Hi,

there was a big discussion on the IRC channel today about interactions
between "--chroot" and "--persist-key" and how and when stuff is reloaded
or not.

Now, we all seem to agree that OpenVPN has way too many obscure options,
so I propose to get rid of another one, namely --persist-key - and I
suggest to make it permanently-active ("load the keys at startup, and
then do not touch these files again").

Unless someone explains to me in simple words what the benefit is of
reloading the keys on every new outbound connection...  yes, you *could*
put in a new key/cert/CA set while OpenVPN is active, and then trigger
a SIGUSR1 restart, having it "seamlessly" move to new credentials...

But...

How many of you do that?  Instead of just calling "service openvpn restart"?

I do not use --persist-key, but I still restart my services after fiddling
with configs...

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
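As an added illustration, not part of Gert's mail, of the --chroot / --persist-key interaction the thread was about: a constructed server-side config fragment (all paths are placeholders) showing why the option exists in the first place.

```conf
# Constructed example, not from the OpenVPN project or this mail.
# All paths below are placeholders.

chroot /var/empty/openvpn     # after startup, all paths resolve inside this dir
user   nobody                 # root privileges are dropped after startup
group  nogroup

ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key  # normally readable by root only

# Without persist-key, a SIGUSR1 restart (also a --ping-restart) re-reads
# the three files above. By then the process is chrooted and unprivileged,
# so the files are unreachable and the restart fails.
# With persist-key the material loaded at startup is kept in memory and
# the files are never touched again, which is the "load once, never
# re-read" behaviour the mail proposes to make permanent.
persist-key

# Same idea for the tun device: keep it open across restarts instead of
# trying to re-create it without privileges.
persist-tun
```

The weak variant is the same fragment with the two persist-* lines removed: it starts fine, but the first SIGUSR1 restart cannot re-open the key files.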


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
