openvpn: TLS: tls_process: killed expiring key
时间:12-10-24 栏目:技术 作者:liva 评论:0 点击: 6,122 次
In SSL/TLS mode, an SSL session is established with bidirectional authentication (i.e. each side of the connection must present its own certificate). If the SSL/TLS authentication succeeds, encryption/decryption and HMAC key source material is then randomly generated by OpenSSL's RAND_bytes function and exchanged over the SSL/TLS connection. Both sides of the connection contribute random source material. This mode never uses any key bidirectionally, so each peer has a distinct send HMAC, receive HMAC, packet encrypt, and packet decrypt key. If --key-method 2 is used, the actual keys are generated from the random source material using the TLS PRF function. If --key-method 1 is used, the keys are generated directly from the OpenSSL RAND_bytes function. --key-method 2 was introduced with OpenVPN 1.5.0 and will be made the default in OpenVPN 2.0.
During SSL/TLS rekeying, there is a transition-window parameter that permits overlap between old and new key usage, so there is no time pressure or latency bottleneck during SSL/TLS renegotiations.
OpenVPN uses asymmetric Public Key Encryption (the private key and certificates) to establish a session, and then negotiates a static key between hosts for tunnel encryption. This static key is used because symmetric encryption is much faster. By default, OpenVPN will renegotiate the static key every 60 minutes, although you can change the frequency by using the 3 –reneg-* options. When a renegotiation occurs you will see the message you described above in your logs.
However, the renegotiation doesn’t cause OpenVPN to restart; data can still be sent during the negotiation process, and the old key is still valid for a default of 60 minutes and can be changed with the –tran-window option.