From 81149fd01897166cee5649d2da3801f2a5a45b5c Mon Sep 17 00:00:00 2001
From: Dan Williams
Date: Wed, 8 Apr 2015 09:37:56 -0500
Subject: [PATCH] core: use a default renegotiation interval of zero (rh #969433)

Since the client and server do not negotiate options, each side gets to specify its own --reneg-sec to control when each side renegotiates. OpenVPN defaults to 3600, so if the client and server don't agree this causes too-frequent renegotiations. This is worse with two-factor authentication, becuase it can mean that the client requests a password/PIN from the user much more often then the server actually wants.
https://bugzilla.redhat.com/show_bug.cgi?id=969433
---
 src/nm-openvpn-service.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index 8282573..93ced6c 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -1115,6 +1115,14 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
 free_openvpn_args (args);
 return FALSE;
 }
+ } else {
+ /* Either the server and client must agree on the renegotiation
+ * interval, or it should be disabled on one side to prevent
+ * too-frequent renegotiations, which make two-factor auth quite
+ * painful.
+ */
+ add_openvpn_arg (args, "--reneg-sec");
+ add_openvpn_arg (args, "0");
 }
 if (debug) {
-- 
2.1.0
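Review bot: The comment in the new `else` branch gives only the usability reason for passing `--reneg-sec 0` and leaves out the security trade-off of making it the default. With 0 the client no longer initiates time-based renegotiation, so the lifetime of the data-channel keys is bounded only by the server's own `--reneg-sec` (and any byte or packet limits, if configured); if the server has it disabled as well, keys are never rotated on a timer. I would extend the comment with something like `* NOTE: with 0 the client never starts a time-based rekey; key lifetime then depends entirely on the server's --reneg-sec.` so a later reader does not take 0 for a harmless default. The `if` this `else` pairs with, and the rest of nm_openvpn_start_openvpn_binary, lie outside the hunk, so I am presuming it is the branch that handles a user-configured interval.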