Jacob Graham wrote:
I am currently running OpenVPN with
a distributed program. After running for a certain amount of time, it
will print the message
"TLS: tls_process, killed expiring key"
After this message is sent, it causes erroneous behavior. I am having
difficulty finding out exactly what this message means. The certificate
keys that I am using expire in the year 2017, so it can't possibly be
that OpenVPN thinks that they have expired. I did some research with
Google and found some information regarding "lame duck" keys (expiring
keys). It would appear that OpenVPN creates session keys that it will
'renegotiate' after some specified amount of time. If that is the case,
and if these keys expire, does this cause OpenVPN to restart?
OpenVPN uses asymmetric Public Key Encryption (the private key and
certificates) to establish a session, and then negotiates a static key
between hosts for tunnel encryption. This static key is used because
symmetric encryption is much faster. By default, OpenVPN will
renegotiate the static key every 60 minutes, although you can change
the frequency by using the 3 --reneg-* options. When a renegotiation
occurs you will see the message you described above in your logs.
However, the renegotiation doesn't cause OpenVPN to restart; data can
still be sent during the negotiation process, and the old key is still
valid for a default of 60 minutes, which can be changed with the
--tran-window option.
If you're changing the effective user or group of OpenVPN, it might be
that the unprivileged account can't read the private key or
certificate. If this is the case you should see an error in your logs
indicating that the key can't be opened for reading.
--
Josh
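Since the "killed expiring key" message is only meaningful relative to the soft reset that replaced the key, one practical check is to pull both events out of the log and compare the observed timings with the configured --reneg-sec and --tran-window values. The script below is an added example, not code from the original thread or from the OpenVPN project. The log lines are constructed to look like OpenVPN's default log format (weekday, month, day, time, year, message); the "TLS: soft reset ..." wording is assumed to be the line OpenVPN logs when renegotiation starts, and the expiring-key line uses the exact text quoted in the question.

```python
"""Spot OpenVPN data-channel key renegotiations in a log and check them
against the expected --reneg-sec / --tran-window timings.

Added example; not OpenVPN's own code. SAMPLE_LOG is constructed for
this example and is not a log from the original post.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
Tue Jan 10 10:00:00 2006 Initialization Sequence Completed
Tue Jan 10 11:00:01 2006 TLS: soft reset sec=3600 bytes=0/0 pkts=0/0
Tue Jan 10 11:00:02 2006 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jan 10 12:00:03 2006 TLS: tls_process, killed expiring key
Tue Jan 10 12:00:04 2006 TLS: soft reset sec=3600 bytes=0/0 pkts=0/0
Tue Jan 10 13:00:05 2006 TLS: tls_process, killed expiring key
"""

TS_FORMAT = "%a %b %d %H:%M:%S %Y"
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (.*)$")

# Message fragments marking the two halves of one renegotiation
# (the soft-reset wording is an assumption for this example).
SOFT_RESET = "TLS: soft reset"           # new session keys being negotiated
KILLED_EXPIRING = "killed expiring key"  # lame-duck key finally discarded


def parse_events(log_text):
    """Return [(datetime, kind)] for soft-reset and key-kill lines, in order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), TS_FORMAT)
        msg = m.group(2)
        if SOFT_RESET in msg:
            events.append((ts, "soft_reset"))
        elif KILLED_EXPIRING in msg:
            events.append((ts, "killed_expiring"))
    return events


def renegotiation_intervals(events):
    """Seconds between consecutive soft resets: the observed --reneg-sec."""
    resets = [ts for ts, kind in events if kind == "soft_reset"]
    return [int((b - a).total_seconds()) for a, b in zip(resets, resets[1:])]


def lame_duck_lifetimes(events):
    """Seconds each old key survived after the soft reset that replaced it:
    the observed --tran-window."""
    lifetimes = []
    pending = None  # timestamp of the soft reset whose old key is still alive
    for ts, kind in events:
        if kind == "soft_reset":
            pending = ts
        elif kind == "killed_expiring" and pending is not None:
            lifetimes.append(int((ts - pending).total_seconds()))
            pending = None
    return lifetimes


def matches_config(observed, expected, tolerance=10):
    """True if every observed interval is within tolerance seconds of expected."""
    return all(abs(x - expected) <= tolerance for x in observed)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("renegotiation intervals (s):", renegotiation_intervals(ev))
    print("lame-duck lifetimes (s):", lame_duck_lifetimes(ev))
    print("reneg-sec 3600 consistent:", matches_config(renegotiation_intervals(ev), 3600))
    print("tran-window 3600 consistent:", matches_config(lame_duck_lifetimes(ev), 3600))
```

With the default 60-minute values for both options, each "killed expiring key" line lands roughly an hour after the soft reset that retired that key, which is also when the next soft reset is due, so the two messages appear close together. If the observed lame-duck lifetime is much shorter than the configured --tran-window, or traffic breaks at exactly that moment, the problem is in whatever the distributed program does across the key change rather than in the renegotiation itself.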