Hi,

On Tue, Dec 22, 2020 at 11:20:08AM -0800, Guy Knights wrote:
> The error messages are logged every 5 - 10 minutes for each connected user
> like so:
These are not "error" messages. Those would start with "error" :-)
> Mon Dec 14 06:27:59 2020 user.name/user.ip TLS: Username/Password
> authentication succeeded for username 'user.name' [CN
> SET]
This is the cyclic cipher renegotiation (which includes a full reauth).
> Mon Dec 14 06:27:59 2020 user.name/user.ip Data Channel Encrypt: Cipher
> 'BF-CBC' initialized with 128 bit key
> Mon Dec 14 06:27:59 2020 user.name/user.ip WARNING: this cipher's block
> size is less than 128 bit (64 bit). Consider using a --cipher with a
> larger block size.
It is happening quite often because your setup is using a cipher that
is not considered very secure by today's standards - which this message
is telling you. So the renegotiation timers (option "reneg-sec") are
set to fairly short values.
I'd strongly recommend to upgrade the server to 2.4.x or 2.5.x, and
get automatic cipher upgrades to AES-GCM as soon as a 2.4/2.5 client
connects. Faster, more secure.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
_______________________________________________ Openvpn-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-users
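
An added example, not part of the original message or of OpenVPN itself: a small Python script that scans a server log in the format quoted above for the 64-bit block-size warning and reports, per user, the cipher in use and the seconds between successive data-channel key initializations. The sample lines, user names and addresses are constructed, and the `IP:port` form of the peer address is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format quoted above (users, IPs and times are made up).
SAMPLE_LOG = """\
Mon Dec 14 06:27:59 2020 alice/198.51.100.7:50112 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Dec 14 06:27:59 2020 alice/198.51.100.7:50112 WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
Mon Dec 14 06:35:02 2020 alice/198.51.100.7:50112 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Dec 14 06:35:02 2020 alice/198.51.100.7:50112 WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
Mon Dec 14 06:40:11 2020 bob/203.0.113.9:41000 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
"""

# ctime-style timestamp, then "user/peer", then the message text.
LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (\S+?)/(\S+) (.*)$")
CIPHER = re.compile(r"Data Channel Encrypt: Cipher '([^']+)' initialized with (\d+) bit key")
SMALL_BLOCK = re.compile(r"block size is less than 128 bit \((\d+) bit\)")

def audit(log_text):
    """Return {user: details} for every user whose session logged the block-size warning."""
    seen = defaultdict(lambda: {"cipher": None, "block_bits": None, "inits": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # lines without a "user/peer" prefix (e.g. pre-auth) are skipped
        when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        user, msg = m.group(2), m.group(4)
        c = CIPHER.search(msg)
        if c:
            seen[user]["cipher"] = c.group(1)
            seen[user]["inits"].append(when)  # one entry per (re)negotiated key
        w = SMALL_BLOCK.search(msg)
        if w:
            seen[user]["block_bits"] = int(w.group(1))
    report = {}
    for user, rec in seen.items():
        if rec["block_bits"] is None:
            continue  # no warning logged for this user
        t = rec["inits"]
        gaps = [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
        report[user] = {"cipher": rec["cipher"], "block_bits": rec["block_bits"],
                        "rekey_gaps_s": gaps}
    return report

if __name__ == "__main__":
    for user, info in audit(SAMPLE_LOG).items():
        print(user, info)
```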
