On 09.04.2021 at 18:28, Gert Doering wrote:
> Hi, there was a big discussion on the IRC channel today about the interactions between "--chroot" and "--persist-key", and how and when stuff is reloaded or not. Now, we all seem to agree that OpenVPN has way too many obscure options, so I propose to get rid of another one, namely --persist-key - and I suggest making it permanently active ("load the keys at startup, and then do not touch these files again"). Unless someone explains to me in simple words what the benefit is of reloading the keys on every new outbound connection... Yes, you *could* put in a new key/cert/CA set while OpenVPN is active, and then trigger a SIGUSR1 restart, having it "seamlessly" move to the new credentials... But... how many of you do that, instead of just calling "service openvpn restart"? I do not use --persist-key, but I still restart my services after fiddling with configs...
I am also in favour of removing the persist-key option (and ignoring it if still present) and always having the same behaviour. I also cannot come up with a valid scenario where setting or not setting this option makes a real, desirable difference.
Arne

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel