On Sat, Jul 22, 2006 at 09:27:43PM +0200, Alberto Gonzalez Iniesta wrote:
> On Tue, Apr 04, 2006 at 08:38:18PM +0200, Jan Niehusmann wrote:
> > Openvpn fails to bring up the tunnel if the system time goes backwards
> > during negotiation. As this is a very unusual situation, it's probably
> > not critical to fix this, therefore the minor severity.
> [snip]
> >
> > The time shift was 2h to the past - perhaps openvpn would continue after
> > waiting 2h, I was not patient enough to wait as long ;-)
>
> Hi Jan,
>
> If I recall correctly, time is an important factor in SSL. OpenVPN uses
> the timestamp to prevent replay attacks. Going back two hours in time
> is probably not a good idea in any SSL connection. You may want to try
> disabling the replay attacks protection with --no-replay.
>
> This is not a bug, but clearly a feature and I'll close this bug unless
> you have something more to say about it.

It would be a feature if OpenVPN closed the existing connection because of the wrong time steps, preferably with a good error message. This would allow the client to do a reconnect and be happy. Just hanging and doing nothing is not a good option, IMHO. So I do consider this a bug, albeit a minor one.

Also I don't really think your SSL theory is correct, because OpenVPN keeps the connection open on a date change (I just tried it, to be sure, while writing this mail - set the time back two hours and then forward two hours, without any visible problem). It was just the unfortunate fact that ntpdate was called in the up scripts with a seemingly bad timing that caused OpenVPN to hang.

The bad thing was that I just saw that OpenVPN did hang while trying to connect to the server, without any indication of the reason. It was mere luck that I noticed the coincidence of the system time change and the hangup. Otherwise, I might have spent a lot of time looking for the root of the connection problems.

However, if you prefer to close this bug report because you don't plan to work on it and think that it clobbers the bug list, feel free to just close it and keep working on more important issues :-)

Jan

