Hi,

Initially I've created this RFE but have been told to send it to the devel list instead:
https://community.openvpn.net/openvpn/ticket/865

Unfortunately I'm not a developer and have never used git so please bear with me as I send a classic patch to the list. As suggested by user "syzzer" I also tried to improve the patch and here it is:

-------%<---------------------------------------------------------------

While we were suffering from the "TLS Renegotiation Slowdown" bug here
https://community.openvpn.net/openvpn/ticket/854
we realized that there is still room for improvement in our use case. It appears that TLS renegotiation is getting more and more expensive in terms of CPU cycles with recent changes for more security. To make things worse, we realized that most renegotiation procedures took place at almost the same time and increased the CPU load too much during these periods. That's especially true on large, multi-instance openvpn setups.

I've created the attached patch to add a per session pseudo-random component to the --reneg-sec intervals so that renegotiation is evenly spread over time. It is configured by simply adding a second value to --reneg-sec as described in the --help text:

--reneg-sec n [r] : Renegotiate data chan. key after n seconds
                    (default=3600) and if r is specified, add a per session
                    pseudo-random component in the range of 1 ... r to n
                    (default=0).

Note that the patch also slightly changes the log output to show the sec value in the same way as the bytes/pkts values:

TLS: soft reset sec=3084/3084 bytes=279897/-1 pkts=1370/0

-------%<---------------------------------------------------------------

The patch is tested and seems to work well in my environment. As always, comments are very welcome. Would be nice to have this patch accepted and included in OpenVPN 2.4.2.

Regards,
Simon
Attachment: openvpn-2.4.1-reneg-sec_random.patch (binary data)
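A simulation of the scheduling effect the patch is after, added here as an example (the patch itself is only a binary attachment on this page, so this is not its code): it models a fleet of tunnels that all came up at the same moment, lets each draw its --reneg-sec n [r] interval once per session, and compares the peak number of renegotiations per minute for r=0 against a 600 s random component. The fleet size, the 24 h horizon and the 60 s window are assumed values chosen for the demonstration.

```python
import random
from collections import Counter


def reneg_interval(n, r, rng):
    """Per-session --reneg-sec interval: n seconds plus, when r > 0,
    a pseudo-random component in the range 1 ... r (r = 0 means none)."""
    if r <= 0:
        return n
    return n + rng.randint(1, r)


def renegotiation_times(n, r, sessions, horizon, seed=0):
    """Return the renegotiation timestamps of `sessions` tunnels over
    `horizon` seconds.  Every tunnel starts at t=0 (the clustered worst
    case the mail describes) and draws its random component only once,
    i.e. per session, as the --help text states."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    times = []
    for _ in range(sessions):
        interval = reneg_interval(n, r, rng)
        t = interval
        while t <= horizon:
            times.append(t)
            t += interval
    return times


def peak_per_window(times, window):
    """Largest number of renegotiations that fall into any `window`-second
    bucket: a rough proxy for the CPU load spike described in the mail."""
    if not times:
        return 0
    return max(Counter(t // window for t in times).values())


def compare(n=3600, r=600, sessions=1000, horizon=86400, window=60):
    """Peak renegotiations per window without (r=0) and with the
    random component; assumed fleet of 1000 tunnels over one day."""
    plain = peak_per_window(renegotiation_times(n, 0, sessions, horizon), window)
    spread = peak_per_window(renegotiation_times(n, r, sessions, horizon), window)
    return plain, spread


if __name__ == "__main__":
    plain, spread = compare()
    print(f"peak renegotiations per minute: --reneg-sec 3600 -> {plain}, "
          f"--reneg-sec 3600 600 -> {spread}")
```

With r=0 every tunnel renegotiates in the same minute, so the peak equals the fleet size; with the random component the first renegotiations are spread over ten minutes and later cycles drift further apart.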
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel