Key method 2 has been the default since OpenVPN 2.0, and is both more
functional and secure. Also, key method 1 was only ever supported for
peer-to-peer connections (i.e. not for client-server).
Let's get rid of some legacy and phase out key method 1.
v2: add Changes.rst entry, and update man page
[ DS: Slightly modified patch, reworded the warning message and the
Changes.rst note to encourage not to set --key-method at all ]
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1479153967-6788-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13054.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
devices since AIX does not provide tun interface.
+Deprecated features
+-------------------
+- ``--key-method 1`` is deprecated in 2.4 and will be removed in 2.5. Migrate
+ away from ``--key-method 1`` as soon as possible. The recommended approach
+ is to remove the ``--key-method`` option from the configuration files, OpenVPN
+ will then use ``--key-method 2`` by default. Note that this requires changing
+ the option in both the client and server side configs.
+
+
User-visible Changes
--------------------
- For certificate DNs with duplicate fields, e.g. "OU=one,OU=two", both fields
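Review bot: the last sentence of the new Changes.rst entry ("this requires changing the option in both the client and server side configs") reads ambiguously after the preceding sentence recommends removing the option altogether; suggest "Note that the option must be removed from both the client and the server configuration, since both sides must use the same key method." Also, the two added blank lines before "User-visible Changes" leave a double gap; one blank line matches the spacing used between the other sections.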
In method 1 (the default for OpenVPN 1.x), both sides generate
random encrypt and HMAC-send keys which are forwarded to
-the other host over the TLS channel.
+the other host over the TLS channel. Method 1 is
+.B deprecated in OpenVPN 2.4
+, and
+.B will be removed in OpenVPN 2.5\fR.
In method 2, (the default for OpenVPN 2.0)
the client generates a random key. Both client
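Review bot: in the man page hunk the comma on its own line (", and") will render with a space before it, because troff joins the `.B deprecated in OpenVPN 2.4` output and the next text line with a space. Attach the comma to the bold line with the same `\fR` escape already used two lines later, e.g. `.B deprecated in OpenVPN 2.4\fR, and`, so both sentences use one consistent style.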
"may accept clients which do not present a certificate");
}
+ if (options->key_method == 1)
+ {
+ msg (M_WARN, "WARNING: --key-method 1 is deprecated and will be removed "
+ "in OpenVPN 2.5. By default --key-method 2 will be used if not set "
+ "in the configuration file, which is the recommended approach.");
+ }
+
if (options->tls_server || options->tls_client)
{
#ifdef ENABLE_PKCS11
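Review bot: the new `if (options->key_method == 1)` check sits before the `if (options->tls_server || options->tls_client)` block, so the deprecation warning is also emitted for configurations that are not in TLS mode, where `--key-method` has no effect on the connection; consider moving the check inside that TLS block so the warning only appears where the option is actually used. The message text itself matches the Changes.rst wording (default is method 2 when unset), which is good for consistency.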