[PULL request] distinguish between different rekey methods

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Feb 15 02:51:18 EST 2014


On 02/14/2014 09:21 PM, Kevin Cernekee wrote:
> On Fri, Feb 14, 2014 at 12:05 PM, Nikos Mavrogiannopoulos
> <nmav at gnutls.org> wrote:
>> And I don't think that this complexity is needed. I suppose that an
>> AnyConnect server sends "X-DTLS-Rekey: new-tunnel" or does not send this
>> header at all? In that case this commit would do the proper thing on
>> anyconnect and ocserv.
> In my testing I did not see an "X-DTLS-Rekey-Method:" header.  The
> three headers listed in my post were the only ones containing "rekey"
> (case insensitive).

I noticed that this pattern is in several other logs posted before. So
it seems that anyconnect handles the rekey of the TLS channel and simply
reconnects the DTLS channel at the same moment (I see that there isn't
even a configuration option to change the rekey time of DTLS).

So I think that we can use the X-DTLS-Rekey-Method to allow a rehandshake
on the DTLS channel (we could also rename it to avoid any future
conflicts). What do you think?

I've updated the 'rekey' branch with a simpler patch (re-uses the
handshake code). The only part that is specific to ocserv is the part
that checks (and uses) X-DTLS-Rekey-Method.

regards,
Nikos
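As an added illustration of the header-driven decision discussed in this thread (not code from openconnect, ocserv, or the poster), the following C snippet picks a DTLS rekey strategy from the response headers: it prefers an `X-DTLS-Rekey-Method` header if present, falls back to the bare `X-DTLS-Rekey` value that AnyConnect was observed to send, and treats a missing header as "no explicit method", so a client that only understands `new-tunnel` keeps working. The value `ssl` for the rehandshake case, the header block layout, and the sample responses are assumptions constructed for the example; only `X-DTLS-Rekey: new-tunnel` and the `X-DTLS-Rekey-Method` name come from the thread.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Rekey strategy derived from the server's response headers. */
enum rekey_method {
    REKEY_NONE,        /* no rekey header at all: server reconnects on its own */
    REKEY_NEW_TUNNEL,  /* "new-tunnel": tear the DTLS channel down and reconnect */
    REKEY_REHANDSHAKE  /* "ssl" (assumed value): renegotiate on the existing channel */
};

/* Map a header value to a rekey method. Matching is case-insensitive, as the
 * thread's grep for "rekey" was. Unknown values fall back to new-tunnel, the
 * only behaviour the thread confirms AnyConnect actually uses. */
enum rekey_method parse_rekey_method(const char *value)
{
    if (value == NULL)
        return REKEY_NONE;
    if (strcasecmp(value, "new-tunnel") == 0)
        return REKEY_NEW_TUNNEL;
    if (strcasecmp(value, "ssl") == 0)
        return REKEY_REHANDSHAKE;
    return REKEY_NEW_TUNNEL;
}

/* Look up one header in a block of "Name: value\r\n" lines (case-insensitive
 * name, exact match up to the colon so "X-DTLS-Rekey" does not match
 * "X-DTLS-Rekey-Method"). Copies the trimmed value into out and returns its
 * length, or -1 if the header is absent. */
int find_header(const char *headers, const char *name, char *out, size_t outlen)
{
    size_t namelen = strlen(name);
    const char *p = headers;

    while (*p) {
        const char *eol = strstr(p, "\r\n");
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);

        if (linelen > namelen + 1 &&
            strncasecmp(p, name, namelen) == 0 && p[namelen] == ':') {
            const char *v = p + namelen + 1;
            while (v < p + linelen && *v == ' ')
                v++;
            size_t vlen = (size_t)(p + linelen - v);
            if (vlen >= outlen)
                vlen = outlen - 1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        if (!eol)
            break;
        p = eol + 2;
    }
    return -1;
}

/* Decide how to rekey the DTLS channel: the explicit method header wins,
 * then the plain X-DTLS-Rekey value, otherwise no explicit method. */
enum rekey_method dtls_rekey_method(const char *headers)
{
    char buf[64];

    if (find_header(headers, "X-DTLS-Rekey-Method", buf, sizeof buf) >= 0)
        return parse_rekey_method(buf);
    if (find_header(headers, "X-DTLS-Rekey", buf, sizeof buf) >= 0)
        return parse_rekey_method(buf);
    return REKEY_NONE;
}

int main(void)
{
    /* Constructed sample responses, not captured from any real server. */
    const char *anyconnect_style = "X-DTLS-Rekey: new-tunnel\r\n";
    const char *ocserv_style = "X-DTLS-Rekey-Method: ssl\r\n"
                               "X-DTLS-Rekey: new-tunnel\r\n";
    const char *no_rekey = "";

    printf("anyconnect-style -> %d\n", dtls_rekey_method(anyconnect_style));
    printf("ocserv-style     -> %d\n", dtls_rekey_method(ocserv_style));
    printf("no header        -> %d\n", dtls_rekey_method(no_rekey));
    return 0;
}
```

The ordering matters: a server that emits both headers (as the proposed ocserv change would) is resolved by the more specific `X-DTLS-Rekey-Method`, while a server that emits only `X-DTLS-Rekey: new-tunnel` still gets the reconnect behaviour that existing clients expect.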