On 08/06/2014 02:38 PM, David Sommerseth wrote:
> On 06/08/14 15:20, Gert Doering wrote:
>
>>> What is CPU intensive is when asymmetric encryption comes into
>>> play, with the key exchanges and other negotiations etc.
>
>> slow, but used much more seldom... assuming VPN clients that stay
>> connected for a reasonable amount of time, and transfer "enough"
>> data.
>
> True ... until you restart a busy server. Then you'll get a busy
> peak, and unless --reneg-* options are disabled, you'll have these
> peaks fairly regularly.
I haven't looked at the code, but I wonder if there is a random margin time added to or subtracted from reneg-sec to avoid all clients renegotiating at the exact same time in that specific scenario? This feature is well explained here [1] (IPsec implementation), see "rekeyfuzz".

> Which actually makes me ponder even more, regarding the SSL state
> manager. If OpenVPN is killed with a "restart" signal, could it
> encrypt the saved state and dump to file (keying material could be the
> server --key, or another explicit key for this feature). When it is
> started again, it will read and decrypt this file and continue without
> re-init of all SSL clients .... but it may actually fail, especially
> for TCP, depending on if there are any tight relations to the client
> ports.

I like that idea, and maybe the TCP case could be addressed by TCP repair [2] on Linux.

Regards,
Simon

1: https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
2: https://lwn.net/Articles/495304/
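The renegotiation peak discussed above can be made concrete with a small simulation. This is an added example, not code from the thread, OpenVPN or strongSwan: it models clients that all (re)connected at the same instant after a server restart and compares a fixed reneg-sec against one with a random margin subtracted from it (a simplified stand-in for a "rekeyfuzz"-style option; the 20% fuzz width and the per-second bucketing are assumptions, not any project's real defaults).

```python
import random
from collections import Counter

RENEG_SEC = 3600      # renegotiation interval in seconds (OpenVPN --reneg-sec style)
REKEYFUZZ = 0.20      # assumed fuzz: subtract up to 20% of the interval at random


def rekey_times(n_clients, reneg_sec, fuzz, rounds, rng):
    """Absolute times (seconds) at which each client renegotiates.

    All clients are assumed to have connected at t=0, as after a server
    restart.  With fuzz=0 every client rekeys at exact multiples of
    reneg_sec; with fuzz>0 each interval is shortened by a random margin
    drawn independently per client and per round, so the schedules drift
    apart instead of lining up.
    """
    times = []
    for _ in range(n_clients):
        t = 0.0
        for _ in range(rounds):
            margin = rng.uniform(0.0, fuzz * reneg_sec) if fuzz else 0.0
            t += reneg_sec - margin
            times.append(t)
    return times


def peak_rekeys_per_bucket(times, bucket_sec=1):
    """Largest number of renegotiations landing in any bucket_sec-wide window.

    This is the number the server must absorb at once: each one is an
    asymmetric key exchange, i.e. the CPU-heavy part of the handshake.
    """
    counts = Counter(int(t // bucket_sec) for t in times)
    return max(counts.values())


def compare_peaks(n_clients=1000, rounds=3, seed=1):
    """Return (peak without fuzz, peak with fuzz) for the constructed scenario."""
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    fixed = peak_rekeys_per_bucket(rekey_times(n_clients, RENEG_SEC, 0.0, rounds, rng))
    fuzzed = peak_rekeys_per_bucket(rekey_times(n_clients, RENEG_SEC, REKEYFUZZ, rounds, rng))
    return fixed, fuzzed


if __name__ == "__main__":
    fixed, fuzzed = compare_peaks()
    print(f"peak renegotiations/sec: fixed reneg-sec={fixed}, with fuzz={fuzzed}")
```

Without fuzz every client lands in the same one-second bucket on every round, so the peak equals the client count; with the margin the same load is spread over the fuzz window, and later rounds spread it further still.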