From: Antonio Q. <a...@un...> - 2022-04-27 14:51:57
On 27/04/2022 16:26, Gert Doering wrote:
> Hi,
>
> On Wed, Apr 27, 2022 at 04:04:41PM +0200, Antonio Quartulli wrote:
>> On 22/04/2022 16:29, Arne Schwabe wrote:
>>> The current place that we reload is a bit more efficient since it only
>>> triggers reload after a completed 3way handshake. On the other hand the
>>> key_state_init is a much more logical place and with the upcoming
>>> HMAC based UDP code and TCP code, the initialisation will only be done
>>> after a 3way handshake.
>>
>> There is something strange. Upon client reconnection the CRL is not
>> always reloaded. It feels as if "some stuff" is already initialized
>> (because we have a session for this client floating around), so we skip
>> that initialization and we also skip reloading the CRL.
>

I take this back. I managed to fool myself (and OpenVPN) because instead of
really updating the CRL file, I was rather switching between two CRLs (one
with the client revoked, one with the client allowed) using a symlink.

However, as documented in stat(2), stat() follows the symlink and reports
stats about the linked file (which had a constant mtime).

To properly test the CRL-reload behaviour, I therefore had to change the
symlink and then touch the linked file. This made my test correct, and I
could check that the OpenVPN behaviour, with this patch, is also correct.

Acked-by: Antonio Quartulli <a...@un...>

Regards,

--
Antonio Quartulli
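The symlink pitfall described in the mail above, as an added example that is not part of the thread and not OpenVPN's own code: a minimal mtime-based reload check in the spirit of OpenVPN's CRL reload (reload only when st_mtime changed), run against two constructed placeholder CRL files in a scratch directory under /tmp. The file names, the pinned mtime value and the /tmp location are assumptions made for the demonstration. Swapping the symlink alone is not noticed, because stat() follows the link and both targets carry the same mtime; touching the target after the swap (what touch(1) does) is what makes the check fire.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Minimal mtime-based reload check, modelled on the idea of OpenVPN's CRL
 * reload (not its code): reload only when the file's mtime changed.
 * stat() follows symlinks, so for a symlinked CRL the mtime reported is
 * that of the target file, never that of the link itself. */
struct crl_watch {
    time_t mtime; /* mtime seen at the last (re)load, 0 = never loaded */
};

/* Returns 1 if the CRL should be (re)loaded, 0 if unchanged, -1 on error. */
int crl_needs_reload(struct crl_watch *w, const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if (st.st_mtime == w->mtime)
        return 0;
    w->mtime = st.st_mtime;
    return 1;
}

/* Create a file with the given body and pin its mtime to a fixed value, so
 * that both constructed CRLs end up with an identical mtime. */
static int write_file(const char *path, const char *body, time_t mtime)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, body, strlen(body));
    close(fd);
    if (n < 0)
        return -1;
    struct timespec ts[2] = { { mtime, 0 }, { mtime, 0 } };
    return utimensat(AT_FDCWD, path, ts, 0);
}

/* Reproduce the test setup from the mail: two CRLs and a symlink that is
 * swapped from one to the other. Returns what the reload check reports
 * after the swap (0 = not noticed, 1 = reload) or a negative value if the
 * setup failed. With touch_after_swap != 0 the target is touched after the
 * swap, as touch(1) would do, which is what made the original test valid. */
int symlink_swap_demo(int touch_after_swap)
{
    char dir[] = "/tmp/crlreloadXXXXXX"; /* assumption: /tmp is writable */
    char allowed[256], revoked[256], link[256];
    struct crl_watch w = { 0 };
    int first, second, rc = -2;
    /* Constructed placeholders, not real CRLs; the check never parses them. */
    const time_t fixed_mtime = 1650000000; /* 2022-04-15, same for both files */

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(allowed, sizeof allowed, "%s/crl_allowed.pem", dir);
    snprintf(revoked, sizeof revoked, "%s/crl_revoked.pem", dir);
    snprintf(link, sizeof link, "%s/crl.pem", dir);

    if (write_file(allowed, "CRL: no clients revoked (constructed)\n", fixed_mtime) != 0 ||
        write_file(revoked, "CRL: test client revoked (constructed)\n", fixed_mtime) != 0 ||
        symlink("crl_allowed.pem", link) != 0)
        goto out;

    first = crl_needs_reload(&w, link); /* initial load: returns 1 */

    /* Swap the symlink to the other CRL, as the original test did. */
    unlink(link);
    if (symlink("crl_revoked.pem", link) != 0)
        goto out;
    if (touch_after_swap)
        utimensat(AT_FDCWD, link, NULL, 0); /* NULL = now; follows the link, like touch(1) */

    second = crl_needs_reload(&w, link);
    rc = (first == 1) ? second : -3;

out:
    unlink(link);
    unlink(allowed);
    unlink(revoked);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("swap only:       reload=%d (stat() sees the unchanged target mtime)\n",
           symlink_swap_demo(0));
    printf("swap then touch: reload=%d\n", symlink_swap_demo(1));
    return 0;
}
```

If the check is to notice a relinked CRL without a touch, comparing st_dev and st_ino alongside st_mtime would do it, since the swap changes which inode the path resolves to; lstat() would instead report the link's own metadata and never see edits to the target.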