Hi Erik,

On February 13, 2018 12:00:12 PM GMT+02:00, ummeegge wrote:
>Hi Michael,
>
>On Tuesday, 13.02.2018, at 08:07 +0200, Horace Michael wrote:
>>
>> Please consider adding auth-nocache also in order to get rid of the
>> warnings for caching credentials.
>
>just to bear in mind, if we set auth-nocache and a user/password
>authentication has been configured manually by the user (IPFire does not
>provide this currently), there is the need to authenticate again after
>a session key has expired.

If an IPFire user manually changed the standard configuration of OpenVPN and added passwd authentication, then he/she should also accept the impact: entering the credentials on key renewal, or changing the config and removing the --auth-nocache directive.

>
>With OpenVPN-2.3.13 and above the rekeying is managed by
>'--reneg-bytes 64000000' (after 64 MB data transfer) if 64 bit block ciphers are
>used, which IPFire does provide at this time.
>
>So by the usage of an old deprecated configuration (old ciphers) and a
>faster and heavily loaded connection there is the need to authenticate
>every few minutes.
>
>This warning does not look so nice but is, in regular configurations which
>have been made via WUI, useless since there is no user/password
>authentication currently available.
>

Indeed it is just a warning - no problem for the tunnel being established. But it is a warning that might be wrongly understood - who knows what "credentials" the user will think of, and the user's overall image of IPFire security will be poor...

>If someone has configured it manually (in most cases via
>server{client}.conf.local I think) it is there also possible to set
>'--auth-nocache' for each configuration individually if needed?
>
>Just some thoughts from here.
>
>
>Greetings,
>
>Erik

--
Horace Michael (aka H&M)
Please excuse my typos and brevity.
Sent from a Smartphone.
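The interaction discussed in this thread, as an added example that is not part of either message and is not IPFire or OpenVPN code: a small Python check that reads an OpenVPN client config and estimates how often a user would be asked for a password when `auth-nocache` is combined with `auth-user-pass`. The function names and sample configs are constructed; the 64000000 byte limit is the figure quoted in the thread, and the 3600 second `reneg-sec` and `BF-CBC` cipher defaults are OpenVPN 2.3 defaults.

```python
# Added illustration; not IPFire or OpenVPN project code.
SMALL_BLOCK = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}  # 64-bit block ciphers
DEFAULT_CIPHER = "BF-CBC"         # OpenVPN 2.3 default when --cipher is absent
DEFAULT_RENEG_SEC = 3600          # OpenVPN default for --reneg-sec
SMALL_BLOCK_RENEG_BYTES = 64000000  # figure quoted in the thread for 2.3.13+

def parse(conf_text):
    """Map option name -> argument list; skips blank and comment lines."""
    opts = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = line.lstrip("-").split()
            opts[parts[0]] = parts[1:]
    return opts

def reprompt_interval(conf_text, mbit_per_s):
    """Seconds between password prompts at a sustained rate, or None if never re-prompted.
    Assumes interactive credentials and looks at this side's settings only."""
    opts = parse(conf_text)
    if "auth-user-pass" not in opts or "auth-nocache" not in opts:
        return None  # certificate-only setup, or credentials stay cached
    cipher = opts.get("cipher", [DEFAULT_CIPHER])[0].upper()
    reneg_sec = int(opts.get("reneg-sec", [DEFAULT_RENEG_SEC])[0])
    if "reneg-bytes" in opts:
        reneg_bytes = int(opts["reneg-bytes"][0])
    else:
        reneg_bytes = SMALL_BLOCK_RENEG_BYTES if cipher in SMALL_BLOCK else 0
    limits = []
    if reneg_sec > 0:
        limits.append(float(reneg_sec))
    if reneg_bytes > 0 and mbit_per_s > 0:
        limits.append(reneg_bytes / (mbit_per_s * 1e6 / 8))
    return min(limits) if limits else None

# Constructed sample configs.
WUI_STYLE = "client\ncipher BF-CBC\nauth-nocache\n"
LEGACY_PW = "client\ncipher BF-CBC\nauth-user-pass\nauth-nocache\n"
MODERN_PW = "client\ncipher AES-256-CBC\nauth-user-pass\nauth-nocache\n"

if __name__ == "__main__":
    for name, conf in [("WUI_STYLE", WUI_STYLE), ("LEGACY_PW", LEGACY_PW), ("MODERN_PW", MODERN_PW)]:
        print(name, reprompt_interval(conf, 4))
```

At a sustained 4 Mbit/s the legacy-cipher config with password authentication hits the byte limit roughly every two minutes, while the certificate-only config is never prompted.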