On 14.06.21 at 16:21, Antonio Quartulli wrote:
> Hi,
>
> On 14/06/2021 15:58, Arne Schwabe wrote:
>>> At this point I'd ask, why not removing/ignoring --hand-window entirely
>>> and live with the 60s default?
>>
>>
>> That is one of the many questions why so many protocol things in OpenVPN
>> are fine-tunable in the first place. We can certainly add warnings when
>> setting these saying that this option should be only used for debugging.
>> And do the same for reneg-sec when set < 120 (or more accurately
>> 2*hand-window)
>
> When a knob is there, no matter if for debugging or not, people will
> just use it.
> It may break things, which may create rumors, which may create support
> overhead.
>
> IMHO going with well declared constant values (i.e. in a nicely
> commented header file), which can be easily tweaked by a developer
> before recompiling the OpenVPN, are more than enough for debugging
> (check [1] for an example).
>
> This way you clearly make the bar for shooting yourself in the foot high
> enough so that only skilled snipers can do that.
>

Put on the agenda for community meeting to decide if we want to deprecate hand-window completely and reneg-sec under < 120?

Arne