[PULL request] distinguish between different rekey methods
Kevin Cernekee
cernekee at gmail.com
Sat Feb 15 23:41:49 EST 2014
On Fri, Feb 14, 2014 at 11:51 PM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> I noticed that this pattern is on several other logs posted before. So
> it seems that anyconnect handle the rekey of the TLS channel and simply
> reconnect the DTLS channel at the same moment (I see that there isn't
> even a configuration option to change the rekey time of DTLS).
When comparing your new rekey code to what is in the existing
start_cstp_connection(), it occurred to me that we may be operating
under different assumptions:
In your experimentation with Cisco AnyConnect clients, do you see them
sending a brand new DTLS master secret during rekey (ala commit
9d2b41dc8) or merely re-handshaking / re-establishing the DTLS session
in order to generate new session keys?
To address your other point, I have found that many of the X-CSTP-*
and X-DTLS-* options have identical values and cannot be configured
independently on the ASA. On my box, compression is the only option
that allows separate settings under "anyconnect dtls <opt>".
More information about the openconnect-devel
mailing list