On Sat, 4 Sep 2004, Doug Lytle wrote:

> Anthony,
>
> I use a script to re-key every morning, copy the new keys across the
> tunnel and restart.

You are sort of doing manually what SSL/TLS will do automatically. For example, if you ran OpenVPN in TLS mode and added --reneg-sec 86400, you would get a daily rekeying.

The only problem with your approach is that if you copy the new key over the old connection, i.e. if the new key is encrypted with the old key and then sent to the remote peer, you lose "Perfect Forward Secrecy". In other words, someone could conceivably derive your current key from your old key if they had recorded your prior encrypted communications.

If you use SSL/TLS mode or ssh to copy the keys, then you would have perfect forward secrecy.

James

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
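To make James's forward-secrecy point concrete, here is an added Python model (not from the thread and not OpenVPN code) of the copy-the-new-key-over-the-old-tunnel scheme: the cipher is a constructed SHA-256 counter-mode stand-in for the tunnel cipher, and the keys are constructed random values.

```python
"""Model of chained rekeying: each new key travels encrypted under the previous key."""
import hashlib
import os

NONCE_LEN = 12


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed stream cipher (SHA-256 in counter mode); a stand-in for the
    # tunnel cipher so the example runs offline, not something to deploy.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))


def rekey_over_tunnel(days: int, first_key: bytes):
    """The scheme under discussion: every morning the new key is sent to the peer
    encrypted under the key currently in use.  Returns the per-day keys and the
    transcript of rekey messages an eavesdropper could have recorded."""
    keys = [first_key]
    transcript = []
    for _ in range(days):
        new_key = os.urandom(32)
        transcript.append(encrypt(keys[-1], new_key))
        keys.append(new_key)
    return keys, transcript


def recover_later_keys(compromised_day: int, compromised_key: bytes, transcript):
    """Why forward secrecy is lost: whoever learns one day's key and holds the
    recorded transcript can decrypt each later rekey message in turn, so every
    subsequent key (and the traffic under it) falls out of the chain."""
    recovered = [compromised_key]
    for msg in transcript[compromised_day:]:
        recovered.append(decrypt(recovered[-1], msg))
    return recovered
```

With TLS-mode renegotiation (or keys copied over ssh) each key is agreed afresh, so the recorded tunnel transcript carries no key encrypted under an earlier key and there is no chain for recover_later_keys to follow.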