#865 closed Patch submission (fixed)
Improve performance with per session random component added to --reneg-sec intervals
| Reported by: | Simon Matter | Owned by: | Steffan Karger |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | Crypto | Version: | OpenVPN 2.4.1 (Community Ed) |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | performance TLS renegotiation reneg-sec |
| Cc: | | | |
Description
While we were suffering from the "TLS Renegotiation Slowdown" bug here https://community.openvpn.net/openvpn/ticket/854 we realized that there is still room for improvement in our use case.
It appears that TLS renegotiation is getting more and more expensive in terms of CPU cycles with recent changes for more security. To make things worse, we realized that most renegotiation procedures took place at almost the same time and increased the CPU load too much during these periods. That's especially true on large, multi-instance openvpn setups.
I've created the attached patch to add a per-session random component to the --reneg-sec intervals so that renegotiation is evenly spread over time. It is configured by simply adding a second value to --reneg-sec as described in the --help text:
--reneg-sec n [r] : Renegotiate data chan. key after n seconds (default=3600) and if r is specified, add a per session random component in the range of 1 ... r to n (default=0).
That patch is tested and seems to work well in my environment. As always, comments are very welcome.
Would be nice to have this patch accepted and included in OpenVPN 2.4.2.
Attachments (2)
Change History (9)
Changed 7 years ago by
Attachment: openvpn-2.4.1-reneg_random.patch added
comment:1 Changed 7 years ago by
Owner: set to Steffan Karger
Status: new → assigned
Changed 7 years ago by
Attachment: openvpn-2.4.1-reneg-sec_random.patch added
comment:2 Changed 7 years ago by
The new patch openvpn-2.4.1-reneg-sec_random.patch is added and has also been sent to the list.
comment:4 Changed 6 years ago by
Thank you for preparing this patch!
It would probably be very helpful for #1021.
comment:5 Changed 6 years ago by
Resolution: → fixed
Status: assigned → closed
The patch has been applied to the master branch.
commit dd99646347bc5461fa83b0e62114550504bb128f
Author: Simon Matter
Date: Thu Nov 16 15:09:58 2017 +0100
This will be part of OpenVPN 2.5.
A feature like this makes sense, but I think the patch needs a bit more work:
Could you send this patch (or a v2, after processing my comments) to openvpn-devel@… using git send-email? That is where we discuss patches for inclusion. (See http://community.openvpn.net/openvpn/wiki/DeveloperDocumentation).