k83mIbgZ Posted ...

Hi,

A question regarding TLS key renegotiation. Using openvpn on linux. I think I am supposed to see in the openvpn log something like:

Renewing TLS
TLS: tls_process killed expiring key
TLS: soft reset sec=0 bytes=xxxx pkts=xxxx

However, I have not seen all three together in my openvpn log. I rarely see two ("killed expiring key" and "soft reset"). Most of the time I see a "soft reset" or *nothing* indicating a TLS rekey. This happens regardless of server (US).

Examples:

Tue Jun 28 23:16:27 2016 us=166743 Initialization Sequence Completed
Wed Jun 29 00:16:19 2016 us=557377 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Wed Jun 29 00:16:19 2016 us=557939 Validating certificate key usage

Fri Jun 24 19:30:55 2016 us=581623 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384 4096 bit RSA
Fri Jun 24 20:30:55 2016 us=364411 TLS: soft reset sec=0 bytes=807401/0 pkts=2222/0
Fri Jun 24 20:30:55 2016 us=548921 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Fri Jun 24 20:30:55 2016 us=549857 Validating certificate key usage

TLS rekeying (?) is at 00:16:19 in the first example and at 20:30:55 in the second. Thanks for any input.
OpenSourcerer Posted ...

If OpenVPN posts this info, a new key is active:

Wed Jun 29 15:51:23 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Jun 29 15:51:23 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 29 15:51:23 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Jun 29 15:51:23 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 29 15:51:23 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
k83mIbgZ Posted ...

Thank you for replying, giganerd. I can verify that I see this during the TLS renegotiation:

Wed Jun 29 00:16:19 2016 us=951324 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Jun 29 00:16:19 2016 us=951355 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 29 00:16:19 2016 us=951362 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Jun 29 00:16:19 2016 us=951368 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 29 00:16:19 2016 us=951413 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA

I was curious if I was receiving a *new* TLS key rather than a check on the current key. Thanks for confirming that it is more than likely a new key. :-)
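As an added illustration (not code from the thread or from OpenVPN itself), a small Python parser that applies the indicator OpenSourcerer describes to a client log: every "Data Channel Encrypt: Cipher ... initialized" line counts as a new data-channel key, the interval since the previous key is checked against an assumed renegotiation interval of 3600 s, and the "soft reset" / "killed expiring key" notices seen since the last key are recorded, so a rekey that arrives without those notices (the situation in the original question) is still counted. The sample log below is constructed; the message texts are the OpenVPN strings quoted in the posts.

```python
import re
from datetime import datetime, timedelta

# Constructed sample OpenVPN client log (not from the thread); the message
# texts are the real OpenVPN strings quoted in the posts above.
SAMPLE_LOG = """\
Fri Jun 24 19:30:55 2016 us=500000 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Jun 24 19:30:55 2016 us=500010 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Jun 24 19:30:55 2016 us=600000 Initialization Sequence Completed
Fri Jun 24 20:30:55 2016 us=364411 TLS: soft reset sec=0 bytes=807401/0 pkts=2222/0
Fri Jun 24 20:30:55 2016 us=548921 Validating certificate key usage
Fri Jun 24 20:30:55 2016 us=951324 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Jun 24 20:30:55 2016 us=951362 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Jun 24 21:30:56 2016 us=100000 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Jun 24 21:30:56 2016 us=100050 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
"""

# OpenVPN's default timestamp, optionally followed by the microsecond "us=" field seen above.
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})(?: us=(\d+))? (.*)$")

def parse_line(line):
    """Return (timestamp, message), or None for lines without a timestamp."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
    if m.group(2):
        ts += timedelta(microseconds=int(m.group(2)))
    return ts, m.group(3)

def rekey_report(log_text, expected_sec=3600, tolerance_sec=60):
    """One entry per data-channel key installed after the first: the interval
    since the previous key, which TLS notices preceded it, and whether the
    interval is within tolerance_sec of expected_sec (assumed reneg interval)."""
    events, prev_key, notices = [], None, []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        if msg.startswith(("TLS: soft reset", "TLS: tls_process killed expiring key")):
            notices.append(msg.split(" sec=")[0])
        elif msg.startswith("Data Channel Encrypt: Cipher") and "initialized" in msg:
            # The Encrypt line marks the new key; its Decrypt twin is not counted again.
            if prev_key is not None:
                gap = (ts - prev_key).total_seconds()
                events.append({"at": ts, "interval_sec": gap, "notices": notices,
                               "on_schedule": abs(gap - expected_sec) <= tolerance_sec})
            prev_key, notices = ts, []
    return events
```

Run it on a real client log with rekey_report(open(path).read()); an entry whose "notices" list is empty is a rekey that produced no "soft reset" line on this side, which is exactly what the original question observed.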