I haven't found the explanation, but I noticed that the problem does not exist if reneg-sec is > 60 seconds. That's more than enough, so I won't consider it an issue for me.

On Tue, Jun 10, 2014 at 2:43 PM, Lev Stipakov <lstipa...@gmail.com> wrote:
> Hello,
>
> I'm facing a problem with "defer" sample plugin and rekeying.
>
> I use plugin from
> https://github.com/OpenVPN/openvpn/tree/master/sample/sample-plugins/defer.
>
> Relevant part of openvpn config:
>
>> auth-user-pass-optional
>> setenv test_deferred_auth 2
>> plugin /etc/openvpn/simple.so
>> reneg-sec 20
>
> Everything works fine, plugin writes into auth control file in 2 secs
> and client got authenticated. When rekeying happens, plugin got
> called and writes again to auth control file, however after that
> connection breaks.
>
> Part of OpenVPN log:
>
> OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY
> DEFER u='' p='' acf='/tmp/openvpn_acf_8ec7b1fb155ede01c8bae22c6e4ad4ea.tmp'
> ( sleep 2 ; echo AUTH
> /tmp/openvpn_acf_8ec7b1fb155ede01c8bae22c6e4ad4ea.tmp 2 ; echo 1
>>/tmp/openvpn_acf_8ec7b1fb155ede01c8bae22c6e4ad4ea.tmp ) &
> Tue Jun 10 13:25:50 2014 us=851659
> 588b4d7d-f8ec-4397-8156-43ed232c2dd8/10.64.1.101:1194 PLUGIN_CALL:
> POST /etc/openvpn/simple.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
> Tue Jun 10 13:25:50 2014 us=851680
> 588b4d7d-f8ec-4397-8156-43ed232c2dd8/10.64.1.101:1194 TLS:
> Username/Password authentication deferred for username ''
> OPENVPN_PLUGIN_TLS_FINAL
> Tue Jun 10 13:25:50 2014 us=851695
> 588b4d7d-f8ec-4397-8156-43ed232c2dd8/10.64.1.101:1194 PLUGIN_CALL:
> POST /etc/openvpn/simple.so/PLUGIN_TLS_FINAL status=0
> Tue Jun 10 13:25:50 2014 us=851842
> 588b4d7d-f8ec-4397-8156-43ed232c2dd8/10.64.1.101:1194 Data Channel
> Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Tue Jun 10 13:25:50 2014 us=851850
> 588b4d7d-f8ec-4397-8156-43ed232c2dd8/10.64.1.101:1194 Data Channel
> Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Tue Jun 10 13:25:50 2014 us=851894
> 588b4d7d-f8ec-4397-8156-43ed232c2dd8/10.64.1.101:1194 Data Channel
> Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Tue Jun 10 13:25:50 2014 us=851902
> 588b4d7d-f8ec-4397-8156-43ed232c2dd8/10.64.1.101:1194 Data Channel
> Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Tue Jun 10 13:25:50 2014 us=853273
> 588b4d7d-f8ec-4397-8156-43ed232c2dd8/10.64.1.101:1194 Control Channel:
> TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
> Tue Jun 10 13:25:51 2014 us=238477
> 588b4d7d-f8ec-4397-8156-43ed232c2dd8/10.64.1.101:1194 TLS Error:
> local/remote TLS keys are out of sync: [AF_INET]10.64.1.101:1194 [1]
>
> and after that lots of "TLS keys are out of sync".
>
> Rekeying works if plugin responds synchronously, so problem seems to
> be related to deferred response.
>
> Is it kind of a bug in OpenVPN/sample plugin or am I missing something
> in configuration? Anything can be done (maybe in OpenVPN code) to make
> it work?
>
> -Lev
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users

--
-Lev
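
One way to spot the pattern reported in this thread in a server log is to pair each "authentication deferred" event with a later "TLS keys are out of sync" error from the same peer. This is an added example, not part of the original messages or the OpenVPN project; the function name, the 5-second correlation window and the extra sample lines are assumptions.

```python
import re
from datetime import datetime, timedelta

PEER = "588b4d7d-f8ec-4397-8156-43ed232c2dd8/10.64.1.101:1194"
# Constructed sample: three lines from the excerpt in the thread (unwrapped),
# plus an invented repeat error and an invented healthy peer as a control.
SAMPLE_LOG = f"""\
Tue Jun 10 13:25:50 2014 us=851680 {PEER} TLS: Username/Password authentication deferred for username ''
Tue Jun 10 13:25:50 2014 us=853273 {PEER} Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Jun 10 13:25:51 2014 us=238477 {PEER} TLS Error: local/remote TLS keys are out of sync: [AF_INET]10.64.1.101:1194 [1]
Tue Jun 10 13:25:52 2014 us=241105 {PEER} TLS Error: local/remote TLS keys are out of sync: [AF_INET]10.64.1.101:1194 [1]
Tue Jun 10 13:26:10 2014 us=100000 constructed-peer/10.64.1.102:1194 TLS: Username/Password authentication deferred for username ''
"""

# timestamp, microseconds ("us=" field), peer prefix, message
LINE = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}) us=(\d+) (\S+) (.*)$")


def find_desync_after_defer(log_text, window=timedelta(seconds=5)):
    """Return {peer: info} for peers whose first out-of-sync error arrived
    within `window` of a deferred-auth event; later errors are counted."""
    deferred = {}  # peer -> time of the most recent deferred-auth line
    hits = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # plugin stdout lines such as "DEFER u='' ..." carry no timestamp
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        ts += timedelta(microseconds=int(m.group(2)))
        peer, msg = m.group(3), m.group(4)
        if "authentication deferred" in msg:
            deferred[peer] = ts
        elif "TLS keys are out of sync" in msg and peer in deferred:
            if peer in hits:
                hits[peer]["errors"] += 1
            elif ts - deferred[peer] <= window:
                hits[peer] = {"deferred_at": deferred[peer],
                              "first_error_after": ts - deferred[peer],
                              "errors": 1}
    return hits


if __name__ == "__main__":
    for peer, info in find_desync_after_defer(SAMPLE_LOG).items():
        print(peer, info["first_error_after"], info["errors"])
```
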