So, I tested this as instructed, setting a ridiculously low limit (10000), and "it does rekey often". There is one interesting aspect to it:

  2024-12-21 23:04:19 TLS: soft reset sec=91/3600 bytes=1043562/-1 pkts=6886/0 aead_limit_send=50100/8750 aead_limit_recv=6886/8750

.. with this low limit, we can exceed the limit by quite some margin - which is due to "tls_process()" only being called every 15-16 seconds when in steady state (this is what checks should_trigger_renegotiation()), so "what happens in these 15 seconds" can go over the limit. Which is not a problem for the normal limit (~68719476736 *7/8, so roughly 8589934592 AEAD blocks in 15 seconds - we're fast, but not that fast).

Besides this, the code does nothing unexpected - it passes all client/server side tests, and changes nothing in process behaviour.

So ACK from me, on top of the "crypto looks good" +1 from MaxF and Steffan.

Your patch has been applied to the master branch.

commit fb691d2dcc63a29dafdf11ca33837c758e2b13b7
Author: Arne Schwabe
Date:   Sat Dec 21 16:37:30 2024 +0100

    Trigger renegotiation of data key if getting close to the AEAD usage limit

    Signed-off-by: Arne Schwabe <a...@rfc2549.org>
    Acked-by: Gert Doering <g...@greenie.muc.de>
    Message-Id: <20241221153731.1755-1-g...@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30144.html
    Signed-off-by: Gert Doering <g...@greenie.muc.de>

--
kind regards,

Gert Doering
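As an added illustration of the polling-interval overshoot discussed in the message above (example code written for this note, not OpenVPN's own; the struct, counters, the 550 blocks/s rate derived from the log line, and the symmetric-traffic assumption are all constructed): the check fires on the first maintenance pass after the 7/8 soft limit is crossed, so the counter can run past it by at most one check interval of traffic. Checking every second versus every 15 seconds shows the difference.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical usage counters, modelled on the aead_limit_send/recv
 * values in the log line above (not OpenVPN's real key_state fields). */
struct aead_usage {
    uint64_t soft_limit;   /* blocks after which renegotiation should fire */
    uint64_t blocks_sent;  /* AEAD blocks encrypted under the current key */
    uint64_t blocks_recv;  /* AEAD blocks decrypted under the current key */
};

/* Soft limit: 7/8 of the hard usage limit, as the message describes
 * (e.g. 10000 -> 8750). Dividing before multiplying avoids overflow
 * for the large real-world limit. */
uint64_t aead_soft_limit(uint64_t hard_limit)
{
    return hard_limit / 8 * 7;
}

/* The check a periodic TLS maintenance pass would run: either direction
 * reaching the soft limit is enough to ask for a new data key. */
bool should_trigger_renegotiation(const struct aead_usage *u)
{
    return u->blocks_sent >= u->soft_limit || u->blocks_recv >= u->soft_limit;
}

/* Simulate steady-state traffic where the check only runs every
 * check_interval_sec seconds. Returns the sent-block count at the moment
 * the trigger fires, so the caller can see how far past the soft limit
 * the counter got. Returns 0 if no traffic flows (nothing to rekey). */
uint64_t simulate_rekey_point(uint64_t hard_limit, uint64_t blocks_per_sec,
                              unsigned check_interval_sec)
{
    if (blocks_per_sec == 0)
        return 0;
    if (check_interval_sec == 0)
        check_interval_sec = 1;
    struct aead_usage u = { aead_soft_limit(hard_limit), 0, 0 };
    for (;;) {
        /* Assumed symmetric traffic: recv grows at the same rate as send. */
        u.blocks_sent += blocks_per_sec * check_interval_sec;
        u.blocks_recv += blocks_per_sec * check_interval_sec;
        if (should_trigger_renegotiation(&u))
            return u.blocks_sent;
    }
}

/* Worst-case overshoot past the soft limit: one full check interval of traffic.
 * This is the bound that makes the real limit safe: the margin between 7/8
 * and the hard limit must exceed what one interval can encrypt. */
uint64_t max_overshoot(uint64_t blocks_per_sec, unsigned check_interval_sec)
{
    return blocks_per_sec * check_interval_sec;
}

int main(void)
{
    /* Constructed rate: ~550 blocks/s, close to 50100 blocks in 91 s from the log. */
    uint64_t rate = 550;
    uint64_t at_15s = simulate_rekey_point(10000, rate, 15);
    uint64_t at_1s  = simulate_rekey_point(10000, rate, 1);
    printf("soft limit 8750: trigger at %llu blocks (15 s checks) vs %llu (1 s checks)\n",
           (unsigned long long)at_15s, (unsigned long long)at_1s);
    printf("max overshoot with 15 s checks at this rate: %llu blocks\n",
           (unsigned long long)max_overshoot(rate, 15));
    return 0;
}
```

With the test limit of 10000 the 15 s schedule lets the counter reach 16500 before the soft limit of 8750 is noticed, while a 1 s schedule stops at 8800; the overshoot is always bounded by `blocks_per_sec * check_interval_sec`, which is why the margin between 7/8 of the real limit and the limit itself is what matters, not the polling cadence alone.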