is considered "too complicated", using ``--peer-fingerprint`` makes
TLS mode about as easy as using ``--secret``.
+``ncp-disable`` has been removed
+ This option mainly served a role as debug option when NCP was first
+ introduced. It should now no longer be necessary.
+
Overview of changes in 2.5
==========================
The default is :code:`BF-CBC`, an abbreviation for Blowfish in Cipher
Block Chaining mode. When cipher negotiation (NCP) is allowed,
OpenVPN 2.4 and newer on both client and server side will automatically
- upgrade to :code:`AES-256-GCM`. See ``--data-ciphers`` and
- ``--ncp-disable`` for more details on NCP.
+ upgrade to :code:`AES-256-GCM`. See ``--data-ciphers`` for more details
+ on NCP.
Using :code:`BF-CBC` is no longer recommended, because of its 64-bit
block size. This small block size allows attacks based on collisions, as
have been configured with `--enable-small`
(typically used on routers or other embedded devices).
---ncp-disable
- **DEPRECATED** Disable "Negotiable Crypto Parameters". This completely
- disables cipher negotiation.
-
--secret args
**DEPRECATED** Enable Static Key encryption mode (non-TLS). Use pre-shared secret
``file`` which was generated with ``--genkey``.
| OPT_P_EXPLICIT_NOTIFY
| OPT_P_ECHO
| OPT_P_PULL_MODE
- | OPT_P_PEER_ID;
+ | OPT_P_PEER_ID
+ | OPT_P_NCP;
if (!c->options.route_nopull)
{
flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
}
- if (c->options.ncp_enabled)
- {
- flags |= OPT_P_NCP;
- }
-
return flags;
}
*
* Therefore, the key structure has to be initialized when:
* - any non-BF-CBC cipher was selected; or
- * - BF-CBC is selected and NCP is disabled (explicit request to
- * use the BF-CBC cipher); or
* - BF-CBC is selected, NCP is enabled and fallback is enabled
* (BF-CBC will be the fallback).
* - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
* Note that BF-CBC will still be part of the OCC string to retain
* backwards compatibility with older clients.
*/
- if (!streq(options->ciphername, "BF-CBC") || !options->ncp_enabled
- || (options->ncp_enabled && tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers))
+ if (!streq(options->ciphername, "BF-CBC")
+ || tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers)
|| options->enable_ncp_fallback)
{
/* Do not warn if the if the cipher is used only in OCC */
- bool warn = !options->ncp_enabled || options->enable_ncp_fallback;
+ bool warn = options->enable_ncp_fallback;
init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
true, warn);
}
to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
to.config_ciphername = c->options.ciphername;
to.config_ncp_ciphers = c->options.ncp_ciphers;
- to.ncp_enabled = options->ncp_enabled;
to.transition_window = options->transition_window;
to.handshake_window = options->handshake_window;
to.packet_timeout = options->tls_timeout;
#endif
/* Select cipher if client supports Negotiable Crypto Parameters */
- if (!o->ncp_enabled)
- {
- return true;
- }
/* if we have already created our key, we cannot *change* our own
* cipher -> so log the fact and push the "what we have now" cipher
" (default=%s).\n"
" Set alg=none to disable encryption.\n"
"--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
- "--ncp-disable : (DEPRECATED) Disable cipher negotiation.\n"
"--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
" nonce_secret_len=nsl. Set alg=none to disable PRNG.\n"
#ifndef ENABLE_CRYPTO_MBEDTLS
o->stale_routes_check_interval = 0;
o->ifconfig_pool_persist_refresh_freq = 600;
o->scheduled_exit_interval = 5;
- o->ncp_enabled = true;
o->ncp_ciphers = "AES-256-GCM:AES-128-GCM";
o->authname = "SHA1";
o->prng_hash = "SHA1";
SHOW_STR_INLINE(shared_secret_file);
SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
SHOW_STR(ciphername);
- SHOW_BOOL(ncp_enabled);
SHOW_STR(ncp_ciphers);
SHOW_STR(authname);
SHOW_STR(prng_hash);
if (!o->pull && !(o->mode == MODE_SERVER))
{
/* we are in the classic P2P mode */
- o->ncp_enabled = false;
msg( M_WARN, "Cipher negotiation is disabled since neither "
"P2MP client nor server mode is enabled");
/* pull or P2MP mode */
if (!o->ciphername)
{
- if (!o->ncp_enabled)
- {
- msg(M_USAGE, "--ncp-disable needs an explicit --cipher or "
- "--data-ciphers-fallback config option");
- }
-
- msg(M_WARN, "--cipher is not set. Previous OpenVPN version defaulted to "
- "BF-CBC as fallback when cipher negotiation failed in this case. "
- "If you need this fallback please add '--data-ciphers-fallback "
- "BF-CBC' to your configuration and/or add BF-CBC to "
- "--data-ciphers.");
-
/* We still need to set the ciphername to BF-CBC since various other
* parts of OpenVPN assert that the ciphername is set */
o->ciphername = "BF-CBC";
options_postprocess_cipher(o);
options_postprocess_mutate_invariant(o);
- if (o->ncp_enabled)
+ o->ncp_ciphers = mutate_ncp_cipher_list(o->ncp_ciphers, &o->gc);
+ if (o->ncp_ciphers == NULL)
{
- o->ncp_ciphers = mutate_ncp_cipher_list(o->ncp_ciphers, &o->gc);
- if (o->ncp_ciphers == NULL)
- {
- msg(M_USAGE, "NCP cipher list contains unsupported ciphers or is too long.");
- }
+ msg(M_USAGE, "NCP cipher list contains unsupported ciphers or is too long.");
}
if (o->remote_list && !o->connection_list)
}
/* Only announce the cipher to our peer if we are willing to
* support it */
- if (p2p_nopull || !o->ncp_enabled
- || tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
+ if (p2p_nopull || tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
{
buf_printf(&out, ",cipher %s", ciphername);
}
msg(msglevel, "Unknown key-derivation method %s", p[1]);
}
}
- else if (streq(p[0], "ncp-disable") && !p[1])
- {
- VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
- options->ncp_enabled = false;
- msg(M_WARN, "DEPRECATED OPTION: ncp-disable. Disabling "
- "cipher negotiation is a deprecated debug feature that "
- "will be removed in OpenVPN 2.6");
- }
else if (streq(p[0], "prng") && p[1] && !p[3])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
const char *ciphername;
bool enable_ncp_fallback; /**< If defined fall back to
* ciphername if NCP fails */
- bool ncp_enabled;
const char *ncp_ciphers;
const char *authname;
const char *prng_hash;
}
/* support for Negotiable Crypto Parameters */
- if (session->opt->ncp_enabled
- && (session->opt->mode == MODE_SERVER || session->opt->pull))
+ if (session->opt->mode == MODE_SERVER || session->opt->pull)
{
if (tls_item_in_cipher_list("AES-128-GCM", session->opt->config_ncp_ciphers)
&& tls_item_in_cipher_list("AES-256-GCM", session->opt->config_ncp_ciphers))
const char *config_ciphername;
const char *config_ncp_ciphers;
- bool ncp_enabled;
bool tls_crypt_v2;
const char *tls_crypt_v2_verify_script;
return true;
}
- if (!c->options.ncp_enabled)
- {
- return true;
- }
/* If the server did not push a --cipher, we will switch to the
* remote cipher if it is in our ncp-ciphers list */
if(tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername))
projects / thirdparty / openvpn.git / commitdiff
