Hi,

On 01/01/18 20:30, Steffan Karger wrote:
[CUT]
> Note the '5 seconds' reconnect loop, which is the same as what current
> released openvpn would do in response to an alert. So if we change our
> servers to send alerts, they will experience quite a bit more load from
> clients attempting to reconnect. We can make newer clients use some
> exponential back-off, but older clients will be around for quite a while.
>

If we really go this way, we could even have the client "understand" the alert and stop retrying if the error is permanent (i.e. certificate revoked).

However, are we sure we're not going to introduce surface for a DoS attack by opening this hole for unauthorized clients? Basically anybody with a revoked certificate is now able to trigger some kind of logic on the server side (this is how I understand it).

Consider that obtaining a revoked certificate is not that difficult (i.e. VPN providers granting free periods normally do that by issuing and revoking a new cert).

Cheers,

-- 
Antonio Quartulli
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
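The load argument in the quoted text (a fixed 5-second retry loop versus exponential back-off, and a client that stops retrying on a permanent error) can be made concrete with a small simulation. The following is an added example and is not code from this thread or from the OpenVPN project; the fleet size, observation window, base delay, cap and jitter policy are constructed assumptions, and the "policy" functions only model the scheduling, not any actual OpenVPN client behaviour.

```python
"""Simulate how many reconnect attempts a server sees from a fleet of rejected
clients under different client-side retry policies (constructed example)."""
import random
from collections import Counter

# Constructed scenario: every client is rejected on every attempt (e.g. the
# server answers with an alert) and keeps retrying for the whole window.
NUM_CLIENTS = 100
WINDOW_SECONDS = 600


def fixed_delay(attempt, rng=None):
    """Retry policy described in the thread for released clients:
    reconnect every 5 seconds no matter how many times it failed."""
    return 5.0


def exponential_backoff(attempt, rng, base=5.0, cap=300.0):
    """Exponential back-off with jitter (assumed policy, not OpenVPN's):
    the nominal delay doubles on every failed attempt up to `cap`, and the
    actual delay is drawn uniformly from [nominal/2, nominal] so that clients
    that failed at the same moment do not all come back at the same moment."""
    nominal = min(cap, base * (2 ** attempt))
    return rng.uniform(nominal / 2.0, nominal)


def simulate(policy, num_clients=NUM_CLIENTS, window=WINDOW_SECONDS,
             permanent=False, seed=0):
    """Return (total_attempts, peak_attempts_in_one_second) for the fleet.

    Every client makes its first attempt at t=0. With `permanent=True` the
    client treats the alert as a permanent failure (the behaviour proposed
    in the reply) and never retries, so only the first attempt is counted."""
    rng = random.Random(seed)           # seeded so the run is reproducible
    attempts_per_second = Counter()
    for _ in range(num_clients):
        t = 0.0
        attempt = 0
        while t < window:
            attempts_per_second[int(t)] += 1
            if permanent:
                break
            t += policy(attempt, rng)
            attempt += 1
    total = sum(attempts_per_second.values())
    peak = max(attempts_per_second.values()) if attempts_per_second else 0
    return total, peak


if __name__ == "__main__":
    for name, policy, permanent in (
        ("fixed 5 s retry", fixed_delay, False),
        ("exponential back-off", exponential_backoff, False),
        ("stop on permanent alert", fixed_delay, True),
    ):
        total, peak = simulate(policy, permanent=permanent)
        print(f"{name:24s} total={total:6d}  peak/s={peak:4d}")
```

The fixed policy yields one attempt per client every 5 seconds for the whole window (12000 attempts from 100 clients in 10 minutes, all arriving in the same second), while the capped back-off keeps each client under ten attempts in the same window and the "permanent" policy collapses to a single attempt per client. The t=0 burst is identical in every case, which is the point of the second paragraph of the reply: whatever the retry policy, the first attempt from a client with a revoked certificate is always accepted as far as the TCP/TLS handshake and any server-side processing before rejection are concerned, so that per-attempt cost is what a server operator has to budget for.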