Hi,

> From: Simon Matter <simon.mat...@invoca.ch>
>
> While we were suffering from the "TLS Renegotiation Slowdown" bug here
> https://community.openvpn.net/openvpn/ticket/854 we realized that there is
> still room for improvement in our use case.
>
> It appears that TLS renegotiation is getting more and more expensive in
> terms of CPU cycles with recent changes for more security. To make things
> worse, we realized that most renegotiation procedures took place at almost
> the same time and increased the CPU load too much during these periods.
> That's especially true on large, multi-instance openvpn setups.
>
> I've created the attached patch to add a per-session pseudo-random component
> to the --reneg-sec intervals so that renegotiation is evenly spread over
> time. It is configured by simply adding a second value to --reneg-sec as
> described in the --help text:
>
> --reneg-sec max [min] : Renegotiate data chan. key after at most max
>                         (default=3600) and at least min (default 90% of max on
>                         servers and equal to max on clients).
>
> The jitter is only enabled by default on servers, because the actual reneg
> time is min(reneg_server, reneg_client). Introducing jitter at both ends
> would bias the actual reneg time to the min value.
>
> Note that the patch also slightly changes the log output to show the sec
> value in the same way as the bytes/pkts values:
>
> TLS: soft reset sec=3084/3084 bytes=279897/-1 pkts=1370/0
>
> The idea and first versions of this patch are from Simon Matter. Steffan
> Karger later incorporated the mailing list comments into this patch. So
> credits go to Simon, and all bugs are Steffan's fault ;-)
>
> Signed-off-by: Simon Matter <simon.mat...@invoca.ch>
> Signed-off-by: Steffan Karger <stef...@karger.me>
> ---
> v3: incorporate comments from openvpn-devel@, don't add jitter by
>     default on the client side.
> v4: fix printing of reneg interval, clarify/typofix comments
I've tested it and it works as expected, thanks!

Regards,
Simon

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
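The cover letter makes two claims that are easy to check with a small model: per-session jitter on the server flattens the renegotiation peak, and enabling jitter on both ends pulls the effective interval (min of the two timers) toward the lower bound. The simulation below is an added illustration written for this thread; it is not OpenVPN code and not part of the patch. It assumes the jitter is drawn uniformly from [min, max] (the letter only says "pseudo-random"), uses the letter's defaults (max=3600, min=90% of max on servers, min=max on clients), and assumes every session established its key at t=0, the worst case the letter describes. All function names (reneg_interval, effective_interval, simulate, peak_load) are hypothetical.

```python
"""Model of --reneg-sec jitter as described in the v4 cover letter.

Added example, not OpenVPN code. Distribution (uniform) and the
"all sessions keyed at t=0" start condition are assumptions.
"""
import random
from collections import Counter


def reneg_interval(rng, reneg_max, reneg_min):
    """Per-session interval in [reneg_min, reneg_max).

    With reneg_min == reneg_max (the client default) there is no jitter
    and the interval is exactly reneg_max.
    """
    if reneg_min >= reneg_max:
        return reneg_max
    return reneg_min + rng.random() * (reneg_max - reneg_min)


def effective_interval(server_interval, client_interval):
    """Whichever side's timer fires first triggers the soft reset,
    so the observed interval is min(reneg_server, reneg_client)."""
    return min(server_interval, client_interval)


def simulate(n_sessions, reneg_max=3600, server_jitter=True,
             client_jitter=False, seed=1):
    """Return the effective reneg time of n_sessions sessions.

    server_jitter/client_jitter select the cover letter's default
    (server: min = 90% of max; client: min = max) per side.
    """
    rng = random.Random(seed)
    reneg_min = int(reneg_max * 0.9)          # 3240 for the default max
    intervals = []
    for _ in range(n_sessions):
        s = reneg_interval(rng, reneg_max,
                           reneg_min if server_jitter else reneg_max)
        c = reneg_interval(rng, reneg_max,
                           reneg_min if client_jitter else reneg_max)
        intervals.append(effective_interval(s, c))
    return intervals


def peak_load(intervals, bucket=60):
    """Largest number of renegotiations landing in one bucket-second
    window, assuming all sessions were keyed at t=0."""
    counts = Counter(int(t // bucket) for t in intervals)
    return max(counts.values())


def mean(xs):
    return sum(xs) / len(xs)


if __name__ == "__main__":
    n = 10000
    for label, sj, cj in (("no jitter", False, False),
                          ("server jitter only (v4 default)", True, False),
                          ("jitter on both ends", True, True)):
        ts = simulate(n, server_jitter=sj, client_jitter=cj)
        print(f"{label:34s} mean={mean(ts):7.1f}s  "
              f"peak/60s={peak_load(ts):5d} of {n}")
```

Without jitter every session renegotiates in the same 60-second window; with the server-only default the 10000 sessions spread over six such windows, so the peak drops to roughly a sixth, and the mean interval sits at the midpoint of [3240, 3600). Enabling jitter on both ends keeps the same bounds but moves the mean toward 3240 (the expected minimum of two uniform draws lies one third of the way up the range rather than halfway), which is the bias the letter gives as the reason for leaving clients unjittered by default.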