Endian Bugtracker
Endian Issue Tracker





Please see now our new Bugtracker system: JIRA








View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0000411Endian FirewallInput Validationpublic2008-01-03 23:442010-09-21 21:08
Reporteraarond725 
Assigned To 
PrioritynormalSeverityminorReproducibilityalways
StatusacknowledgedResolutionopen 
PlatformOSOS Version
Product Version2.1.2 
Target VersionfutureFixed in Version 
Summary0000411: OpenVPN fails authentication with password containing "$$"
DescriptionNot sure if this is in the OpenVPN client, the OpenVPN server, or the web interface of Endian Firewall.

I have an Endian Firewall Community release 2.1.2 set up as an OpenVPN server. Using the web interface of the firewall, I create a user "test" with password "test$". I am able to succesfully connect remotely via OpenVPN GUI 1.0.3.

If I change the password to "test$$", I get an AUTH_FAILED message when trying to connect via OpenVPN GUI 1.0.3.
  
I think the two dollar signs ($$) might be some sort of special character, or perhaps they are getting escaped. There might be other special characters that do not work, but I haven't experimented.

The workaround is not to use "$$" in the password.
Additional InformationHere is the OpenVPN log from my client:

Thu Jan 03 13:52:20 2008 VERIFY OK: depth=1, /C=IT/O=efw/CN=efw_CA
Thu Jan 03 13:52:20 2008 VERIFY OK: depth=0, /C=IT/O=efw/CN=127.0.0.1
Thu Jan 03 13:52:20 2008 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jan 03 13:52:20 2008 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 03 13:52:20 2008 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jan 03 13:52:20 2008 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 03 13:52:20 2008 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jan 03 13:52:20 2008 [127.0.0.1] Peer Connection Initiated with 123.123.123.123:1194
Thu Jan 03 13:52:21 2008 SENT CONTROL [127.0.0.1]: 'PUSH_REQUEST' (status=1)
Thu Jan 03 13:52:21 2008 AUTH: Received AUTH_FAILED control message
Thu Jan 03 13:52:21 2008 TCP/UDP: Closing socket
Thu Jan 03 13:52:21 2008 SIGTERM[soft,auth-failure] received, process exiting
Thu Jan 03 13:52:21 2008 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005
TagsNo tags attached.
Attached Files

- Relationships

-  Notes
(0000736)
peter-endian (administrator)
2008-01-08 13:13

yes, $ identifies a variable name in perl, so the GUI writes down the password wrongly. there are more special characters which will not work, like @, %
I think there is also another issue with openvpn itself with special characters.

In 2.2 we disallow these characters. It's a temporary solution..

- Issue History
Date Modified Username Field Change
2008-01-03 23:44 aarond725 New Issue
2008-01-03 23:44 aarond725 Status new => assigned
2008-01-03 23:44 aarond725 Assigned To => peter-endian
2008-01-08 13:13 peter-endian Note Added: 0000736
2009-11-25 18:47 peter-endian Target Version => future
2010-02-04 10:58 peter-endian Relationship added related to 0002653
2010-09-21 20:13 peter-endian Assigned To peter-endian =>
2010-09-21 20:13 peter-endian Status assigned => acknowledged
2010-09-21 21:08 peter-endian Category Network related (VPN, uplinks) => Input Validation

Copyright © 2005-2008 Endian, SRL. All rights reserved.


Copyright © 2000 - 2012 MantisBT Group
Powered by Mantis Bugtracker