2018-01-01 17:56 GMT+05:00 Antonio Quartulli <a...@unstable.cc>:

> Hi,
>
> On 01/01/18 20:30, Steffan Karger wrote:
>
> [CUT]
>
> >
> > Note the '5 seconds' reconnect loop, which is the same as what current
> > released openvpn would do in response to an alert.  So if we change our
> > servers to send alerts, they will experience quite a bit more load from
> > clients attempting to reconnect.  We can make newer clients use some
> > exponential back-off, but older clients will be around for quite a while.
> >
>
> If we really go this way, we could even have the client "understand" the
> alert and stop retrying if the error is permanent (i.e. certificate
> revoked).
>
>
> However, are we sure we're not going to introduce surface for DoS
> attacks by opening this hole for unauthorized clients?
>

What kind of DoS attacks are you talking about?



> Basically anybody with a revoked certificate is now able to trigger some
> kind of logic on the server side (this is how I understand it).
>
> Consider that obtaining a revoked certificate is not that difficult
> (i.e. VPN providers granting free periods normally do that by issuing
> and revoking a new cert).
>
>
>
> Cheers,
>
>
> --
> Antonio Quartulli
>
>
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>
>