Hi,

On 01-01-18 13:56, Antonio Quartulli wrote:
> On 01/01/18 20:30, Steffan Karger wrote:
> 
> [CUT]
> 
>>
>> Note the '5 seconds' reconnect loop, which is the same as what current
>> released openvpn would do in response to an alert.  So if we change our
>> servers to send alerts, they will experience quite a bit more load from
>> clients attempting to reconnect.  We can make newer clients use some
>> exponential back-off, but older clients will be around for quite a while.
>>
> 
> If we really go this way, we could even have the client "understand" the
> alert and stop retrying if the error is permanent (i.e. certificate
> revoked).

Yeah, it might make sense to treat specific alerts differently.

> However, are we sure we're not going to introduce surface for DoS
> attacks by opening this hole for unauthorized clients?
> Basically anybody with a revoked certificate is now able to trigger some
> kind of logic on the server side (this is how I understand it).
> 
> Consider that obtaining a revoked certificate is not that difficult
> (i.e. VPN providers granting free periods normally do that by issuing
> and revoking a new cert).

Yes, this increases DoS attack surface too.  Not sure if there is a
viable way that's more efficient than simply opening many new
connections and trying to exhaust our connection limits though.  In any
case, it will be "no worse than plain TLS", for whatever that's worth ;-)

To be perfectly clear: I'm not advocating this change.  But user
experience / error reporting is a regularly recurring topic, so I found
it useful to take some time to spell out what allowing TLS alerts would
look like.

-Steffan
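To make the load argument in the thread concrete, here is an added simulation (written for this page, not OpenVPN's own code) that compares the fixed 5 second reconnect loop against a capped exponential back-off, and shows the effect of a client that stops retrying on alerts it treats as permanent. The alert numbers are the TLS alert descriptions from RFC 5246; which of them count as "permanent" is an assumption made here for illustration, as are the back-off base, cap and jitter values.

```python
import random

# TLS alert descriptions (RFC 5246, section 7.2).
HANDSHAKE_FAILURE = 40
CERTIFICATE_REVOKED = 44
CERTIFICATE_EXPIRED = 45
UNKNOWN_CA = 48
ACCESS_DENIED = 49
INTERNAL_ERROR = 80

# Assumed classification for this example: alerts after which retrying
# cannot succeed until a human fixes something (new cert, CA config, ...).
PERMANENT_ALERTS = frozenset({
    CERTIFICATE_REVOKED, CERTIFICATE_EXPIRED, UNKNOWN_CA, ACCESS_DENIED,
})


def should_retry(alert_description):
    """A client that 'understands' the alert gives up on permanent errors."""
    return alert_description not in PERMANENT_ALERTS


def fixed_delay(attempt, interval=5.0):
    """The current behaviour: reconnect every `interval` seconds, forever."""
    return interval


def backoff_delay(attempt, base=5.0, cap=300.0, jitter=0.0, rng=None):
    """Exponential back-off: base * 2**attempt, capped, with optional jitter.

    Jitter (a fraction of the delay, added on top) spreads clients out so a
    server restart does not produce synchronised reconnect waves.
    """
    delay = min(cap, base * (2 ** attempt))
    if jitter and rng is not None:
        delay += rng.uniform(0.0, delay * jitter)
    return delay


def attempts_within(delay_fn, horizon, alert=None):
    """Count reconnects one client makes in `horizon` seconds.

    `alert` is the alert description the server sends on each failure; a
    client that treats it as permanent stops after the first attempt's reply.
    """
    if alert is not None and not should_retry(alert):
        return 0
    elapsed, attempts = 0.0, 0
    while True:
        elapsed += delay_fn(attempts)
        if elapsed > horizon:
            return attempts
        attempts += 1


def server_load(clients, delay_fn, horizon, alert=None):
    """Total handshake attempts the server absorbs from `clients` failing clients."""
    return clients * attempts_within(delay_fn, horizon, alert)


if __name__ == "__main__":
    hour = 3600.0
    rng = random.Random(1)  # constructed seed so the demo is repeatable
    jittered = lambda n: backoff_delay(n, jitter=0.25, rng=rng)
    print("per-client attempts in one hour:")
    print("  fixed 5s loop        :", attempts_within(fixed_delay, hour))
    print("  exp back-off (cap 5m):", attempts_within(backoff_delay, hour))
    print("  back-off + jitter    :", attempts_within(jittered, hour))
    print("  revoked, alert-aware :",
          attempts_within(backoff_delay, hour, alert=CERTIFICATE_REVOKED))
    print("1000 old clients, fixed loop:", server_load(1000, fixed_delay, hour))
```

The fixed loop yields 720 handshakes per client per hour; the capped back-off yields 16, and an alert-aware client with a revoked certificate yields none. The back-off does not change what an attacker holding a revoked certificate can do (they control their own retry timing), which is the point made above: the alert only helps with well-behaved clients, and the DoS surface is that of plain TLS.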

Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
