The current place that we reload is a bit more efficient since it only triggers reload after a completed 3way handshake. On the other hand the key_state_init is a much more logical place and with the upcoming HMAC based UDP code and TCP code, the initialisation will only be done after a 3way handshake.
---
 src/openvpn/ssl.c | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 097be8c02..d7fec0276 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -958,6 +958,17 @@ key_state_init(struct tls_session *session, struct key_state *ks)
 #ifdef ENABLE_MANAGEMENT
 ks->mda_key_id = session->opt->mda_context->mda_key_id_counter++;
 #endif
+
+ /*
+ * Attempt CRL reload before TLS negotiation. Won't be performed if
+ * the file was not modified since the last reload
+ */
+ if (session->opt->crl_file
+ && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))
+ {
+ tls_ctx_reload_crl(&session->opt->ssl_ctx,
+ session->opt->crl_file, session->opt->crl_file_inline);
+ }
 }
@@ -2512,20 +2523,8 @@ tls_process_state(struct tls_multi *multi,
 ks->state = S_START;
 state_change = true;
- /*
- * Attempt CRL reload before TLS negotiation. Won't be performed if
- * the file was not modified since the last reload
- */
- if (session->opt->crl_file
- && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))
- {
- tls_ctx_reload_crl(&session->opt->ssl_ctx,
- session->opt->crl_file, session->opt->crl_file_inline);
- }
-
 /* New connection, remove any old X509 env variables */
 tls_x509_clear_env(session->opt->es);
- dmsg(D_TLS_DEBUG_MED, "STATE S_START");
 }
-- 
2.32.0 (Apple Git-132)
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
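Review bot: The moved block in key_state_init now runs the CRL file check on every key state initialisation, which the commit message itself says currently happens before any handshake has completed, and the ordering it relies on (init only after a 3-way handshake) comes from a separate, upcoming change rather than this patch; the comment carried over from tls_process_state should make that interim cost explicit, e.g. `/* Runs on every key_state_init (currently before the handshake completes); skipped unless the CRL file changed */`. Whether the check inside tls_ctx_reload_crl is only a cheap file-status lookup cannot be confirmed from this hunk, so that wording is a reviewer's reading of the existing comment. The second hunk also drops `dmsg(D_TLS_DEBUG_MED, "STATE S_START");`, a state-trace line the commit message does not mention; either keep it or say in the message that the S_START trace is intentionally removed. key_state_init closes inside the first hunk, but tls_process_state's body continues outside the second.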