to work as advertised.

Leaving the bug open as it's filed on 10; given the RH implications it'd be really good to have this fixed in 10 and 11 as well as Rawhide.

Comment 21 Huzaifa S. Sidhpurwala 2009-09-23 12:21:16 EDT
Will back port this patch to F-10, F-11 and EL-5 also
Comment 22 Jeff Layton 2009-10-13 09:32:43 EDT
Any chance we'll see this package in f11's updates-testing repo sometime soon?
Comment 23 Frederik Bijlsma 2009-10-25 15:35:38 EDT
is this in the repos soon?
Comment 24 Richard Monk 2009-10-30 14:44:02 EDT
I just noticed that it is included in nm-openvpn in F12 beta.
Comment 25 Adam Williamson 2009-10-31 01:08:45 EDT
I noted in comment #20 that it's in F12, but this bug is filed against 10, we really ought to fix this in at least 11 and probably 10 as well as 12.

Comment 26 Dan Williams 2009-11-02 12:38:23 EST
Yeah, we'll get an update of all the VPN plugins once the NM updates sitting in updates-testing go live.  Or, given the time, I can rebuild them all and attach them to that update, but I'd rather get the NM update out first so we're at least halfway there.
Comment 27 Bug Zapper 2009-11-18 04:11:59 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 28 Fedora Update System 2009-12-07 13:49:09 EST
NetworkManager-openconnect-0.7.2-1.fc11,NetworkManager-pptp-0.7.2-1.fc11,NetworkManager-openvpn-0.7.2-1.fc11,NetworkManager-vpnc-0.7.2-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/NetworkManager-openconnect-0.7.2-1.fc11,NetworkManager-pptp-0.7.2-1.fc11,NetworkManager-openvpn-0.7.2-1.fc11,NetworkManager-vpnc-0.7.2-1.fc11
Comment 29 Jon Masters 2009-12-08 15:47:21 EST
This update requires a newer NetworkManager, which uses /var/lib/NetworkManager and is not in the default selinux policy. This needs fixing.

Jon.
Comment 30 Fedora Update System 2009-12-09 23:30:04 EST
NetworkManager-openconnect-0.7.2-1.fc11, NetworkManager-pptp-0.7.2-1.fc11, NetworkManager-openvpn-0.7.2-1.fc11, NetworkManager-vpnc-0.7.2-1.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update NetworkManager-openconnect NetworkManager-pptp NetworkManager-openvpn NetworkManager-vpnc'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-13032
Comment 31 Adam Williamson 2009-12-11 16:27:22 EST
setting back to assigned, then...

Comment 32 Fedora Update System 2009-12-24 15:43:22 EST
NetworkManager-openconnect-0.7.2-1.fc11, NetworkManager-pptp-0.7.2-1.fc11, NetworkManager-openvpn-0.7.2-1.fc11, NetworkManager-vpnc-0.7.2-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
