"TLS soft reset" issue

innogen
OpenVPN Power User
Posts: 87
Joined: Sun May 22, 2011 8:14 am


Post by innogen » Mon May 23, 2011 2:12 am

I have just bought a subscription from one of the commercial VPN providers, and I work in a country where freedom of information, freedom of speech and the right to privacy are non-existent.

I have noticed that after successfully establishing a secure connection, the software provided by my VPN provider does a "soft reset" approximately 60 minutes later.

Below is a typical example (truncated):
Tue May 10 19:54:23 2011 Initialization Sequence Completed
Tue May 10 19:54:44 2011 Replay-window backtrack occurred [1]
Tue May 10 19:54:50 2011 Replay-window backtrack occurred [2]
Tue May 10 20:54:15 2011 TLS: soft reset sec=0 bytes=19444148/0 pkts=41430/0
Tue May 10 20:54:16 2011 VERIFY OK: depth=1, /C=US/ST=Virginia/L=Reston/O=Full_Mesh_Networks__Inc./OU=FMN_Engineering___Operations/CN=Full_Mesh_Networks_Certificate_Authority/emailAddress=support@fullmesh.net
Tue May 10 20:54:16 2011 VERIFY OK: nsCertType=SERVER
Tue May 10 20:54:16 2011 VERIFY OK: depth=0, /C=US/ST=Virginia/O=Full_Mesh_Networks__Inc./OU=Aspen_Engineering___Operations/CN=vpn/emailAddress=support@aspen.com
Tue May 10 20:54:18 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 10 20:54:18 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 10 20:54:18 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 10 20:54:18 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 10 20:54:18 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA

In the example above, at about 19:54:23 hours, the secure connection was established. About an hour later, at about 20:54:15 hours, there was a "TLS: soft reset". Three or four seconds later, the process of data channel encryption and decryption took place.

Could the experts here help me answer the following questions:

(1) What could be the possible causes of a "TLS soft reset"? Was it due to my antivirus/firewall software?

(2) During a "TLS soft reset" was my VPN connection lost/disconnected? Was my ISP able to view/sniff out which website(s) I was surfing?

(3) What can I do to prevent a similar occurrence?

My commercial VPN provider has many gateways in many locations throughout the world and I have experienced "TLS soft reset" with all of them.

Any advice that you experts provide will be most appreciated.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: "TLS soft reset" issue

Post by janjust » Mon May 23, 2011 8:13 am

The TLS soft reset is triggered by OpenVPN itself: every 60 minutes the TLS keys are regenerated and you will see this message. During this period the VPN will still be up and secure.

You can control this behaviour using

reneg-sec <N>

where the default value of <N> = 3600


Re: "TLS soft reset" issue

Post by innogen » Tue May 24, 2011 1:50 am

@ janjust

Thanks for your clarification and advice.

You mentioned that I could control the "TLS soft reset" behaviour by adding a line

reneg-sec <N>

My questions:

(1) Am I right to suppose that the value of N is in seconds? If yes, what is the maximum value of N that it can accept?

(2) Below is a typical example of my config file (I have edited out some of its contents for privacy reasons). Where shall I put the line reneg-sec <N> in my config file?

client
dev tun
proto tcp
remote 123.456.789.123 443
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
cipher bf-cbc
comp-lzo
verb 3
mute 20
ca ca.crt
mssfix 1450
key john_doe.key
cert john_doe.crt

show-net-up
#
# Uncomment only if instructed to do so by our Support Staff
#route-method exe
#route-delay 2

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(I have removed the static key for security reasons)
-----END OpenVPN Static key V1-----
</tls-auth>

Any help or advice would be much appreciated.


Re: "TLS soft reset" issue

Post by janjust » Tue May 24, 2011 9:46 am

(1) Am I right to suppose that the value of N is in seconds? If yes, what is the maximum value of N that it can accept?

As far as I can tell <N> is a 32-bit integer (perhaps even 64-bit), so the maximum value would be 2,000,000,000 (which is more than 50 years); you can also disable renegotiation by specifying '0', but TLS key renegotiation is a security enhancement, not a risk.

(2) Below is a typical example of my config file (I have edited out some of its contents for privacy reasons). Where shall I put the line reneg-sec <N> in my config file?

Pretty much anywhere in the config file; OpenVPN is not (too) picky about the order of the statements.


Re: "TLS soft reset" issue

Post by innogen » Wed May 25, 2011 12:02 am

@janjust

I have highlighted some lines of the example below in red. Are those lines in red part of the TLS renegotiation?

Tue May 10 20:54:15 2011 TLS: soft reset sec=0 bytes=19444148/0 pkts=41430/0
Tue May 10 20:54:16 2011 VERIFY OK: depth=1, /C=US/ST=Virginia/L=Reston/O=Full_Mesh_ ... llmesh.net
Tue May 10 20:54:16 2011 VERIFY OK: nsCertType=SERVER
Tue May 10 20:54:16 2011 VERIFY OK: depth=0, /C=US/ST=Virginia/O=Full_Mesh_Networks_ ... @aspen.com
Tue May 10 20:54:18 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 10 20:54:18 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 10 20:54:18 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 10 20:54:18 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 10 20:54:18 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thanks in advance for your clarification.


Re: "TLS soft reset" issue

Post by janjust » Wed May 25, 2011 12:45 am

Yes, that's the part where the new encryption (BF-CBC or Blowfish) and signing (SHA1 for HMAC signing) keys are negotiated.
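Added example, not code from the thread or from OpenVPN itself: a small Python check that reads a client log like the one quoted above, finds each "TLS: soft reset", confirms the renegotiation completed (server certificate re-verified at depth=0 and fresh data-channel keys installed, the lines janjust identifies) and compares when it fired against the configured reneg-sec (default 3600). The sample log is constructed from the lines in this thread, abridged; the 120-second tolerance and the function names are assumptions of this example.

```python
import re
from datetime import datetime
from itertools import takewhile

# Constructed sample: the client log lines quoted in this thread, abridged.
SAMPLE_LOG = """\
Tue May 10 19:54:23 2011 Initialization Sequence Completed
Tue May 10 20:54:15 2011 TLS: soft reset sec=0 bytes=19444148/0 pkts=41430/0
Tue May 10 20:54:16 2011 VERIFY OK: depth=1, /C=US/CN=Full_Mesh_Networks_Certificate_Authority
Tue May 10 20:54:16 2011 VERIFY OK: nsCertType=SERVER
Tue May 10 20:54:16 2011 VERIFY OK: depth=0, /C=US/CN=vpn
Tue May 10 20:54:18 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 10 20:54:18 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 10 20:54:18 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
"""
TS_FMT = "%a %b %d %H:%M:%S %Y"
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")

def parse_log(text):
    """Yield (timestamp, message) for each timestamped OpenVPN log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), TS_FMT), m.group(2)

def reneg_sec_from_config(config_text):
    """Effective reneg-sec: the configured value, else OpenVPN's default of 3600."""
    m = re.search(r"^\s*reneg-sec\s+(\d+)", config_text, re.MULTILINE)
    return int(m.group(1)) if m else 3600

def audit_renegotiations(log_text, reneg_sec=3600, tolerance=120):
    """One record per 'TLS: soft reset': did it fire on schedule, and did the
    renegotiation complete (server cert re-verified, fresh data-channel keys)?"""
    events = list(parse_log(log_text))
    start = next(ts for ts, msg in events if msg.startswith("Initialization Sequence Completed"))
    records = []
    for i, (ts, msg) in enumerate(events):
        if not msg.startswith("TLS: soft reset"):
            continue
        # Only look at lines up to the next soft reset (each renegotiation is judged on its own).
        after = list(takewhile(lambda e: not e[1].startswith("TLS: soft reset"), events[i + 1:]))
        verified = any(m.startswith("VERIFY OK: depth=0") for _, m in after)
        rekey = next((t for t, m in after if m.startswith("Data Channel Decrypt: Cipher")), None)
        since_start = (ts - start).total_seconds()
        records.append({
            "since_start_s": since_start,
            "on_schedule": abs(since_start - reneg_sec) <= tolerance,
            "completed": verified and rekey is not None,
            "rekey_delay_s": None if rekey is None else (rekey - ts).total_seconds(),
        })
    return records
```

On the thread's log this reports one reset 3592 s after the session came up, on schedule for reneg-sec 3600, with new keys in place 3 s later; a reset with "completed" false, or one firing far from the configured interval, is what to look for when the provider's client is doing something other than the routine rekey.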
