On 05/04/17 05:34, Simon Matter wrote:
>>> Hi,
>>>
>>> On Tue, Apr 04, 2017 at 08:29:49AM +0200, Simon Matter wrote:
>>>> Interesting to see that there is zero interest in this patch here.
>>>
>>> This is a misinterpretation.
>>>
>>
>> Hi Gert,
>>
>> Thanks for the explanation, I'll be patient then :)
>>
>> If it's preferred for the patch to keep it even simpler and compatible with the
>> current configs, it could be broken down to something like this in init.c:
>
> I've attached v2 now which works without any config change:
>
> --reneg-sec n
> Renegotiate data channel key after n seconds (default=3600).
>
> Note that the effective value used here is a per session pseudo-
> randomized 25% of n deducted from n. With the default value of
> 3600 this results in an effective per session value in the range
> of 2701 ... 3600 seconds.
>
A different approach could be like so:

--reneg-sec 3600 --reneg-sec-1sttime-rand 1|0

(The name here is just for detail.)

where --reneg-sec is essentially left alone but --reneg-sec-1sttime-rand
does the very first renegotiation at some random time up to the
--reneg-sec parameter. After that --reneg-sec is only in play.

It could even be done as --rand-reneg 1|0 and that could be set to
randomize *all* --reneg-* parameters up to the limit of the --reneg-* in
question and then hand control back to the --reneg-* in use after
--rand-reneg has executed one time.

(Although, I expect only --reneg-sec has such a specific issue)

my2c
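To make the two proposals above concrete, here is an added C illustration (not OpenVPN code and not the v2 patch) that computes the renegotiation interval under each scheme and lays out the resulting schedule for one session. Scheme A follows the v2 description: a per-session pseudo-random amount of up to 25% of n is deducted from n on every interval, so n=3600 yields 2701 ... 3600. Scheme B follows the alternative: only the very first interval is randomized (1 ... n), after which the fixed --reneg-sec value applies. The function names, the `toy_rand` generator and the seed are assumptions made for this example; a real implementation would draw from the daemon's own PRNG.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Scheme A (v2 patch description): deduct a pseudo-random share of up to
 * 25% of n from n. With n = 3600 the deduction is 0..899, so the result
 * lies in 2701..3600. Values of n below 4 are returned unchanged. */
unsigned int reneg_sec_jittered(unsigned int n, uint32_t rnd)
{
    unsigned int span = n / 4;          /* 25% of n */
    if (span == 0) {
        return n;
    }
    return n - (rnd % span);            /* n-span+1 .. n */
}

/* Scheme B (--reneg-sec-1sttime-rand proposal): when enabled, the first
 * interval of a session is a random value in 1..n; every later interval
 * is exactly n. */
unsigned int reneg_sec_first_random(unsigned int n, uint32_t rnd,
                                    int first, int enabled)
{
    if (enabled && first && n > 0) {
        return 1 + (rnd % n);           /* 1 .. n */
    }
    return n;
}

/* Constructed, deterministic generator (a linear congruential step) so the
 * example is reproducible. It stands in for the daemon's PRNG here and is
 * not suitable for anything security relevant. */
static uint32_t toy_rand(uint32_t *state)
{
    *state = *state * 1664525u + 1013904223u;
    return *state;
}

/* Fill out[0..k-1] with absolute renegotiation times (seconds since session
 * start). scheme 0 = jitter every interval (A), scheme 1 = randomize only
 * the first interval (B). */
void reneg_schedule(int scheme, unsigned int n, uint32_t seed,
                    unsigned int *out, size_t k)
{
    uint32_t st = seed;
    unsigned int t = 0;
    for (size_t i = 0; i < k; i++) {
        uint32_t r = toy_rand(&st);
        unsigned int interval = (scheme == 0)
            ? reneg_sec_jittered(n, r)
            : reneg_sec_first_random(n, r, i == 0, 1);
        t += interval;
        out[i] = t;
    }
}

int main(void)
{
    unsigned int a[4], b[4];
    reneg_schedule(0, 3600, 42u, a, 4);   /* seed 42 is an arbitrary constant */
    reneg_schedule(1, 3600, 42u, b, 4);
    printf("scheme A (jitter each interval): ");
    for (size_t i = 0; i < 4; i++) {
        printf("%u ", a[i]);
    }
    printf("\nscheme B (randomize first only): ");
    for (size_t i = 0; i < 4; i++) {
        printf("%u ", b[i]);
    }
    printf("\n");
    return 0;
}
```

Under scheme A each renegotiation is shortened by up to 25%, so the session rekeys a little more often than configured and the desynchronisation between clients grows with every interval; under scheme B the session is offset once and then keeps the exact configured period, which is closest to the current config semantics.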