With OpenVPN 2.4.5 as a server, and OpenVPN Connect 3.0.3 running on Oreo 8.0.0 (these version numbers might or might not be relevant; they're what I'm running), you might encounter an error which will result in having less hair as you pull it out in frustration.
If your OpenVPN server is configured to use CCD-related directives, but there isn't a corresponding file on the VPN server which matches your Android device's CN, then the connection attempt will fail with the not-at-all-obvious error "Username/password do not match" instead of a more sensible CCD-related error message.
Just a heads-up in case anyone else is fiddling with OpenVPN on Android and has CCD configured on the VPN server.
Misleading error - "Username/password do not match"
- OpenVPN User
- Posts: 28
- Joined: Tue Mar 04, 2014 12:38 am
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Misleading error - "Username/password do not match"
Openvpn does not return any identifiable data regarding the nature of an authentication error.
The client interprets that as username/password failed .. in this case.
It is a good security measure ..
- OpenVPN User
- Posts: 28
- Joined: Tue Mar 04, 2014 12:38 am
Re: Misleading error - "Username/password do not match"
The Windows and Linux client error messages are more helpful than the Android client error messages. I appreciate that good security doesn't give potential adversaries more information than is required; however, good security also doesn't depend on what information is given to potential adversaries.
I disagree with the "security through obscurity" principle; all it does is slow down the adversary briefly without offering anything remotely resembling actual defence against intrusion. As an example, if an adversary is stymied by the "Username/password do not match" error, all he or she has to do is Google the "Username/password do not match" message and this very thread will turn up in the search results, revealing the existence of CCD. At which point the adversary will know that CCD might be in play.
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Misleading error - "Username/password do not match"
Alex Morris wrote: Tue Mar 27, 2018 8:47 pm
    I disagree with the "security through obscurity" principle
I knew you would say that ... technically this is not security through obscurity ..
If you disagree then take it up with the developers ..
I am sure they will explain why (on this occasion) you are wrong.
Last edited by TinCanTech on Tue Mar 27, 2018 10:11 pm, edited 1 time in total.
- OpenVPN User
- Posts: 28
- Joined: Tue Mar 04, 2014 12:38 am
Re: Misleading error - "Username/password do not match"
Indeed they might. They'd be wrong - security through obscurity is always wrong, by the simple fact that it does not ever work - but they're welcome to try.
But the developers aren't the only ones with opinions on the subject. I'm always willing to learn from anyone who can cogently reason. When the facts change, so does my opinion. I'm not a Republican, after all.
If you genuinely believe that the approach evinced by the Android client - but not, curiously, the Windows or Linux clients - is the correct one, that a misleading error message is right and proper, then please elaborate. You might just sway me.
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Misleading error - "Username/password do not match"
I have asked if a developer would be prepared to comment .. for now I shall leave it there -- regards
Update the thread if you get no further replies but give it a day or so .. they are very busy.
- dazo
- OpenVPN Inc.
- Posts: 155
- Joined: Mon Jan 11, 2010 10:14 am
- Location: dazo :: #openvpn-devel @ libera.chat
Re: Misleading error - "Username/password do not match"
This behaviour (rejecting clients when no CCD file exists) is not the default behaviour but should be related to the use of --ccd-exclusive in the server configuration. The man page says:

    --ccd-exclusive
    Require, as a condition of authentication, that a connecting
    client has a --client-config-dir file.

So this implies that this is considered as a simplified authentication. Hence the AUTH_FAILED message is appropriate - authentication did fail. OpenVPN 2.x generally does not easily support a fine-grained response. Plus there are many reasons why not to give a too detailed response when authentication fails.
But I will agree that username/password failed is a bit too narrow an interpretation of "authentication failed". This response is most commonly used with username/password, but not strictly related to username/password authentication. And this interpretation happens in the OpenVPN Connect client. I will follow that up with the developers internally to not mislead the end-user.
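Given dazo's explanation that the rejection comes from --ccd-exclusive rather than from a username/password check, the practical question for an administrator is "does the server have a CCD file for this client's CN?". The following is an added example, not code from the thread or from the OpenVPN project: a small pre-flight check that reads the two relevant directives out of a server config and predicts whether a given CN will be accepted. The server config text, the CCD directory and the CNs ("android-phone", "laptop") are constructed for the example. It models only the per-CN file; the file-name sanitising OpenVPN applies to the CN and the optional DEFAULT file are not reproduced here.

```python
import os
import tempfile

# Constructed sample server configuration for this example (not the
# thread author's config). {ccd} is filled in with a temporary directory.
SAMPLE_SERVER_CONF_TEMPLATE = """\
port 1194
proto udp
dev tun
client-config-dir {ccd}
ccd-exclusive
verb 3
"""


def parse_server_conf(text):
    """Pick out the two CCD directives this check cares about.

    Returns {"client_config_dir": path or None, "ccd_exclusive": bool}.
    Comments (# or ;) and blank lines are ignored, as OpenVPN does.
    """
    settings = {"client_config_dir": None, "ccd_exclusive": False}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "client-config-dir" and len(parts) >= 2:
            settings["client_config_dir"] = parts[1]
        elif parts[0] == "ccd-exclusive":
            settings["ccd_exclusive"] = True
    return settings


def ccd_check(settings, common_name):
    """Predict the server's CCD decision for a client presenting common_name.

    Returns (accepted, reason). Only the per-CN file is modelled.
    """
    ccd_dir = settings["client_config_dir"]
    if ccd_dir is None:
        return True, "no client-config-dir configured; CCD is not consulted"
    # Refuse CNs that could escape the CCD directory instead of joining them.
    if not common_name or os.sep in common_name or common_name in (".", ".."):
        return False, f"refusing to look up unsafe CN {common_name!r}"
    path = os.path.join(ccd_dir, common_name)
    if os.path.isfile(path):
        return True, f"CCD file present: {path}"
    if settings["ccd_exclusive"]:
        return False, (f"no CCD file for CN {common_name!r} and ccd-exclusive is set: "
                       "server sends AUTH_FAILED (shown by OpenVPN Connect as "
                       "'Username/password do not match')")
    return True, f"no CCD file for CN {common_name!r}; ccd-exclusive not set, connection proceeds"


def run_demo():
    """Build a throwaway CCD directory with one file and check three cases."""
    results = {}
    with tempfile.TemporaryDirectory() as ccd_dir:
        # Constructed CCD file for the CN "android-phone".
        with open(os.path.join(ccd_dir, "android-phone"), "w") as fh:
            fh.write("ifconfig-push 10.8.0.10 255.255.255.0\n")
        settings = parse_server_conf(SAMPLE_SERVER_CONF_TEMPLATE.format(ccd=ccd_dir))
        results["known_cn"] = ccd_check(settings, "android-phone")[0]
        results["unknown_cn"] = ccd_check(settings, "laptop")[0]
        # Same server without ccd-exclusive: the unknown CN is no longer rejected.
        lenient = dict(settings, ccd_exclusive=False)
        results["unknown_cn_not_exclusive"] = ccd_check(lenient, "laptop")[0]
    return results


if __name__ == "__main__":
    for case, accepted in run_demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Run against a real server, replace the template with the contents of the server's config file and pass the CN from the client's certificate subject; a "rejected" result for a CN that the client is presenting points at the missing CCD file rather than at credentials.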