Hi,

On Tue, Nov 01, 2016 at 08:06:47PM +0100, Steffan Karger wrote:
> As reported by debbie10t on the openvpn-devel list (Message-ID:
> <[email protected]>), an NCP client will
> attempt to reconnect with the previously pushed cipher, instead of the
> cipher from the config file, after a sigusr1 restart. This can be a
> problem when the server is reconfigured (as debbie10t explained), or when
> roaming to a differently-configured server. Fix this by restoring the
> cipher options from the config file after a sigusr1 restart.
>
> This makes the cipher options behaviour different from other pushable
> options, because those are also cached until a sighup restart. We might
> want to change this behaviour in general, but for now let's just fix the
> issue at hand.
>
> v2: also cache and restore keysize, as that parameter is relevant too.
> v3: inherit cached cipher options from parent context.
[..]

ACK.
After extensive discussion on #openvpn-devel - the code looks quite
harmless, but now I think I understand the flow of things and when and
why the SSL/TLS context is re-used on client and server, and what happens
if it is *not* re-used (client re-inits from config file, server re-inits
from global context which still has the config-file settings).
David, since you currently hold the "not fully pushed" tree (due to sf),
can you please merge?
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany [email protected]
fax: +49-89-35655025 [email protected]
