Hi,

On Tue, Nov 01, 2016 at 08:06:47PM +0100, Steffan Karger wrote:
> As reported by debbie10t on the openvpn-devel list (Message-ID:
> <326b8ff7-39a6-1974-c0b0-82fd2abdc...@gmail.com>), an NCP client will
> attempt to reconnect with the previously pushed cipher, instead of the
> cipher from the config file, after a sigusr1 restart. This can be a
> problem when the server is reconfigured (as debbie10t explained), or when
> roaming to a differently-configured server. Fix this by restoring the
> cipher options from the config file after a sigusr1 restart.
>
> This makes the cipher options behaviour different from other pushable
> options, because those are also cached until a sighup restart. We might
> want to change this behaviour in general, but for now let's just fix the
> issue at hand.
>
> v2: also cache and restore keysize, as that parameter is relevant too.
> v3: inherit cached cipher options from parent context.
[..]
ACK. After extensive discussion on #openvpn-devel - the code looks quite harmless, but now I think I understand the flow of things and when and why the SSL/TLS context is re-used on client and server, and what happens if it is *not* re-used (client re-inits from config file, server re-inits from global context which still has the config-file settings).

David, since you currently hold the "not fully pushed" tree (due to sf), can you please merge?

gert
--
USENET is *not* the non-clickable part of WWW!                     //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
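To make the restart semantics in the patch description concrete, here is a small constructed model of the client side, added here as an illustration; it is not OpenVPN's code and the struct and function names (`struct context`, `apply_push`, `restart_sigusr1`, ...) are assumptions. It only keeps the semantics the thread describes: a pushed cipher and keysize replace the config-file values, a SIGUSR1 restart keeps pushed options but (with the fix) takes the cipher options from the cached config-file values again, and a SIGHUP restart re-reads everything from the config file. The cipher names and the pushed route are constructed sample input.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the client-side option handling discussed in the
 * thread.  Added illustration, not OpenVPN's own code: the struct and
 * function names are assumptions; only the semantics (pushed cipher vs.
 * config-file cipher, SIGUSR1 vs. SIGHUP restart) follow the patch
 * description. */

#define NAMELEN 32

struct options {
    char ciphername[NAMELEN]; /* --cipher, replaced by an NCP push */
    int  keysize;             /* --keysize, likewise pushable (v2 of the patch) */
    char route[NAMELEN];      /* stand-in for any other pushable option */
};

struct context {
    struct options live;        /* options the next connection attempt will use */
    struct options config;      /* as parsed from the config file, cached */
    int restore_cipher_on_usr1; /* 0: behaviour before the fix, 1: after */
};

static void parse_config(struct context *c, const char *cipher, int keysize, int patched)
{
    memset(c, 0, sizeof *c);
    snprintf(c->config.ciphername, NAMELEN, "%s", cipher);
    c->config.keysize = keysize;
    c->restore_cipher_on_usr1 = patched;
    c->live = c->config;
}

/* PUSH_REPLY from the server: NCP replaces cipher and keysize; other
 * pushed options (here: a route) are applied as well. */
static void apply_push(struct context *c, const char *cipher, int keysize, const char *route)
{
    snprintf(c->live.ciphername, NAMELEN, "%s", cipher);
    c->live.keysize = keysize;
    snprintf(c->live.route, NAMELEN, "%s", route);
}

/* SIGUSR1: soft restart.  Pushed options are kept for the reconnect;
 * with the fix, the cipher options alone are taken from the cached
 * config-file values again. */
static void restart_sigusr1(struct context *c)
{
    if (c->restore_cipher_on_usr1) {
        snprintf(c->live.ciphername, NAMELEN, "%s", c->config.ciphername);
        c->live.keysize = c->config.keysize;
    }
}

/* SIGHUP: hard restart, all options come from the config file again. */
static void restart_sighup(struct context *c)
{
    c->live = c->config;
}

/* The scenario from the thread: config cipher, server pushes a different
 * one, then SIGUSR1 (server reconfigured, or client roamed).
 * Returns 1 if the reconnect would offer the config-file cipher. */
static int reconnect_uses_config_cipher(int patched)
{
    struct context c;
    parse_config(&c, "BF-CBC", 128, patched);
    apply_push(&c, "AES-256-GCM", 256, "10.8.0.0/24");
    restart_sigusr1(&c);
    return strcmp(c.live.ciphername, c.config.ciphername) == 0
        && c.live.keysize == c.config.keysize;
}

/* The fix is deliberately narrow: a pushed route still survives SIGUSR1
 * (only SIGHUP drops it), patched or not. */
static int route_kept_after(int sighup, int patched)
{
    struct context c;
    parse_config(&c, "BF-CBC", 128, patched);
    apply_push(&c, "AES-256-GCM", 256, "10.8.0.0/24");
    if (sighup)
        restart_sighup(&c);
    else
        restart_sigusr1(&c);
    return c.live.route[0] != '\0';
}

int main(void)
{
    printf("unpatched, SIGUSR1: config cipher offered = %d\n", reconnect_uses_config_cipher(0));
    printf("patched,   SIGUSR1: config cipher offered = %d\n", reconnect_uses_config_cipher(1));
    printf("patched,   SIGUSR1: pushed route kept     = %d\n", route_kept_after(0, 1));
    printf("patched,   SIGHUP : pushed route kept     = %d\n", route_kept_after(1, 1));
    return 0;
}
```

The unpatched run reproduces the reported problem: after SIGUSR1 the client still offers the pushed cipher, so a reconfigured or different server that does not expect it rejects the reconnect. The patched run offers the config-file cipher again, while the pushed route shows that other pushable options are untouched by the fix and only go away on SIGHUP, which is the inconsistency the patch description points out.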
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel