Hi James,

Thanks for getting back to me.

I was starting to wonder the same myself, but when I found this thread

http://article.gmane.org/gmane.network.openvpn.user/28105

I thought I must be missing something.

So if OpenVPN always uses a new session, what would be the point of
adding an option to disable renegotiation at the server side?


Cheers,

Dunc


James Yonan wrote:
> OpenVPN uses a fresh SSL/TLS session for each of its mid-session
> renegotiations.  This means that when you see:
> 
>   TLS: soft reset sec=0 bytes=314/0 pkts=6/0
> 
> OpenVPN is actually creating a brand new SSL/TLS session.  So the
> important point here is that OpenVPN does not rely on the session
> renegotiation capability that is built into SSL/TLS, and therefore if
> OpenVPN is linked against an OpenSSL library that disables SSL/TLS
> renegotiation, there should be no loss of functionality.
> 
> James
> 
> Dunc wrote:
>> Hi all,
>>
>> Apologies in advance if I'm just not understanding something here.
>>
>> Following on from the recent SSL renegotiation problem, we're assessing
>> what we should do with all our SSL services, and as we use OpenVPN in
>> several places, this is on the list.
>>
>> I thought that OpenVPN does renegotiations when re-keying, so at first I
>> thought I'd try and turn it off at the server end. From reading the docs
>> and testing I now know that it's not good enough as by default clients
>> will want to re-key after 1 hour unless it is turned off in the client
>> config too.
>>
>> It might be hard to ensure that all our customers adjust their config
>> properly, so I'd rather deal with this at the server end only, so my
>> next thought was to install openssl-0.9.8l which bans renegotiation. I
>> figured this would make the VPN drop once an hour, but figured that's
>> not so bad in the grand scheme of things, and if it's really a problem
>> for anyone we can fix it by having them adjust the client config. This
>> way round seems more favourable as I can be sure renegotiations are
>> disabled, and work around the fallout.
>>
>> So, I installed the latest openssl on a test box, and compiled openvpn.
>> I set the reneg-sec option to 40s on my client and fired up the VPN,
>> fully expecting it to bounce after 40s. Instead, what I see is this
>> message in the logs:-
>>
>> Nov 11 14:13:51 2009 us=763149 TLS: soft reset sec=0 bytes=314/0 pkts=6/0
>>
>> and then both ends seem to agree on some new crypto, and everything
>> carries on.
>>
>>
>> At first I thought maybe what OpenVPN does isn't the same as SSL
>> renegotiation and I had no need to worry anyway, but then I found this
>> thread...
>>
>> http://article.gmane.org/gmane.network.openvpn.user/28105
>>
>> where there is discussion about adding an option to openvpn to disable
>> it, so I now think I should indeed be concerned, but I must be missing
>> something obvious, and wondered if anybody here can help me.
>>
>> I've checked with openssl s_server and s_client that my new openssl does
>> indeed ban renegotiation, so I wonder exactly what OpenVPN is doing
>> during rekeying.
>>
>> Thanks in advance if anyone can shed light on this for me, and once
>> again sorry if I'm just misunderstanding, which is quite possible :-)
>>
>> Cheers,
>>
>> Dunc
>>
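Added example, not from this thread or from the OpenVPN project: a small Python checker that reads OpenVPN client log lines of the kind Dunc quoted, measures the interval between "TLS: soft reset" re-keys, and flags any TLS error or process restart between them, so an operator can confirm that re-keys complete in place at the configured reneg-sec instead of dropping the tunnel. The log lines, the 40-second reneg-sec and the set of drop markers are constructed for the example.

```python
import re
from datetime import datetime

# Matches the OpenVPN 2.x log prefix, e.g. "Nov 11 14:13:51 2009 us=763149 <message>".
_LINE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) us=\d+ (.*)$")
SOFT_RESET = "TLS: soft reset"          # logged when OpenVPN starts a re-key
# Messages taken here to mean the tunnel dropped rather than re-keyed in place (assumed set).
DROP_MARKERS = ("TLS Error", "process restarting", "Inactivity timeout")

def parse(line):
    """Return (timestamp, message) for an OpenVPN log line, or None if it does not match."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y"), m.group(2)

def analyse(lines):
    """Return (seconds between consecutive soft resets, list of (timestamp, drop message))."""
    resets, drops = [], []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, msg = parsed
        if msg.startswith(SOFT_RESET):
            resets.append(ts)
        elif any(marker in msg for marker in DROP_MARKERS):
            drops.append((ts, msg))
    intervals = [int((b - a).total_seconds()) for a, b in zip(resets, resets[1:])]
    return intervals, drops

def rekeys_ok(lines, reneg_sec, tolerance=5):
    """True if re-keys occur roughly every reneg_sec seconds and nothing dropped in between."""
    intervals, drops = analyse(lines)
    return not drops and all(abs(i - reneg_sec) <= tolerance for i in intervals)

# Constructed sample: a client with "reneg-sec 40" re-keying in place, as Dunc observed.
SAMPLE_LOG = """\
Nov 11 14:13:11 2009 us=101000 Initialization Sequence Completed
Nov 11 14:13:51 2009 us=763149 TLS: soft reset sec=0 bytes=314/0 pkts=6/0
Nov 11 14:14:31 2009 us=770321 TLS: soft reset sec=0 bytes=1440/0 pkts=18/0
Nov 11 14:15:11 2009 us=765500 TLS: soft reset sec=0 bytes=2210/0 pkts=31/0
""".splitlines()

# Constructed sample: same client, but the third re-key failed and the process restarted.
SAMPLE_LOG_DROP = SAMPLE_LOG[:3] + [
    "Nov 11 14:15:31 2009 us=200000 TLS Error: TLS key negotiation failed to occur within 60 seconds",
    "Nov 11 14:15:31 2009 us=200500 SIGUSR1[soft,tls-error] received, process restarting",
]
```

Run `rekeys_ok(lines, reneg_sec)` over a real client log with the reneg-sec value from that client's config; a False result with an empty drop list means the re-key cadence does not match the configured value, while a non-empty drop list means the tunnel actually bounced.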