[Openvpn-devel] [PATCH applied] Re: Send AUTH_FAILED message to clients on renegotiation failures

2020-11-26 Thread Gert Doering
Acked-by: Gert Doering I actually have a test case for this... - auth-gen-token 600 - reneg-sec 30 - sync plugin-auth-pam then it will happily renegotiate every 30 seconds, and after 10 minutes it will "fail without noticing" - the server logs 2020-11-26 15:10:30 us=755319

[Openvpn-devel] [PATCH applied] Re: Rename DECRYPT_KEY_ENABLED to TLS_AUTHENTICATED

2020-11-26 Thread Gert Doering
Acked-by: Gert Doering code wise, this is just mechanical search-and-replace, so easily tested :-) - "understanding the code" wise this makes sense, and even brings in extra documentation! Your patch has been applied to the master branch. commit 3ac8e5923a12390f68aa901e04ab3204e326d243 Author:

[Openvpn-devel] [PATCH applied] Re: Clean up tls_authentication_status and document it

2020-11-26 Thread Gert Doering
Acked-by: Gert Doering This is not for the faint of heart... so I've exercised this on the server side test framework (which has various "fail auth" tests). The changes in push.c and ssl.c are self-explanatory, though I wonder why you didn't go for an "early exit if (!multi)" in

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-11-26 Thread Arne Schwabe
On 26.11.20 at 10:41, Tony He wrote: > Hi Arne, > >>Since the original thread was not on the mailing list I am missing your >>goal but if your crypto accelerator already works with OpenSSL, then it >>will also work with the "normal" OpenVPN > > Yes, it works with "normal" OpenVPN (OpenVPN2), but

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-11-26 Thread Gert Doering
Hi, On Thu, Nov 26, 2020 at 05:04:45PM +0800, Tony He wrote: > Because there is HW crypto engine in some embedded devices, the crypto > engine maybe only supports hmac-sha256-cbc-aes. OK, I was not aware that there is such special-case hardware. Thanks for the explanation. Yes, in that case

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-11-26 Thread Tony He
Hi Arne, >Since the original thread was not on the mailing list I am missing your >goal but if your crypto accelerator already works with OpenSSL, then it >will also work with the "normal" OpenVPN Yes, it works with "normal" OpenVPN (OpenVPN2), but according to the test result, it's still not

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-11-26 Thread Arne Schwabe
On 26.11.20 at 01:46, Tony He wrote: >>OpenSSL directly talks to the crypto engine via a proprietary interface >>that the FW/driver exposes to userspace. The *data* flow does not cross >>the linux kernel crypto API > > No, OpenSSL doesn't directly talk to the crypto engine via a > proprietary

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-11-26 Thread Tony He
Hi Gert, Because there is HW crypto engine in some embedded devices, the crypto engine maybe only supports hmac-sha256-cbc-aes. Tony On Thursday, November 26, 2020 at 4:56 PM, Gert Doering wrote: > Hi, > > On Thu, Nov 26, 2020 at 04:53:14PM +0800, Tony He wrote: > > Understood. We have discussed this in the OpenWRT

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-11-26 Thread Gert Doering
Hi, On Thu, Nov 26, 2020 at 04:53:14PM +0800, Tony He wrote: > Understood. We have discussed this in the OpenWRT forum. Maybe some kind > OpenWRT guys will implement aead hmac-sha256-cbc-aes > for ovpn-dco module in the future. Why? If you do AES in the first place, all numbers I have seen so

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-11-26 Thread Tony He
Hi Antonio, Understood. We have discussed this in the OpenWRT forum. Maybe some kind OpenWRT guys will implement aead hmac-sha256-cbc-aes for ovpn-dco module in the future. https://forum.openwrt.org/t/ipq806x-nss-drivers/12613/2180?u=tony.he Tony On Thursday, November 26, 2020 at 3:49 PM, Antonio Quartulli wrote: >