Am 09.04.2021 um 18:28 schrieb Gert Doering:
Hi,
there was a big discussion on the IRC channel today about interactions
between "--chroot" and "--persist-key" and how and when stuff is reloaded
or not.
Now, we all seem to agree that OpenVPN has way too many obscure options,
so I propose to get rid of another one, namely --persist-key - and I
suggest to make it permanently-active ("load the keys at startup, and
then do not touch these files again").
Unless someone explains to me in simple words what the benefit is of
reloading the keys on every new outbound connection... yes, you *could*
put in a new key/cert/CA set while OpenVPN is active, and then trigger
a SIGUSR1 restart, having it "seamlessly" move to new credentials...
But...
How many of you do that? Instead of just calling "service openvpn restart"?
I do not use --persist-key, but I still restart my services after fiddling
with configs...
I am also for removing persist-key option (and ignore it if still
present) and just always have the same behaviour. I can also not come up
with a valid scenario where setting/not setting this option is making a
real desirable difference.
Arne
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
