On 03/07/2014 12:10 AM, Yawning Angel wrote:
Looking at the OpenVPN source (src/openvpn/socks.c):
const ssize_t size = send (sd, "\x05\x02\x00\x02", 4, MSG_NOSIGNAL);
The method selection request is hardcoded to always claim support for No Auth, and Username/Password Auth in that order.
This is an OpenVPN bug. It should not be offering to negotiate Username/Password Auth if the user has not provided credentials. And, if the user did happen to provide credentials, then it should not claim that No Auth is acceptable.
Are we sure it's an OpenVPN bug? Cause I'm getting a:
"socks_handshake: server asked for username/login auth but we were not provided any credentials"
which kind of makes sense regarding the methods' priority in socks5.py
And that occurs even when using obfs3 which shouldn't expect any credentials.
Am I missing something?
Options:
1. Ignore the PASSWD field if the UNAME field is less than 255 characters. This feels somewhat ugly, and has Nasty Surprise potential in the future.
2. Only treat the SOCKS auth as a username/password when obfsproxy is in managed mode. This forces everyone to pass in args via the command line, and would break the "I want to use obfsproxy to connect to multiple servers via ScrambleSuit" use case, so is probably unacceptable.
3. Leave things as is. Since the UNAME/PASSWD fields are just concatenated (except for the case where the passwd is 1 NUL character), people can set the credentials to something like:
   Username: "password=" Password: "<Base32 Encoded k_B here>"
Sorry I should have been more clear about this.
Presently I am leaning toward option 3, but I don't feel too strongly about this as long as Tor continues to work (Which it will regardless of how this is resolved since it will always only request SOCKS auth mechanisms that make sense based on the config file).
Option 3 does work for scramblesuit, cool! :)
So, socks authentication could be used by the OpenVPN client to pass scramblesuit credentials to obfsproxy. Could I somehow run obfsproxy without explicitly setting a scramblesuit secret, as it's needed when running unmanaged?
Greetings, Alex
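
Added example, not part of the original message and not code from OpenVPN or obfsproxy: a minimal parser for the two SOCKS5 messages discussed in this thread, the RFC 1928 method selection request and the RFC 1929 username/password request, with the UNAME/PASSWD concatenation rule from option 3. Function names, the server's preference order, the handling of a lone NUL PASSWD, and the sample key are assumptions made for illustration.

```python
# Added example: SOCKS5 negotiation parsing as discussed in the thread.
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF

def parse_method_selection(data):
    """RFC 1928 method selection request: VER(0x05) NMETHODS METHODS..."""
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 method selection request")
    nmethods = data[1]
    if nmethods == 0 or len(data) != 2 + nmethods:
        raise ValueError("NMETHODS does not match the message length")
    return list(data[2:])

def select_method(offered, prefer=(USER_PASS, NO_AUTH)):
    """Server-side pick. The default order is an assumption matching the
    behaviour reported above (auth requested when both are offered)."""
    for method in prefer:
        if method in offered:
            return method
    return NO_ACCEPTABLE

def build_userpass(uname, passwd):
    """RFC 1929 request: VER(0x01) ULEN UNAME PLEN PASSWD (lengths 1..255)."""
    for field in (uname, passwd):
        if not 1 <= len(field) <= 255:
            raise ValueError("field length must be 1..255 bytes")
    return bytes([0x01, len(uname)]) + uname + bytes([len(passwd)]) + passwd

def parse_userpass_args(data):
    """Return the argument string carried in an RFC 1929 request."""
    if len(data) < 5 or data[0] != 0x01:
        raise ValueError("not a username/password request")
    ulen = data[1]
    if ulen == 0 or len(data) < 2 + ulen + 2:
        raise ValueError("truncated UNAME")
    uname, plen = data[2:2 + ulen], data[2 + ulen]
    passwd = data[3 + ulen:]
    if plen == 0 or len(passwd) != plen:
        raise ValueError("PLEN does not match the message length")
    # Thread's rule: fields are concatenated, except a lone NUL PASSWD,
    # which is assumed here to be ignored so that only UNAME is used.
    return (uname if passwd == b"\x00" else uname + passwd).decode("ascii")

if __name__ == "__main__":
    offered = parse_method_selection(b"\x05\x02\x00\x02")  # bytes OpenVPN sends
    print(offered, select_method(offered))
    req = build_userpass(b"password=", b"CONSTRUCTEDKEYAAAA")  # constructed key
    print(parse_userpass_args(req))
```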