tattoo67

TLS: tls_process: killed expiring key

Hello,

I am a new subscriber to the AIRVPN Client and am still learning how to use it correctly. So please do excuse me if the following question might sound stupid, as I am no computer geek. But I did notice that every time I connect through the AIRVPN Client, exactly one hour after connecting and then every 60 minutes after that, I get the following messages:

26/09/2012 - 7:47 PM TLS: tls_process: killed expiring key

26/09/2012 - 7:47 PM VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org

26/09/2012 - 7:47 PM VERIFY OK: nsCertType=SERVER

26/09/2012 - 7:47 PM VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org

26/09/2012 - 7:47 PM Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

26/09/2012 - 7:47 PM Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

26/09/2012 - 7:47 PM Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

26/09/2012 - 7:47 PM Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

26/09/2012 - 7:47 PM Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

26/09/2012 - 8:47 PM TLS: tls_process: killed expiring key

26/09/2012 - 8:47 PM TLS: soft reset sec=0 bytes=972470075/0 pkts=975664/0

26/09/2012 - 8:47 PM VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org

26/09/2012 - 8:47 PM VERIFY OK: nsCertType=SERVER

26/09/2012 - 8:47 PM VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org

26/09/2012 - 8:47 PM Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

26/09/2012 - 8:47 PM Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

26/09/2012 - 8:47 PM Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

26/09/2012 - 8:47 PM Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

26/09/2012 - 8:47 PM Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

Does the message "TLS: tls_process: killed expiring key", followed by "TLS: soft reset…", mean that every 60 minutes I briefly lose the VPN connection (with the risk of my real IP leaking for a very short time)? Or do I not have to worry about these messages repeating every hour?

Thanks for your help and clarification and please excuse me if my question is (maybe) stupid.

Best regards.


Hello!

Your question is not stupid at all; on the contrary, it underlines one of OpenVPN's excellent security features.

In SSL/TLS mode, an SSL session is established with bidirectional authentication (i.e. each side of the connection must present its own certificate). If the SSL/TLS authentication succeeds, encryption/decryption and HMAC key source material is then randomly generated by OpenSSL's RAND_bytes function and exchanged over the SSL/TLS connection. Both sides of the connection contribute random source material. This mode never uses any key bidirectionally, so each peer has a distinct send HMAC, receive HMAC, packet encrypt, and packet decrypt key. If --key-method 2 is used, the actual keys are generated from the random source material using the TLS PRF function. If --key-method 1 is used, the keys are generated directly from the OpenSSL RAND_bytes function. --key-method 2 was introduced with OpenVPN 1.5.0 and will be made the default in OpenVPN 2.0.

During SSL/TLS rekeying, there is a transition-window parameter that permits overlap between old and new key usage, so there is no time pressure or latency bottleneck during SSL/TLS renegotiations.

http://openvpn.net/index.php/open-source/documentation/security-overview.html

Kind regards


Thanks so much for your response and feedback.

So I guess I do not need to worry about it.

I am really happy and impressed by the quality of AIRVPN and its service as well as customer services... including email responses.

I am glad I have chosen to subscribe to AIRVPN, knowing that there are so many companies out there now who offer OPENVPN. I have done a lot of research and scrutinizing, but I think I am on the right path with AIRVPN.

Thanks.


I have the same problem. Only, if "tls_process: killed expiring key" happens during a Skype call, I lose the call and cannot get it back!

Is there any way to prevent this from happening?


Hello,

as already quoted, "During SSL/TLS rekeying, there is a transition-window parameter that permits overlap between old and new key usage, so there is no time pressure or latency bottleneck during SSL/TLS renegotiations."

By the way, you can use the reneg-sec directive (default is 3600 seconds) to disable it (not recommended).

https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage

--reneg-sec n Renegotiate data channel key after n seconds (default=3600).

When using dual-factor authentication, note that this default value may cause the end user to be challenged to reauthorize once per hour.

Also, keep in mind that this option can be used on both the client and server, and whichever uses the lower value will be the one to trigger the renegotiation. A common mistake is to set --reneg-sec to a higher value on either the client or server, while the other side of the connection is still using the default value of 3600 seconds, meaning that the renegotiation will still occur once per 3600 seconds. The solution is to increase --reneg-sec on both the client and server, or set it to 0 on one side of the connection (to disable), and to your chosen value on the other side.

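Two checks a practitioner would want after reading this thread, written as an added example (not code from the thread, AirVPN or OpenVPN): measure the interval between "killed expiring key" events in the client log quoted above, and compute which side's --reneg-sec actually fires given the rule from the man page excerpt (the lower non-zero value wins, 0 disables that side's timer). The sample log is a constructed subset of the lines from the first post.

```python
import re
from datetime import datetime

# Matches the AirVPN client log format shown in the thread:
# "dd/mm/yyyy - h:mm AM/PM message"
LOG_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}) - (\d{1,2}:\d{2} [AP]M) (.*)$")

# Constructed sample: a subset of the lines quoted in the first post.
SAMPLE_LOG = """\
26/09/2012 - 7:47 PM TLS: tls_process: killed expiring key
26/09/2012 - 7:47 PM VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
26/09/2012 - 7:47 PM Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
26/09/2012 - 8:47 PM TLS: tls_process: killed expiring key
26/09/2012 - 8:47 PM TLS: soft reset sec=0 bytes=972470075/0 pkts=975664/0
26/09/2012 - 8:47 PM Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
"""


def rekey_times(log_text):
    """Return the timestamp of every 'killed expiring key' event, in log order."""
    times = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and "killed expiring key" in m.group(3):
            stamp = f"{m.group(1)} {m.group(2)}"
            times.append(datetime.strptime(stamp, "%d/%m/%Y %I:%M %p"))
    return times


def rekey_intervals_sec(log_text):
    """Seconds between consecutive rekeys; a healthy tunnel shows the effective --reneg-sec."""
    t = rekey_times(log_text)
    return [int((later - earlier).total_seconds()) for earlier, later in zip(t, t[1:])]


def effective_reneg_sec(client, server):
    """Interval at which the data-channel renegotiation actually fires.

    Each peer runs its own timer (0 = that side's timer disabled) and whichever
    expires first triggers the renegotiation, so raising only one side changes nothing.
    """
    active = [v for v in (client, server) if v > 0]
    return min(active) if active else 0


if __name__ == "__main__":
    print("rekey intervals (s):", rekey_intervals_sec(SAMPLE_LOG))
    print("client 7200 / server 3600 ->", effective_reneg_sec(7200, 3600))
```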
