Opened 6 years ago

Closed 5 years ago

Last modified 4 years ago

#865 closed Patch submission (fixed)

Improve performance with per session random component added to --reneg-sec intervals

Reported by: Simon Matter Owned by: Steffan Karger
Priority: major Milestone:
Component: Crypto Version: OpenVPN 2.4.1 (Community Ed)
Severity: Not set Keywords: performance TLS renegotiation regen-sec


While we were suffering from the "TLS Renegotiation Slowdown" bug here we realized that there is still room for improvement in our use case.

It appears that TLS renegotiation is getting more and more expensive in terms of CPU cycles with recent changes for more security. To make things worse, we realized that most renegotiation procedures took place at almost the same time and increased the CPU load too much during these periods. That's especially true on large, multi-instance openvpn setups.

I've created the attached patch to add a per session random component to the --reneg-sec intervals so that renegotiation is evenly spread over time. It is configured by simply adding a second value to --reneg-sec as described in the --help text:

--reneg-sec n [r] : Renegotiate data chan. key after n seconds (default=3600)
                  and if r is specified, add a per session random component
                  in the range of 1 ... r to n (default=0).

That patch is tested and seems to work well in my environment. As always, comments are very welcome.

Would be nice to have this patch accepted and included in OpenVPN 2.4.2.

Attachments (2)

openvpn-2.4.1-reneg_random.patch (5.5 KB) - added by Simon Matter 6 years ago.
openvpn-2.4.1-reneg-sec_random.patch (5.5 KB) - added by Simon Matter 6 years ago.


Change History (9)

comment:1 Changed 6 years ago by Steffan Karger

Owner: set to Steffan Karger
Status: new → assigned

A feature like this makes sense, but I think the patch needs a bit more work:

  • the addition should be checked for integer overflow (it might not only cause unexpected behaviour, but even undefined behaviour, because signed overflow is undefined in C)
  • the current get_random() % r approach does not produce uniform random. I don't think that is a problem (because the values for r we expect to use are << INT_MAX), but it should at least be documented in the commit message.

Could you send this patch (or a v2, after processing my comments) to openvpn-devel@… using git send-email? That is where we discuss patches for inclusion. (See
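The two review points above (checked addition, and uniform sampling instead of get_random() % r) are shown together in the following added example. It is not code from the ticket's patch or from OpenVPN; example_random() is a hypothetical deterministic stand-in for the project's get_random(), and the function names reneg_random_component, reneg_interval and reneg_random_covers_range are assumptions made for this illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for OpenVPN's get_random(): a deterministic xorshift
 * PRNG so the example runs offline. Real code would draw from the project's
 * existing random source; only the sampling and overflow logic matter here. */
static uint32_t example_prng_state = 0x9E3779B9u;

static uint32_t example_random(void)
{
    uint32_t x = example_prng_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    example_prng_state = x;
    return x;
}

/* Uniform integer in [1, r] by rejection sampling. A plain get_random() % r
 * is biased towards small values whenever 2^32 is not a multiple of r; here
 * draws at or above the largest multiple of r are discarded and redrawn, so
 * every value in [1, r] is equally likely. Returns 0 when r <= 0. */
int reneg_random_component(int r)
{
    if (r <= 0) {
        return 0;
    }
    uint64_t range = (uint64_t)r;
    uint64_t space = (uint64_t)UINT32_MAX + 1;          /* 2^32 possible draws */
    uint64_t limit = space - (space % range);           /* largest multiple of r */
    uint32_t v;
    do {
        v = example_random();
    } while (v >= limit);
    return (int)(v % range) + 1;
}

/* Compute n + jitter for --reneg-sec n r. Signed overflow is undefined in C,
 * so the addition is checked first and an out-of-range result is reported
 * instead of wrapping. */
bool reneg_interval(int n, int r, int *interval_out)
{
    if (n < 0 || r < 0) {
        return false;                       /* negative values are nonsensical */
    }
    int jitter = reneg_random_component(r);
    if (jitter > INT_MAX - n) {
        return false;                       /* n + jitter would overflow int */
    }
    *interval_out = n + jitter;
    return true;
}

/* Sanity check for the sampler: true if every value in [1, r] appears at
 * least once across `draws` draws and nothing outside that range ever does. */
bool reneg_random_covers_range(int r, int draws)
{
    if (r <= 0 || r > 4096 || draws <= 0) {
        return false;
    }
    bool seen[4097] = { false };
    for (int i = 0; i < draws; i++) {
        int v = reneg_random_component(r);
        if (v < 1 || v > r) {
            return false;
        }
        seen[v] = true;
    }
    for (int v = 1; v <= r; v++) {
        if (!seen[v]) {
            return false;
        }
    }
    return true;
}

int main(void)
{
    int interval;
    /* Five simulated sessions with --reneg-sec 3600 600: each lands
     * somewhere in [3601, 4200] instead of all on 3600. */
    for (int session = 0; session < 5; session++) {
        if (reneg_interval(3600, 600, &interval)) {
            printf("session %d: renegotiate after %d seconds\n", session, interval);
        }
    }
    if (!reneg_interval(INT_MAX, 600, &interval)) {
        printf("n=INT_MAX r=600 rejected: would overflow\n");
    }
    return 0;
}
```

The rejection loop rarely repeats for the small r values this option is meant for (for r=600 fewer than 500 of the 2^32 draws are rejected), so the cost of uniform sampling is negligible next to a TLS handshake; the overflow check is what turns a bad pair of values into a clean error instead of undefined behaviour.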

comment:2 Changed 6 years ago by Simon Matter

The new patch, openvpn-2.4.1-reneg-sec_random.patch, is added and also sent to the list.

comment:3 Changed 6 years ago by tct


comment:4 Changed 5 years ago by sumpfralle

Thank you for preparing this patch!

It would probably be very helpful for #1021.

comment:5 Changed 5 years ago by Steffan Karger

Resolution: fixed
Status: assigned → closed

The patch has been applied to the master branch.

commit dd99646347bc5461fa83b0e62114550504bb128f
Author: Simon Matter
Date: Thu Nov 16 15:09:58 2017 +0100

This will be part of OpenVPN 2.5.

comment:6 Changed 5 years ago by Playgame123

Removed spam comment.

Last edited 5 years ago by Samuli Seppänen

comment:7 Changed 4 years ago by Addu12

Removed spam comment.

Last edited 4 years ago by Eric Crist