So, I tested this as instructed, setting a ridiculously low limit
(10000), and "it does rekey often". There is one interesting aspect
to it
2024-12-21 23:04:19 TLS: soft reset sec=91/3600 bytes=1043562/-1 pkts=6886/0
aead_limit_send=50100/8750 aead_limit_recv=6886/8750
.. with this low limit, we can exceed the limit by quite some marging
- which is due to "tls_process()" only being called every 15-16 seconds
when in steady state (this is what checks should_trigger_renegotiation()),
so "what happens in these 15 seconds" can go over the limit. Which is not
a problem for the normal limit (~68719476736 *7/8, so roughly 8589934592
AEAD blocks in 15 seconds - we're fast, but not that fast).
Besides this, the code does nothing unexpected - it passes all client/server
side tests, and changes nothing in process behaviour. So ACK from me,
on top of the "crypto looks good" +1 from MaxF and Steffan.
Your patch has been applied to the master branch.
commit fb691d2dcc63a29dafdf11ca33837c758e2b13b7
Author: Arne Schwabe
Date: Sat Dec 21 16:37:30 2024 +0100
Trigger renegotiation of data key if getting close to the AEAD usage limit
Signed-off-by: Arne Schwabe <a...@rfc2549.org>
Acked-by: Gert Doering <g...@greenie.muc.de>
Message-Id: <20241221153731.1755-1-g...@greenie.muc.de>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30144.html
Signed-off-by: Gert Doering <g...@greenie.muc.de>
--
kind regards,
Gert Doering
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
