
On 07/08/14 00:37, Jason Haar wrote:
> On 07/08/14 00:12, David Sommerseth wrote:
>> What is CPU intensive is when asymmetric encryption comes into
>> play, with the key exchanges and other negotiations etc.
> 
> I sooo have to agree with that. Back in the day I could notice even
> with only TWO clients how openvpn would completely HANG during key
> renegotiation! i.e. I'd be SSH-ed into some work server via openvpn,
> happily typing away, the second client would connect and WHAM!
> total freeze for 5+ seconds.
> 
> Which is why I changed our reneg-sec from 3600 to 36000 (i.e. ten
> hours). If we had 100 simultaneous clients, I'd even think of
> increasing that yet again. The theoretical risk of someone actually
> brute forcing a key in that time window is still nearly infinitely
> less than the actual impact of key renegotiation on openvpn.

If --reneg-sec is an issue, I'd probably recommend turning it off
completely (set it to 0) and enabling --reneg-bytes and/or
--reneg-pkts instead.  It is hopefully less likely that many clients
transfer the same amount of data over the tunnel in approximately the
same time window.


-- 
kind regards,

David Sommerseth
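The two approaches discussed above, as an added configuration example side by side (this is not from the thread or from the OpenVPN project; the byte and packet thresholds are assumed values chosen for illustration, not recommendations from either poster):

```conf
# Before: time-based renegotiation only, the setting Jason describes.
# Every client rekeys its data channel on a timer. Clients that connected
# at roughly the same time hit the timer at roughly the same time, so the
# asymmetric work of the TLS renegotiations lands on the server in bursts.
# (The OpenVPN default is 3600 seconds.)
reneg-sec 36000

# After: David's suggestion, volume-based renegotiation.
# reneg-sec 0 disables the timer entirely; the key is then renegotiated
# when the byte or packet threshold is reached, whichever comes first.
# Clients reach a traffic threshold at different moments, which spreads
# the renegotiation load instead of synchronising it.
reneg-sec 0
# ~1 GiB sent or received over the tunnel (assumed value)
reneg-bytes 1073741824
# or 1,000,000 packets (assumed value)
reneg-pkts 1000000
```

Two practical caveats: renegotiation is triggered by whichever side reaches its own threshold first, so the settings belong in both the server and the client configuration, otherwise the other side's default reneg-sec 3600 still fires on the old schedule. And with reneg-sec 0 a nearly idle tunnel may never rekey at all, so choose byte and packet limits with the actual traffic volume of the clients in mind. OpenVPN 2.4 and later also enforce a 64 MB reneg-bytes limit on their own when a 64-bit block cipher such as BF-CBC is in use, regardless of these settings.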

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
