)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"f897d3a5284e7b9dffb8b81d00b64820efbc2aab","unresolved":true,"context_lines":[{"line_number":9,"context_line":"An incoming P_CONTROL_SOFT_RESET_V1 can arrive while the primary key is"},{"line_number":10,"context_line":"already in S_GENERATED_KEYS but no longer fully authorized. This can"},{"line_number":11,"context_line":"happen when deferred auth later expires/fails, or when mid-session auth"},{"line_number":12,"context_line":"checks deauthenticate the key without demoting its TLS state."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"This patch keeps read_control_auth as the first gate, then rejects the"},{"line_number":15,"context_line":"incoming renegotiation request unless the primary key is KS_AUTH_TRUE"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"d36c7cbc_c403a599","line":12,"updated":"2026-02-16 14:32:19.000000000","message":"Should we add the scenario where we just waiting for the hand-window to have the key be fully authenticated? The patch seem to address this but the commit message does not.","commit_id":"4993426e50a4a0f2a29cc5dc901927518029a30b"},{"author":{"_account_id":1000041,"name":"ralf_lici","display_name":"Ralf Lici","email":"ralf@mandelbit.com","username":"ralf_lici"},"change_message_id":"c8820a5b3cb6984be08bd80f58f0ec24e9e210ed","unresolved":false,"context_lines":[{"line_number":9,"context_line":"An incoming P_CONTROL_SOFT_RESET_V1 can arrive while the primary key is"},{"line_number":10,"context_line":"already in S_GENERATED_KEYS but no longer fully authorized. This can"},{"line_number":11,"context_line":"happen when deferred auth later expires/fails, or when mid-session auth"},{"line_number":12,"context_line":"checks deauthenticate the key without demoting its TLS state."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"This patch keeps read_control_auth as the first gate, then rejects the"},{"line_number":15,"context_line":"incoming renegotiation request unless the primary key is KS_AUTH_TRUE"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"02b189c3_6784af74","line":12,"in_reply_to":"d36c7cbc_c403a599","updated":"2026-02-17 08:10:55.000000000","message":"Done","commit_id":"4993426e50a4a0f2a29cc5dc901927518029a30b"}],"src/openvpn/ssl.c":[{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"f897d3a5284e7b9dffb8b81d00b64820efbc2aab","unresolved":true,"context_lines":[{"line_number":3754,"context_line":"            if (ks-\u003eauthenticated !\u003d KS_AUTH_TRUE || now \u003c ks-\u003eauth_deferred_expire)"},{"line_number":3755,"context_line":"            {"},{"line_number":3756,"context_line":"                msg(D_TLS_ERRORS,"},{"line_number":3757,"context_line":"                    \"TLS Error: rejecting incoming renegotiation request: key not fully authenticated/valid\");"},{"line_number":3758,"context_line":"                goto error;"},{"line_number":3759,"context_line":"            }"},{"line_number":3760,"context_line":""}],"source_content_type":"text/x-csrc","patch_set":2,"id":"7f990c4b_9382fc22","line":3757,"updated":"2026-02-16 14:32:19.000000000","message":"Maybe make this message a bit more verbose to help later debugging and print the key-id in ks too?","commit_id":"4993426e50a4a0f2a29cc5dc901927518029a30b"},{"author":{"_account_id":1000041,"name":"ralf_lici","display_name":"Ralf Lici","email":"ralf@mandelbit.com","username":"ralf_lici"},"change_message_id":"c8820a5b3cb6984be08bd80f58f0ec24e9e210ed","unresolved":false,"context_lines":[{"line_number":3754,"context_line":"            if (ks-\u003eauthenticated !\u003d KS_AUTH_TRUE || now \u003c ks-\u003eauth_deferred_expire)"},{"line_number":3755,"context_line":"            {"},{"line_number":3756,"context_line":"                msg(D_TLS_ERRORS,"},{"line_number":3757,"context_line":"                    \"TLS Error: rejecting incoming renegotiation request: key not fully authenticated/valid\");"},{"line_number":3758,"context_line":"                goto error;"},{"line_number":3759,"context_line":"            }"},{"line_number":3760,"context_line":""}],"source_content_type":"text/x-csrc","patch_set":2,"id":"5ea276c4_a76158a4","line":3757,"in_reply_to":"7f990c4b_9382fc22","updated":"2026-02-17 08:10:55.000000000","message":"Done","commit_id":"4993426e50a4a0f2a29cc5dc901927518029a30b"}]}