On 07/08/14 00:12, David Sommerseth wrote:
> What is CPU intensive is when asymmetric encryption comes into play,
> with the key exchanges and other negotiations etc.

I sooo have to agree with that. Back in the day I could notice even with only TWO clients how openvpn would completely HANG during key renegotiation! i.e. I'd be SSH-ed into some work server via openvpn, happily typing away, the second client would connect and WHAM! total freeze for 5+ seconds.

Which is why I changed our reneg-sec from 3600 to 36000 (i.e. ten hours). If we had 100 simultaneous clients, I'd even think of increasing that yet again. The theoretical risk of someone actually brute forcing a key in that time window is still nearly infinitely less than the actual impact of key renegotiation on openvpn.

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1