> 
> Ok, after clarifying in chat, I understood that the time needed by a
> peer to elect a key as "usable" is defined by auth_deferred_expire_window().
> 
> If reneg-sec is smaller than hand-window (which is 60s by default) then
> we can have this particular situation.
> 
> Now, we are assuming that hand-window is always the same on both peers
> (client and server), but actually this value may also be customized and
> mess everything up.
> 
> Changing hand-window on one peer only is not a good idea in any case.
> 
> At this point I'd ask, why not remove/ignore --hand-window entirely
> and live with the 60s default?


That is one of the many questions of why so many protocol things in OpenVPN
are fine-tunable in the first place. We can certainly add warnings when
these are set, saying that the option should only be used for debugging,
and do the same for reneg-sec when set < 120 (or more accurately
2*hand-window).

Arne
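Added example (not part of the thread or of OpenVPN's code): a small lint that reads the reneg-sec and hand-window values from a client and a server config and emits the warnings discussed above, including the cross-peer hand-window mismatch. It assumes OpenVPN's documented defaults (hand-window 60s, reneg-sec 3600s), reads only the first argument of reneg-sec, and treats the smaller of the two peers' reneg-sec values as the effective renegotiation interval, since either side may trigger renegotiation.

```python
"""Lint OpenVPN client/server configs for the reneg-sec vs hand-window
interaction discussed above. Constructed example: it assumes the documented
defaults (hand-window 60s, reneg-sec 3600s) and only reads the first
argument of reneg-sec."""

DEFAULTS = {"hand-window": 60, "reneg-sec": 3600}


def parse_options(config_text):
    """Extract hand-window and reneg-sec (seconds) from OpenVPN config text.
    '#' and ';' comments and unrelated options are ignored."""
    opts = dict(DEFAULTS)
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] in opts and parts[1].isdigit():
            opts[parts[0]] = int(parts[1])
    return opts


def check_peer(opts):
    """Per-peer checks: non-default hand-window, and reneg-sec < 2*hand-window
    (the threshold suggested in the thread). Returns (code, message) pairs."""
    hw, rs = opts["hand-window"], opts["reneg-sec"]
    found = []
    if hw != DEFAULTS["hand-window"]:
        found.append(("hand-window-nondefault",
                      f"hand-window {hw}s differs from the 60s default"))
    if rs < 2 * hw:
        found.append(("reneg-sec-too-small",
                      f"reneg-sec {rs}s < 2*hand-window ({2 * hw}s); "
                      "the new key may not be usable before the next renegotiation"))
    return found


def check_pair(client_text, server_text):
    """Cross-peer checks. Either side may trigger renegotiation, so the
    effective interval is the smaller reneg-sec; it must still clear twice
    the larger hand-window (assumption: worst case across both peers)."""
    client, server = parse_options(client_text), parse_options(server_text)
    found = [("client",) + w for w in check_peer(client)]
    found += [("server",) + w for w in check_peer(server)]
    if client["hand-window"] != server["hand-window"]:
        found.append(("both", "hand-window-mismatch",
                      f"client {client['hand-window']}s vs server {server['hand-window']}s"))
    eff_reneg = min(client["reneg-sec"], server["reneg-sec"])
    max_hw = max(client["hand-window"], server["hand-window"])
    if eff_reneg < 2 * max_hw:
        found.append(("both", "effective-reneg-too-small",
                      f"min reneg-sec {eff_reneg}s < 2*max hand-window ({2 * max_hw}s)"))
    return found
```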


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
