Hi Pieter,

On 26/04/19 15:32, Pieter Hulshoff wrote:
Gert,

On Fri 19 Apr 2019 at 13:38, Pieter Hulshoff <pieter.hulsh...@technolution.nl> wrote:

    I've been looking at
    https://community.openvpn.net/openvpn/ticket/880 for a while now,
    and was wondering if there'd been any answers to this problem yet.
    It appears that mbedtls (according to krzee the problem
    disappeared when using OpenSSL, but since I use OpenVPN-NL that's
    not an option for me) refuses to answer a PUSH request for a
    connection it considers to already exist. As a result, a reconnect
    (e.g. after a client reboot) will stall until the reconnect timer
    exceeds the server's time-out, after which the server closes the
    connection, and accepts the following reconnect attempt. Reconnect
    from a 2.3.9 client is stalled indefinitely, since the re-connect
    seems fixed at 2 seconds.

    Using nobind will also solve the issue, since the server will see
    it as a new connection, but I'm not sure nobind is a proper
    solution for everyone.

    Any thoughts on this matter? Is it true that this only happens
    with mbedtls, and as such should this issue be taken up with that
    community instead of this one? Any idea why the server would
    refuse a PUSH request for an already existing connection?


You were looking into this matter in 2017. Did you ever figure out what the cause of this issue was, and if so how it could be remedied?


I'd look into the way session tickets are configured and used in mbedtls, e.g. read up on
https://tls.mbed.org/discussions/generic/what-is-the-correct-way-to-use-session-tickets

For OpenSSL, OpenVPN uses SSL_OP_NO_TICKET, i.e. no session tickets are allowed. I don't know the mbedtls code base well enough, but as a start, I'd make sure that mbedtls is also configured to NOT accept session tickets.

An easy way to test my hypothesis would be to:
- allow session tickets in the OpenSSL version (i.e. modify one line in ssl_openssl.c)
- build OpenVPN using OpenSSL
- use this patched OpenVPN binary to connect to your (mbedtls) server to see if the problem now also occurs with an openssl-linked version of OpenVPN

If so, then you know it's a session ticket issue. If not, then you can (most likely) rule out session tickets as the root cause of the problem.

HTH,

JJK

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel