)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"33df3216629107617d46e3732b4963e173556bb7","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"874520ad_48b61cb4","updated":"2026-01-19 19:13:22.000000000","message":"\u003eAlthough the DCO part\n\u003e of this mechanism is set up in userspace, none of the drivers actually\n\u003eimplements it in the kernel.\n\nWe implement this with secondary and primary key for the kernel as well. OpenVPN assumes that the primary key is always used for encryption and that the secondary key can be used for decryption. \n\nCurrently dco_update_keys also installs the new negotiated key first as secondary key and then only when it becomes the primary key we call dco_swap_keys, which we do after the transition period. So we basically have this transition period in user space. \n\nWhich part of that is not implemented in kernel space? Is secondary ignored or what? 
The commit is missing what part exactly is not implemented in the DCO drivers here.\n\nIf you ignore the period and switch to the new key as soon as you get it, you get packet loss as there is no way around a packet loss unless you have a transition period where both keys are active for decryption.","commit_id":"f0438792607c563f8e0e14104be86a87e2e166de"}],"src/openvpn/dco.c":[{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"63c0a582555aecf8813f623013040ebd7167fbc0","unresolved":true,"context_lines":[{"line_number":86,"context_line":"         * This line should be removed once all drivers implement the"},{"line_number":87,"context_line":"         * transition window logic."},{"line_number":88,"context_line":"         */"},{"line_number":89,"context_line":"        ks-\u003eauth_deferred_expire \u003d now;"},{"line_number":90,"context_line":"    }"},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"    return ret;"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"9f0beabf_e536a1e8","line":89,"updated":"2026-01-19 22:46:51.000000000","message":"This will instantly trigger the key to be installed as primary key, breaking the normal transition method for tls renegotiation.","commit_id":"f0438792607c563f8e0e14104be86a87e2e166de"}]}
