> Hi,
>
> Initially I've created this RFE but have been told to send it to
> the devel list instead:
>
> https://community.openvpn.net/openvpn/ticket/865
>
> Unfortunately I'm not a developer and have never used git so please bear
> with me as I send a classic patch to the list.
>
> As suggested by user "syzzer" I also tried to improve the patch and here
> it is:
>
> -------%<---------------------------------------------------------------
> While we were suffering from the "TLS Renegotiation Slowdown" bug here
> https://community.openvpn.net/openvpn/ticket/854 we realized that there is
> still room for improvement in our use case.
>
> It appears that TLS renegotiation is getting more and more expensive in
> terms of CPU cycles with recent changes for more security. To make things
> worse, we realized that most renegotiation procedures took place at almost
> the same time and increased the CPU load too much during these periods.
> That's especially true on large, multi-instance openvpn setups.
>
> I've created attached patch to add a per session pseudo-random component to
> the --reneg-sec intervals so that renegotiation is evenly spread over time.
> It is configured by simply adding a second value to --reneg-sec as described
> in the --help text:
>
> --reneg-sec n [r] : Renegotiate data chan. key after n seconds
> default=3600)
> and if r is specified, add a per session pseudo-random
> component in the range of 1 ... r to n (default=0).
>
> Note that the patch also slightly changes the log output to show the sec value
> in the same way as the bytes/pkts values:
>
> TLS: soft reset sec=3084/3084 bytes=279897/-1 pkts=1370/0
> -------%<---------------------------------------------------------------
>
>
> The patch is tested and seems to work well in my environment. As always,
> comments are very welcome.
>
> Would be nice to have this patch accepted and included in OpenVPN 2.4.2.

Any comments on this patch? Would be nice to get some feedback :)

Simon

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
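
The load-spreading effect described in the quoted patch text, as an added simulation that is not part of the patch or of OpenVPN. It assumes the offset is drawn once per session from 1..r and added to n, and it uses a constructed population of 1000 sessions that all connect within 30 seconds (for instance after a server restart); the function names are hypothetical.

```python
import random
from collections import Counter

def reneg_times(start, n, r, horizon, rng):
    """Renegotiation times (seconds) for one session up to `horizon`.

    Assumption: the offset is drawn once per session from 1..r and added
    to n; r=0 means plain --reneg-sec n behaviour.
    """
    interval = n + (rng.randint(1, r) if r > 0 else 0)
    return list(range(start + interval, horizon + 1, interval))

def peak_load(starts, n, r, horizon=4 * 3600, bucket=60, seed=1):
    """Largest number of renegotiations falling into one `bucket`-second window."""
    rng = random.Random(seed)  # load spreading only, not a security-relevant RNG
    per_bucket = Counter()
    for start in starts:
        for t in reneg_times(start, n, r, horizon, rng):
            per_bucket[t // bucket] += 1
    return max(per_bucket.values())

# Constructed sample: 1000 sessions that all connect within 30 seconds.
STARTS = [i % 30 for i in range(1000)]

if __name__ == "__main__":
    print("reneg-sec 3600     peak/min:", peak_load(STARTS, 3600, 0))
    print("reneg-sec 3600 600 peak/min:", peak_load(STARTS, 3600, 600))
```

With the fixed interval every session renegotiates in the same minute each hour; with the per-session offset the first round is spread over roughly ten minutes and later rounds drift further apart.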