Cookie auth rejected by ocserv on reconnect

Kevin Cernekee cernekee at gmail.com
Tue Feb 10 08:22:06 PST 2015


On Tue, Feb 10, 2015 at 8:03 AM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> On Sun, Jan 25, 2015 at 8:06 PM, Nikos Mavrogiannopoulos
> <nmav at gnutls.org> wrote:
>>> ocserv[4622]: main: 121.34.241.154:50274 sending message 'auth cookie
>>> reply' to worker
>>> ocserv[4688]: worker: 121.34.241.154:50274 received auth reply message
>>> (value: 3)
>>> ocserv[4688]: worker: 121.34.241.154:50274 error receiving cookie
>>> authentication reply
>>> ocserv[4688]: worker: 121.34.241.154:50274 failed cookie authentication attempt
>>> Is auth cookie somehow affected by my client certificate `cn` and `unit`?
>> No. I believe it is a side-effect of the new session control introduced
>> due to radius. It seems that sessions in the security module are expired
>> sooner than expected, and that's why you notice that issue. I've
>> submitted a correction into git, but I'll need to review the whole
>> process sometime later.
>
> I did review it and found it overly complex. I've now simplified the
> session control, by having the security module check time and decide
> the validity of a cookie. That should handle all existing use cases
> (there are now tests for them), but if I missed anything let me know.

Hmm, I just did a quick network roaming test with the head of tree,
and on reconnect (wifi->3G) ocserv assigned a different tunnel IPv4
address.  I did not see this with the earlier rev.

This is for a user who doesn't have explicit-ipv4 set (obviously).

I'll email you a debug log if you can't reproduce it.



More information about the openconnect-devel mailing list