
Re: [Openvpn-users] TLS: tls_process, killed expiring key - What does this mean?


  • Subject: Re: [Openvpn-users] TLS: tls_process, killed expiring key - What does this mean?
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Tue, 10 Jul 2007 14:27:20 -0500
  • Openpgp: id=2E5A5127

Jacob Graham wrote:
I am currently running OpenVPN with a distributed program. After running for a certain amount of time, it will print the message

"TLS: tls_process, killed expiring key"

After this message is sent, it causes erroneous behavior. I am having difficulty finding out exactly what this message means. The certificate keys that I am using expire in the year 2017, so it can't possibly be that OpenVPN thinks that they have expired. I did some research with Google and found some information regarding "lame duck" keys (expiring keys). It would appear that OpenVPN creates session keys that it will 'renegotiate' after some specified amount of time. If that is the case, and if these keys expire, does this cause OpenVPN to restart?

OpenVPN uses asymmetric Public Key Encryption (the private key and certificates) to establish a session, and then negotiates a static key between hosts for tunnel encryption.  This static key is used because symmetric encryption is much faster.  By default, OpenVPN will renegotiate the static key every 60 minutes, although you can change the frequency by using the 3 --reneg-* options.  When a renegotiation occurs you will see the message you described above in your logs.

However, the renegotiation doesn't cause OpenVPN to restart; data can still be sent during the negotiation process, and the old key is still valid for a default of 60 minutes, which can be changed with the --tran-window option.

If you're changing the effective user or group of OpenVPN, it might be that the unprivileged account can't read the private key or certificate.  If this is the case you should see an error in your logs indicating that the key can't be opened for reading.
-- 
Josh

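As an added example (not part of the original thread and not OpenVPN's own code), the following Python script reads the renegotiation-related options out of an OpenVPN config and derives the session-key timeline the reply above describes: a fresh key is negotiated after reneg-sec, the old key carries on as a lame duck for tran-window seconds, and only then is it killed. The two config texts are constructed for the example; the option names are OpenVPN's, and the defaults (reneg-sec 3600, tran-window 3600, reneg-bytes and reneg-pkts 0 = disabled) are taken from the reply and the OpenVPN manual of that era, so newer releases may differ. The assumption that the lower reneg-sec of the two peers governs (either peer may initiate the renegotiation) is mine.

```python
"""Added example: read OpenVPN's key-renegotiation options from a config
and derive the session-key timeline described in the reply.

Not OpenVPN code and not part of the original thread. Option names are
OpenVPN's; the defaults below (reneg-sec 3600, tran-window 3600, byte and
packet triggers off) follow the reply and the OpenVPN manual.
"""

# Defaults assumed here; newer OpenVPN releases may change them.
DEFAULTS = {
    "reneg-sec": 3600,    # renegotiate after this many seconds (0 = off)
    "reneg-bytes": 0,     # ... or after this many bytes (0 = off)
    "reneg-pkts": 0,      # ... or after this many packets (0 = off)
    "tran-window": 3600,  # old key stays usable this long after renegotiation starts
}

# Constructed sample configs (not from the original post).
CLIENT_CONF = """\
client
dev tun
proto udp
remote vpn.example.org 1194   # hypothetical server
; renegotiate the data-channel key every 30 minutes
reneg-sec 1800
# keep the lame-duck key for 10 minutes, not the default hour
tran-window 600
"""

SERVER_CONF = """\
port 1194
dev tun
server 10.8.0.0 255.255.255.0
# no reneg-* or tran-window lines: OpenVPN defaults apply
"""


def parse_reneg_options(config_text):
    """Return the four renegotiation options, with defaults filled in.

    OpenVPN config lines are "option arg ..."; '#' or ';' start a comment.
    Only the options relevant to renegotiation are extracted.
    """
    opts = dict(DEFAULTS)
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        # drop an inline comment, e.g. "remote host 1194   # note"
        for marker in ("#", ";"):
            if f" {marker}" in line:
                line = line.split(f" {marker}", 1)[0].rstrip()
        parts = line.split()
        name = parts[0].lstrip("-")          # tolerate "--reneg-sec 60" style
        if name in opts and len(parts) >= 2:
            opts[name] = int(parts[1])
    return opts


def effective_reneg_sec(peer_a, peer_b):
    """Either peer may start a renegotiation, so the shorter non-zero
    reneg-sec of the two decides how often it happens (assumption stated
    in the lead-in). 0 means neither side triggers on time."""
    values = [o["reneg-sec"] for o in (peer_a, peer_b) if o["reneg-sec"] > 0]
    return min(values) if values else 0


def key_timeline(opts, start=0):
    """Events for one session key negotiated at `start`, in seconds.

    At start + reneg-sec a fresh key is negotiated while the old one keeps
    carrying traffic; at start + reneg-sec + tran-window the old key is
    dropped, which is when the "killed expiring key" line is logged.
    An empty list means no time-based renegotiation is configured.
    """
    if opts["reneg-sec"] == 0:
        return []
    reneg_at = start + opts["reneg-sec"]
    killed_at = reneg_at + opts["tran-window"]
    return [(reneg_at, "renegotiation begins; new key negotiated"),
            (killed_at, "old key killed (expiring key message)")]


if __name__ == "__main__":
    client = parse_reneg_options(CLIENT_CONF)
    server = parse_reneg_options(SERVER_CONF)
    print("client:", client)
    print("server:", server)
    print("effective reneg-sec:", effective_reneg_sec(client, server))
    for t, what in key_timeline(client):
        print(f"t+{t:5d}s  {what}")
```

With the constructed client config the new key is negotiated 1800 s after the previous one and the lame-duck key is killed at 2400 s, so there is always at least one usable key; the client's 1800 s wins over the server's default 3600 s because whichever peer reaches its reneg-sec first starts the renegotiation.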