
When is a "Warning" a big deal?


Topic Author
onyx
Posts: 5
Joined: Fri Jan 02, 2015 5:48 pm

When is a "Warning" a big deal?

Postby onyx » Sun Jan 04, 2015 12:50 pm

It's all good, really! I'm loving my new toy to bits...

So, I'm just not sure there's reason for alarm when I see "WARNING: This configuration may cache passwords in memory", but I guess it's worthy of an inquiry...

The message appears in the widget/log-in window with what I presume is some sort of code (that'd be weird) going by very quickly during/after connection.
~ the warning does not appear at any other time during the connection log (or whatever that is called in the window that I see) :crazy:
~ it is listed just *after* the two UDPv4 links do their thing - and an initial packet is sent;
~ then it's right *before* VERIFY "ok"
... (if that helps) ...

There is, however, a solution offered up with: "use the auth-nocache option to prevent this".

...But I don't see an option like that anywhere under Options. :D
So. Thanks if anyone can figure it out.


Fermi
ForumHelper
Posts: 174
Joined: Tue Jun 17, 2014 11:42 am

Re: When is a "Warning" a big deal?

Postby Fermi » Sun Jan 04, 2015 2:10 pm

Hi Onyx,

First of all, this is expected behaviour. This prevents having to provide the password each time a renegotiation takes place. Cryptostorm rekeys every 1200s or 20 minutes.

Below you'll find some deeper explanation (note: the hourly renegotiation needs to be replaced by 1200s).


OpenVPN uses different session constructs for SSL/TLS key state, and
tunnel state.   This is so that you can construct a long-term tunnel,
but still have the underlying SSL/TLS session restart and renegotiate
every hour.  Consider this a feature -- you get the usability of a
long-term tunnel, with the security of frequent rekeying of session
keys.  Now of course if those hourly renegotiations require end-user
input as part of a two-factor approach, then it potentially becomes a
hassle -- you might want to recalibrate the authentication interval with
--reneg-sec.

So when you ask "if it occurs over the established session is there
really a need to re-auth the user when exchanging new keys?", the answer
is yes, because the reneg-sec parameter tells OpenVPN the maximum
allowable lifetime for an established SSL/TLS session before it
expires.  Now it's possible to have the OpenVPN client daemon cache
passwords (this is the default, but can be disabled with --auth-nocache),
so that when the SSL/TLS renegotiation occurs, the client daemon can
resubmit the cached password, rather than bothering the user to reenter
it.


The warning means that it would be theoretically possible that someone could steal your VPN password if he had access to your (virtual) memory.
Hereby noting that the Cryptostorm password is no secret and can have any value, as long as it is not empty...
So this really is a warning and nothing to worry about.

Regards,

/Fermi
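As an added illustration (not from this thread, and not cryptostorm's or OpenVPN's own code), a small Python checker that applies the explanation above: it parses an OpenVPN client config, reports whether auth-user-pass without auth-nocache will leave the password cached in memory, and works out how often the reneg-sec interval would re-prompt the user if caching were disabled. The sample config and its hostname are constructed.

```python
import re

RENEG_SEC_DEFAULT = 3600  # OpenVPN's built-in --reneg-sec default: one hour

# Constructed sample client config (hostname is a placeholder, not a real server):
# user/pass auth, the 20-minute rekey mentioned in the thread, and no auth-nocache.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 443
auth-user-pass
reneg-sec 1200
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedNotARealCert
-----END CERTIFICATE-----
</ca>
verb 3
"""

def parse_directives(text):
    """Yield (name, args) for each directive; skips comment lines and the
    bodies of inline <tag>...</tag> blocks such as <ca> or <tls-auth>."""
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block:                      # inside <ca> ... </ca> etc.
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            in_block = m.group(1)
            continue
        name, *args = line.split()
        yield name, args

def password_caching_status(text):
    """Report whether this config triggers the 'may cache passwords in memory'
    warning, and how often a renegotiation would re-prompt without caching."""
    opts = dict(parse_directives(text))
    uses_user_pass = "auth-user-pass" in opts
    nocache = "auth-nocache" in opts
    reneg = int(opts["reneg-sec"][0]) if opts.get("reneg-sec") else RENEG_SEC_DEFAULT
    return {
        "uses_user_pass": uses_user_pass,
        "password_cached_in_memory": uses_user_pass and not nocache,
        "reneg_sec": reneg,
        # with auth-nocache the user is asked again at every rekey
        "reprompts_per_hour": 3600 // reneg if (uses_user_pass and nocache) else 0,
    }
```

Appending auth-nocache to the sample removes the in-memory copy but, at a 1200s rekey, costs three password prompts per hour, which is the trade-off the thread describes.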

cryptostorm_support
ForumHelper
Posts: 296
Joined: Sat Jan 26, 2013 4:31 am

Re: When is a "Warning" a big deal?

Postby cryptostorm_support » Sun Jan 04, 2015 9:46 pm

Very well said, Fermi


Topic Author
onyx
Posts: 5
Joined: Fri Jan 02, 2015 5:48 pm

Re: When is a "Warning" a big deal?

Postby onyx » Tue Jan 06, 2015 1:44 pm

Thank you, Fermi.
Good job explaining so I can understand. If it makes sense to me, then "Very well said" indeed...

Wasn't too worried, as I've been known to ignore warnings on occasion :-)

"Life isn't about waiting for the Storm to pass, it's about learning to dance in the rain." ~ author unknown

(Just a little offering of gratitude for your time & all the great work you do.)
All the best <3

