On 05/04/17 18:13, Arne Schwabe wrote:
>
>>>
>>> Where RAND indicates that the first-run timer should run from a random
>>> integer from 1 up to the value of --reneg-sec. RAND does not require a
>>> user to specify an amount.
>>
>> But then, why not just do it always and forget about the additional option?

I actually agree, why not simply enable RAND as above *always*

>>
>
> Optional option does not mean that it is disabled by default. If you
> don't want the randomness you would need to do:
>
> reneg-sec 3600 3600
>
> the optional argument also allows it to fine tune it to your needs.

As the reason for --reneg-sec is to specify how long a key should exist, I don't see any further need to make the "random window" be specifically configurable ..

The reneg-sec period will remain as specified (def 3600) except for the first run, where --reneg-sec is started from a random time between now and then. Thereafter returning to "normal", with full randomisation of all connected clients' --reneg-sec being spread over the *entire* period of --reneg-sec nn and not some unnecessary window.

Regards
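The behaviour discussed in this thread, as an added simulation that is not part of the original message or of OpenVPN's code: it models only the renegotiation timer, with the first run drawn from 1 up to --reneg-sec and the normal period afterwards. The function names, the 1000 clients and the mass reconnect at t=0 are assumptions made for the illustration.

```python
import random
from collections import Counter

def reneg_times(reneg_sec, horizon, first_delay):
    """Seconds since connect at which one client renegotiates its key."""
    times, t = [], first_delay
    while t <= horizon:
        times.append(t)
        t += reneg_sec          # after the first run the normal period applies
    return times

def simulate(clients, reneg_sec, horizon, randomise_first, seed=1):
    """Model a mass reconnect at t=0 (assumed scenario, e.g. a server restart).

    Returns (peak renegotiations in one second,
             number of distinct seconds with any renegotiation,
             longest time any key stayed in use).
    """
    rng = random.Random(seed)   # fixed seed so the run is repeatable
    load = Counter()
    max_key_age = 0
    for _ in range(clients):
        # RAND as described in the thread: integer from 1 up to --reneg-sec
        first = rng.randint(1, reneg_sec) if randomise_first else reneg_sec
        times = reneg_times(reneg_sec, horizon, first)
        load.update(times)
        prev = 0
        for t in times:
            max_key_age = max(max_key_age, t - prev)
            prev = t
    return max(load.values()), len(load), max_key_age

if __name__ == "__main__":
    for flag in (False, True):
        peak, busy, age = simulate(1000, 3600, 4 * 3600, flag)
        print(f"randomise_first={flag}: peak/sec={peak} "
              f"busy_seconds={busy} max_key_age={age}s")
```

With the fixed timer every client renegotiates in the same second of each period; with the randomised first run the load stays spread over the whole period in later rounds as well, and no key is used for longer than --reneg-sec.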