2017-04-06 3:26 GMT+05:00 David Sommerseth <open...@sf.lists.topphemmelig.net>:
> On 05/04/17 23:43, Илья Шипицин wrote:
> > hello!
> >
> > just curious how renegotiation is handled in "https" ?
> > is it "an abbreviated ssl handshake" (RFC 2246) or ... ?
>
> The HTTPS and OpenVPN protocols are not comparable in this regard at all.
> AFAIR, OpenVPN does not make use of the TLS renegotiation possibility at
> all. So a renegotiation in OpenVPN actually results in a completely new
> and fresh TLS session, not related to previous TLS sessions at all.
>
both HTTPS and OpenVPN are
1) client-->server
2) long running
3) SSL based
they are similar from many points of view.
as renegotiation does occur for https, and we do not observe "hourly" CPU
peaks, I think it is worth not reinventing the wheel here
>
>
> --
> kind regards,
>
> David Sommerseth
> OpenVPN Technologies, Inc
>
>
>
> > 2017-04-06 2:39 GMT+05:00 David Sommerseth <open...@sf.lists.topphemmelig.net>:
> >
> > On 05/04/17 23:13, debbie10t wrote:
> > > I don't believe there is any need to specify "max" because that would be
> > > --reneg-sec as is. Otherwise specify a smaller or larger --reneg-sec
> >
> > I think you, probably without being aware of it, are agreeing to what
> > the current proposal is:
> >
> > --reneg-sec max
> > A renegotiation happens within 'max' seconds, but with a 10%-ish
> > randomness
> >
> > --reneg-sec min max
> > A renegotiation happens within 'min' and 'max' seconds, fully
> > controllable
> >
> > So using --reneg-sec 3600 3600, effectively removes the randomness.
> >
> >
> > --
> > kind regards,
> >
> > David Sommerseth
> > OpenVPN Technologies, Inc
>
>
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
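
The "hourly CPU peak" concern and the two `--reneg-sec` forms discussed in the thread, as an added simulation that is not part of the original messages or OpenVPN's code. It assumes a uniform draw between min and max and reads "10%-ish" as min = 90% of max; the function names are hypothetical.

```python
import random
from collections import Counter


def reneg_delay(rng, max_sec, min_sec=None):
    """Seconds until one session's next renegotiation.

    One-argument form: assumed uniform in [0.9 * max, max] ("10%-ish").
    Two-argument form: uniform in [min, max]; min == max removes randomness.
    """
    if min_sec is None:
        min_sec = max_sec * 9 // 10  # assumption: 10% window below max
    if min_sec > max_sec:
        raise ValueError("min must not exceed max")
    return rng.randint(min_sec, max_sec)


def peak_handshakes(clients, max_sec, min_sec=None,
                    horizon=4 * 3600, bucket=10, seed=1):
    """Worst-case number of renegotiations in any `bucket`-second window.

    All clients are assumed to connect at t=0 (for example after a server
    restart), which is the case that produces synchronized peaks.
    """
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    load = Counter()
    for _ in range(clients):
        t = reneg_delay(rng, max_sec, min_sec)
        while t <= horizon:
            load[t // bucket] += 1
            t += reneg_delay(rng, max_sec, min_sec)
    return max(load.values())


if __name__ == "__main__":
    fixed = peak_handshakes(2000, 3600, 3600)   # --reneg-sec 3600 3600
    jitter = peak_handshakes(2000, 3600)        # --reneg-sec 3600
    wide = peak_handshakes(2000, 3600, 1800)    # --reneg-sec 1800 3600
    print("fixed interval peak per 10s:", fixed)
    print("10% window peak per 10s:   ", jitter)
    print("1800..3600 peak per 10s:   ", wide)
```
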