For an up-to-date list of all deprecated options, see this wiki page:
https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
-- ``--key-method 1`` is deprecated in 2.4 and will be removed in 2.5. Migrate
- away from ``--key-method 1`` as soon as possible. The recommended approach
- is to remove the ``--key-method`` option from the configuration files, OpenVPN
- will then use ``--key-method 2`` by default. Note that this requires changing
- the option in both the client and server side configs.
+- ``--key-method 1`` is deprecated in OpenVPN 2.4 and will be removed in v2.5.
+ Migrate away from ``--key-method 1`` as soon as possible. The recommended
+ approach is to remove the ``--key-method`` option from the configuration
+ files, OpenVPN will then use ``--key-method 2`` by default. Note that this
+ requires changing the option in both the client and server side configs.
-- ``--tls-remote`` is removed in 2.4, as indicated in the 2.3 man-pages. Similar
- functionality is provided via ``--verify-x509-name``, which does the same job in
- a better way.
+- ``--tls-remote`` is removed in OpenVPN 2.4, as indicated in the v2.3
+ man-pages. Similar functionality is provided via ``--verify-x509-name``,
+ which does the same job in a better way.
-- ``--compat-names`` and ``--no-name-remapping`` were deprecated in 2.3 and will
- be removed in 2.5. All scripts and plug-ins depending on the old non-standard
- X.509 subject formatting must be updated to the standardized formatting. See
- the man page for more information.
+- ``--compat-names`` and ``--no-name-remapping`` were deprecated in OpenVPN 2.3
+ and will be removed in v2.5. All scripts and plug-ins depending on the old
+ non-standard X.509 subject formatting must be updated to the standardized
+ formatting. See the man page for more information.
-- ``--no-iv`` is deprecated in 2.4 and will be removed in 2.5.
+- ``--no-iv`` is deprecated in OpenVPN 2.4 and will be removed in v2.5.
-- ``--keysize`` is deprecated and will be removed in v2.6 together
- with the support of ciphers with cipher block size less than 128 bits.
+- ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6
+ together with the support of ciphers with cipher block size less than
+ 128-bits.
- ``--comp-lzo`` is deprecated in OpenVPN 2.4. Use ``--compress`` instead.
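Review bot: "128-bits" on the last added line of the ``--keysize`` entry is a regression from the original "128 bits"; the hyphenated form is only correct as a compound adjective ("a 128-bit block"), and as a plain noun after "less than" it should stay unhyphenated. Suggest keeping the wording as it was: `+ together with the support of ciphers with cipher block size less than` / `+ 128 bits.`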
files instead of older ones, to provide a unified behaviour across systemd
based Linux distributions.
-- With OpenVPN v2.4, the project has moved over to depend on and actively use
+- With OpenVPN 2.4, the project has moved over to depend on and actively use
the official C99 standard (-std=c99). This may fail on some older compiler/libc
header combinations. In most of these situations it is recommended to
use -std=gnu99 in CFLAGS. This is known to be needed when doing
Security
--------
- CVE-2017-7522: Fix ``--x509-track`` post-authentication remote DoS
- A client could crash a 2.4+ mbedtls server, if that server uses the
+ A client could crash a v2.4+ mbedtls server, if that server uses the
``--x509-track`` option and the client has a correct, signed and unrevoked
certificate that contains an embedded NUL in the certificate subject.
Discovered and reported to the OpenVPN security team by Guido Vranken.
Bugfixes
--------
- Fix fingerprint calculation in mbed TLS builds. This means that mbed TLS users
- of OpenVPN 2.4.0, 2.4.1 and 2.4.2 that rely on the values of the
+ of OpenVPN 2.4.0, v2.4.1 and v2.4.2 that rely on the values of the
``tls_digest_*`` env vars, or that use ``--verify-hash`` will have to change
the fingerprint values they check against. The security impact of the
incorrect calculation is very minimal; the last few bytes (max 4, typically
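Review bot: the enumeration `of OpenVPN 2.4.0, v2.4.1 and v2.4.2` mixes both naming forms inside a single list of releases, which reads oddly; since "OpenVPN" already qualifies the list, the plain numbers are enough: `of OpenVPN 2.4.0, 2.4.1 and 2.4.2`. The same pattern appears in the CVE-2017-7478 entry further down (`OpenVPN 2.4.0 or v2.4.1`), which should be handled the same way.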
Bugfixes
--------
-- Fix memory leak introduced in 2.4.1: if --remote-cert-tls is used, we leaked
- some memory on each TLS (re)negotiation.
+- Fix memory leak introduced in OpenVPN 2.4.1: if ``--remote-cert-tls`` is
+ used, we leaked some memory on each TLS (re)negotiation.
+
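Review bot: the added empty line after the ``--remote-cert-tls`` entry is unrelated to version naming; none of the other bullets in this list are separated by blank lines, so either drop it or, if it is needed for the spacing before the following "Security" heading, mention that in the commit message so the reader knows it is intentional.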
Security
--------
-- Fix a pre-authentication denial-of-service attack on both clients and servers.
- By sending a too-large control packet, OpenVPN 2.4.0 or 2.4.1 can be forced
- to hit an ASSERT() and stop the process. If ``--tls-auth`` or ``--tls-crypt``
- is used, only attackers that have the ``--tls-auth`` or ``--tls-crypt`` key
- can mount an attack. (OSTIF/Quarkslab audit finding 5.1, CVE-2017-7478)
+- Fix a pre-authentication denial-of-service attack on both clients and
+ servers. By sending a too-large control packet, OpenVPN 2.4.0 or v2.4.1 can
+ be forced to hit an ASSERT() and stop the process. If ``--tls-auth`` or
+ ``--tls-crypt`` is used, only attackers that have the ``--tls-auth`` or
+ ``--tls-crypt`` key can mount an attack.
+ (OSTIF/Quarkslab audit finding 5.1, CVE-2017-7478)
- Fix an authenticated remote DoS vulnerability that could be triggered by
causing a packet id roll over. An attack is rather inefficient; a peer
.B execve
or
.B system.
-As of OpenVPN v2.3, this flag is no longer accepted. In most *nix environments the execve()
+As of OpenVPN 2.3, this flag is no longer accepted. In most *nix environments the execve()
approach has been used without any issues.
Some directives such as \-\-up allow options to be passed to the external
versions you needed to either add a full path to the script interpreter which can parse the
script or use the
.B system
-flag to run these scripts. As of OpenVPN v2.3 it is now a strict requirement to have
+flag to run these scripts. As of OpenVPN 2.3 it is now a strict requirement to have
full path to the script interpreter when running non-executables files.
This is not needed for executable files, such as .exe, .com, .bat or .cmd files. For
example, if you have a Visual Basic script, you must use this syntax now:
namely that using a password-protected private key will fail unless the
.B \-\-askpass
option is used to tell OpenVPN to ask for the pass phrase (this
-requirement is new in 2.3.7, and is a consequence of calling daemon()
+requirement is new in v2.3.7, and is a consequence of calling daemon()
before initializing the crypto layer).
Further, using
parameter may be "lzo", "lz4", or empty. LZO and LZ4
are different compression algorithms, with LZ4 generally
offering the best performance with least CPU usage.
-For backwards compatibility with OpenVPN versions before 2.4, use "lzo"
+For backwards compatibility with OpenVPN versions before v2.4, use "lzo"
(which is identical to the older option "\-\-comp\-lzo yes").
If the
purely implemented for compatibility reasons when using older plug-ins or
scripts which does not handle the new formatting or UTF-8 characters.
.IP
-In OpenVPN v2.3 the formatting of these fields changed into a more
+In OpenVPN 2.3 the formatting of these fields changed into a more
standardised format. It now looks like:
.IP
.B
C=US, L=Somewhere, CN=John Doe, emailAddress=john@example.com
.IP
-The new default format in OpenVPN v2.3 also does not do the character remapping
+The new default format in OpenVPN 2.3 also does not do the character remapping
which happened earlier. This new format enables proper support for UTF\-8
characters in the usernames, X.509 Subject fields and Common Name variables and
it complies to the RFC 2253, UTF\-8 String Representation of Distinguished
.B Please note:
This option is immediately deprecated. It is only implemented
to make the transition to the new formatting less intrusive. It will be
-removed in OpenVPN v2.5. So please update your scripts/plug-ins where necessary.
+removed in OpenVPN 2.5. So please update your scripts/plug-ins where necessary.
.\"*********************************************************
.TP
.B \-\-no\-name\-remapping
option.
.B Please note:
-This option is now deprecated. It will be removed in OpenVPN v2.5.
+This option is now deprecated. It will be removed in OpenVPN 2.5.
So please make sure you support the new X.509 name formatting
described with the
.B \-\-compat\-names
.B \-\-cipher
setting, but the peer cipher is one of the ciphers specified in
.B \-\-ncp\-ciphers\fR.
-E.g. a non-NCP client (<=2.3, or with \-\-ncp\-disabled set) connecting to a
-NCP server (2.4+) with "\-\-cipher BF-CBC" and "\-\-ncp-ciphers
+E.g. a non-NCP client (<=v2.3, or with \-\-ncp\-disabled set) connecting to a
+NCP server (v2.4+) with "\-\-cipher BF-CBC" and "\-\-ncp-ciphers
AES-256-GCM:AES-256-CBC" set can either specify "\-\-cipher BF-CBC" or
"\-\-cipher AES-256-CBC" and both will work.
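Review bot: while this line is being rewritten, the hyphen in `\-\-ncp-ciphers` should be escaped as `\-\-ncp\-ciphers`, matching the `.B \-\-ncp\-ciphers\fR` reference two lines above in the same hunk; mixing escaped and unescaped hyphens in one option name renders inconsistently in the man page. `<=v2.3` is also hard to read in rendered output; "v2.3 or older" would be clearer.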
(required) is a file in OpenVPN static key format which can be generated by
.B \-\-genkey
-Older versions (up to 2.3) supported a freeform passphrase file.
-This is no longer supported in newer versions (2.4+).
+Older versions (up to OpenVPN 2.3) supported a freeform passphrase file.
+This is no longer supported in newer versions (v2.4+).
See the
.B \-\-secret
.B file.
.\"*********************************************************
.SS TUN/TAP persistent tunnel config mode:
-Available with linux 2.4.7+. These options comprise a standalone mode
+Available with Linux 2.4.7+. These options comprise a standalone mode
of OpenVPN which can be used to create and delete persistent tunnels.
.\"*********************************************************
.TP
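Review bot: "Linux 2.4.7+" in this hunk is a kernel version, not an OpenVPN release, so the change here is only the capitalisation of "linux", not part of the version-naming cleanup. It is a fine fix to keep, but it should be called out in the commit message (or split into its own commit) so nobody reading the history assumes the OpenVPN naming rule was applied to a kernel version.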
.TP
.B \-\-dhcp\-release
Ask Windows to release the TAP adapter lease on shutdown.
-This option has no effect now, as it is enabled by default starting with version 2.4.1.
+This option has no effect now, as it is enabled by default starting with OpenVPN 2.4.1.
.\"*********************************************************
.TP
.B \-\-register\-dns
.B \-\-client\-config\-dir filename as derived from common name or username:
Alphanumeric, underbar ('_'), dash ('-'), and dot ('.') except for "." or
-".." as standalone strings. As of 2.0.1-rc6, the at ('@') character has
+".." as standalone strings. As of v2.0.1-rc6, the at ('@') character has
been added as well for compatibility with the common name character class.
.B Environmental variable names:
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
-# Note that 2.4 client/server will automatically
+# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
-# Note that 2.4 client/server will automatically
+# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC
# Enable compression on the VPN link and push the
-# option to the client (2.4+ only, for earlier
+# option to the client (v2.4+ only, for earlier
# versions see below)
;compress lz4-v2
;push "compress lz4-v2"
else if (streq(p[0], "max-routes") && !p[2])
{
msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored."
- "The number of routes is unlimited as of version 2.4. "
+ "The number of routes is unlimited as of OpenVPN 2.4. "
"This option will be removed in a future version, "
"please remove it from your configuration.");
}
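Review bot: the concatenated message still runs two sentences together, because the first literal ends with `ignored."` and the rewritten second literal starts with `"The number`, producing "ignored.The number of routes ...". Since the line is being touched anyway, add the missing space, e.g. `"DEPRECATED OPTION: --max-routes option ignored. "`.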
VERIFY_PERMISSION(OPT_P_GENERAL);
if (streq(p[1], "env"))
{
- msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN v2.3. "
+ msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3. "
"This entry will now be ignored. "
"Please remove this entry from your configuration file.");
}
msg(msglevel, "you cannot use --compat-names with --verify-x509-name");
goto err;
}
- msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN v2.5.");
+ msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN 2.5.");
compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES);
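Review bot: the rewritten `msg(M_WARN, ...)` line is well over 80 columns; the neighbouring `--max-routes` and `--win-sys` messages in this patch split their text across adjacent string literals, and this one (and the identical `--no-name-remapping` warning in the next hunk) should do the same, e.g. `msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration. "` / `"This will be removed in OpenVPN 2.5.");`.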
#if P2MP_SERVER
if (p[1] && streq(p[1], "no-remapping"))
msg(msglevel, "you cannot use --no-name-remapping with --verify-x509-name");
goto err;
}
- msg(M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration. This will be removed in OpenVPN v2.5.");
+ msg(M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration. This will be removed in OpenVPN 2.5.");
compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES);
compat_flag(COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING);
#endif