Cookie auth rejected by ocserv on reconnect
Nikos Mavrogiannopoulos
nmav at gnutls.org
Tue Feb 10 08:03:54 PST 2015
On Sun, Jan 25, 2015 at 8:06 PM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
>> ocserv[4622]: main: 121.34.241.154:50274 sending message 'auth cookie
>> reply' to worker
>> ocserv[4688]: worker: 121.34.241.154:50274 received auth reply message
>> (value: 3)
>> ocserv[4688]: worker: 121.34.241.154:50274 error receiving cookie
>> authentication reply
>> ocserv[4688]: worker: 121.34.241.154:50274 failed cookie authentication attempt
>> Is auth cookie somehow affected by my client certificate `cn` and `unit`?
> No. I believe it is a side-effect of the new session control introduced
> due to radius. It seems that sessions in the security module are expired
> sooner than expected, and that's why you notice that issue. I've
> submitted a correction into git, but I'll need to review the whole
> process sometime later.
I did review it and found it overly complex. I've now simplified the
session control, by having the security module check time and decide
the validity of a cookie. That should handle all existing use cases
(there are now tests for them), but if I missed anything let me know.
regards,
Nikos
More information about the openconnect-devel
mailing list