Tutorial: Change the TLS Session Renegotiation Interval

Abstract

How to change the timeframe for renegotiating a TLS session and encryption key for an OpenVPN session.

Overview

This tutorial shows you how to change the connection security refresh interval for TLS sessions using either the Admin Web UI or the command-line interface (CLI).

For security purposes, Access Server renegotiates the TLS session and encryption key used for an OpenVPN session at regular intervals. The server or client can trigger the renegotiation.

This renegotiation doesn't impact your Access Server end users because a valid session token is used as an authentication proxy/token.

As of Access Server 2.9.3, the renegotiation default value is 60 minutes (1 hour). Previous versions used 360 minutes (6 hours). When you upgrade Access Server from an older version, the renegotiation value stays the same.

Tip

Session expiration is tested during TLS renegotiation, which occurs automatically at the specified interval or when the connection is disrupted and reconnects. So, if you change the session token expiration, ensure you also change the TLS renegotiation interval, or the session may not expire at the moment you expect.

Prerequisites

  • An installed Access Server.

  • Admin Web UI access or console access with root privileges.

Using the Admin Web UI

  1. Sign in to the Admin Web UI.

  2. Click Configuration > Advanced VPN.

  3. Enter the new value under Connection Security Refresh.

    • You've changed the security refresh interval.

Important

The OpenVPN protocol also has a parameter that determines after how many bytes of traffic a key must be renegotiated; Access Server exposes no configuration key for it. For installations that still use BF-CBC, up-to-date OpenVPN client programs set this byte threshold to around 60 megabytes, so that not enough data can be gathered under a single key to exploit the known flaw in the BF-CBC encryption cipher. The resulting more frequent key refresh mitigates the vulnerability in the Blowfish (BF-CBC) cipher.

Using the CLI

  1. Connect to the console and get root privileges.

  2. Switch to the scripts directory:

    cd /usr/local/openvpn_as/scripts/

  3. Change the mid-session TLS renegotiation period (default 60 minutes):

    ./sacli --key "vpn.tls_refresh.interval" --value <MINUTES> ConfigPut
    ./sacli start

    • You've changed the security refresh interval.

    • Restore this value to default:

      ./sacli --key "vpn.tls_refresh.interval" --value "60" ConfigPut
      ./sacli start
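
As an added example that is not part of the Access Server tutorial or product, the following POSIX shell script wraps the sacli commands above, validates the interval, and reports when the chosen interval would delay session token expiry in the way the Tip describes. It assumes the session token expiration (in minutes) is supplied by the operator as a second argument; nothing is read from Access Server.

```shell
#!/bin/sh
# Added example (not Access Server code): wraps the documented sacli commands
# with input validation and checks the renegotiation interval against an
# operator-supplied session token expiration (assumption: second argument).
SACLI_DIR=/usr/local/openvpn_as/scripts

# A valid interval is a positive whole number of minutes.
validate_minutes() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -gt 0 ]
}

# Session expiration is only tested at TLS renegotiation, so the latest point
# at which an expired token is noticed is the next renegotiation boundary:
# the expiration rounded up to a multiple of the renegotiation interval.
effective_expiry() { # args: token_expire_minutes reneg_interval_minutes
  echo $(( ($1 + $2 - 1) / $2 * $2 ))
}

# Succeeds when a renegotiation lands exactly on the token expiration, i.e.
# the chosen interval does not delay session expiry.
interval_aligned() { # args: token_expire_minutes reneg_interval_minutes
  [ "$(effective_expiry "$1" "$2")" -eq "$1" ]
}

# Applies the interval with the same commands as the tutorial.
apply_interval() { # arg: reneg_interval_minutes
  validate_minutes "$1" || { echo "interval must be a positive integer (minutes)" >&2; return 2; }
  cd "$SACLI_DIR" || return 1
  ./sacli --key "vpn.tls_refresh.interval" --value "$1" ConfigPut
  ./sacli start
}

main() { # usage: tls_refresh.sh <MINUTES> [<TOKEN_EXPIRE_MINUTES>]
  validate_minutes "$1" || { echo "usage: $0 <MINUTES> [<TOKEN_EXPIRE_MINUTES>]" >&2; exit 2; }
  if [ -n "$2" ] && validate_minutes "$2" && ! interval_aligned "$2" "$1"; then
    echo "warning: a $2-minute token may survive until minute $(effective_expiry "$2" "$1")" >&2
  fi
  apply_interval "$1"
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

For example, a 45-minute token expiration combined with the 60-minute default interval is reported as surviving until minute 60, whereas 120 minutes with a 60-minute interval passes the alignment check.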
