I have a tunnel between two RPis. I recently upgraded the server to use OpenVPN 2.4.4 instead of 2.3.something. I did not change the configuration (except added ncp-disable). The client still uses the 2.3 version.
Now in the server log, this is printed exactly once every hour, and I want to get rid of it, so that more vital messages aren't missed when I check the log.
Sun Oct 29 17:13:48 2017 cn-name/x.x.x.x:37708 peer info: IV_VER=2.3.4
Sun Oct 29 17:13:48 2017 cn-name/x.x.x.x:37708 peer info: IV_PLAT=linux
Server
; General
; ---------------------------------------------------------
dev tun0
proto udp
port 1234
client-config-dir /etc/openvpn/ccd
keepalive 10 120
max-clients 20
tls-server
log-append /home/openvpnn/server/log.txt
status /home/openvpnn/server/status.txt
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
remote-cert-eku "TLS Web Server Authentication"
remote-cert-tls server
verify-x509-name serverA-v1 name
Thanks for replying! Having read the manual I don't think I will disable the renegotiation. But what about increasing the interval to perhaps 8 or 24 hours? What impact will it have on security?
Renegotiation every hour is default.
By the time the used crypto is broken it would mean the adversary can decrypt 1 hour of data.
For the next hour the process of decrypting would have to be repeated because of a different key.
Extending renegotiation time to 2 hours.... you get the point I think.
So I would think it depends on how important the data is, for how long it must be safe.
Your encrypted data can/could be stored now and by the time crypto is broken be decrypted.
I can of course be wrong so anyone more knowledgeable, chime in...
If all my data is stored, couldn't it all eventually be decrypted? If I have half the interval between the renegotiations it would just mean it would take twice as long, wouldn't it?
If all my data is stored, couldn't it all eventually be decrypted?
Yes, that's why I wrote "for how long it must be safe"
If some authority is interested in your traffic and trying to decrypt it, you have other problems, I would think
it would take twice as long, wouldn't it?
To decrypt the same amount of data, I would think yes.
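As an added example (not code from this thread), the script below reads a constructed log in the format of the "peer info" lines quoted in the first post, keeps every line that is not that hourly chatter so other messages stand out, and reports the observed gap between successive renegotiations per client, so the interval actually in force can be checked against whatever is configured. The sample log, the client name and the TLS error line are all constructed.

```python
import re
from datetime import datetime

# Constructed sample of an OpenVPN 2.4 server log: the "peer info" lines
# emitted at each TLS renegotiation, interleaved with one other message.
SAMPLE_LOG = """\
Sun Oct 29 16:13:48 2017 cn-name/x.x.x.x:37708 peer info: IV_VER=2.3.4
Sun Oct 29 16:13:48 2017 cn-name/x.x.x.x:37708 peer info: IV_PLAT=linux
Sun Oct 29 16:40:02 2017 cn-name/x.x.x.x:37708 TLS Error: TLS key negotiation failed to occur within 60 seconds
Sun Oct 29 17:13:48 2017 cn-name/x.x.x.x:37708 peer info: IV_VER=2.3.4
Sun Oct 29 17:13:48 2017 cn-name/x.x.x.x:37708 peer info: IV_PLAT=linux
Sun Oct 29 18:13:49 2017 cn-name/x.x.x.x:37708 peer info: IV_VER=2.3.4
Sun Oct 29 18:13:49 2017 cn-name/x.x.x.x:37708 peer info: IV_PLAT=linux
"""

# "<weekday> <month> <day> <HH:MM:SS> <year> <cn>/<ip>:<port> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<client>\S+) (?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"


def split_log(text):
    """Return (other_lines, reneg_times): every line that is not peer-info
    chatter, and per client the timestamps at which it sent IV_VER (one
    TLS renegotiation each)."""
    other, reneg = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            other.append(line)          # unparseable lines are never dropped
            continue
        msg = m.group("msg")
        if msg.startswith("peer info: "):
            if msg.startswith("peer info: IV_VER="):
                ts = datetime.strptime(m.group("ts"), TS_FMT)
                reneg.setdefault(m.group("client"), []).append(ts)
            continue
        other.append(line)
    return other, reneg


def reneg_intervals(reneg):
    """Seconds between successive renegotiations, per client."""
    return {c: [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
            for c, t in reneg.items()}


if __name__ == "__main__":
    other, reneg = split_log(SAMPLE_LOG)
    print("\n".join(other))
    for client, gaps in reneg_intervals(reneg).items():
        print(client, "renegotiations:", len(reneg[client]), "gaps (s):", gaps)
```

On the constructed sample this prints only the TLS error line and reports gaps of 3600 and 3601 seconds, i.e. the hourly default; a larger configured interval would show up as larger gaps here.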