Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN data
channel.
+Improved Data channel cipher negotiation
+ OpenVPN clients will now signal all supported ciphers from the
+ ``ncp-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN
+ servers will select the first common cipher from the ``ncp-ciphers``
+ list instead of blindly pushing the first cipher of the list. This
+ allows to use a configuration like
+ ``ncp-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that
+ prefers ChaCha20-Poly1305 but uses it only if the client supports it.
+
+Deprecated features
+-------------------
+For an up-to-date list of all deprecated options, see this wiki page:
+https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
+
+- ``ncp-disable`` has been deprecated
+ With the improved and matured data channel cipher negotiation, the use
+ of ``ncp-disable`` should not be necessary anymore.
+
Overview of changes in 2.4
==========================
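Review bot: the sentence "This allows to use a configuration like" in the negotiation entry is not grammatical; suggest "This makes it possible to use a configuration such as ``ncp-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server, which prefers ChaCha20-Poly1305 but uses it only if the client supports it." The ``ncp-disable`` deprecation note should also name the release that removes the option, so the release notes agree with the runtime warning added in options.c (which says 2.6), and it would help admins who currently rely on ``ncp-disable`` to say what governs selection instead (per the entry above, the server's ``ncp-ciphers`` list), rather than only that the option "should not be necessary anymore".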
" (default=%s).\n"
" Set alg=none to disable encryption.\n"
"--ncp-ciphers list : List of ciphers that are allowed to be negotiated.\n"
- "--ncp-disable : Disable cipher negotiation.\n"
+ "--ncp-disable : (DEPRECATED) Disable cipher negotiation.\n"
"--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
" nonce_secret_len=nsl. Set alg=none to disable PRNG.\n"
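Review bot: the usage line marks ``--ncp-disable`` as deprecated but gives no removal version, while the parse-time warning below names OpenVPN 2.6; suggest making the two consistent, e.g. "--ncp-disable : (DEPRECATED, to be removed in 2.6) Disable cipher negotiation.\n", so that ``--help`` output and the runtime warning tell the same story.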
#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
{
VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
options->ncp_enabled = false;
+ msg(M_WARN, "DEPRECATED OPTION: ncp-disable. Disabling dynamic "
+ "cipher negotiation is a deprecated debug feature that "
+ "will be removed in OpenVPN 2.6");
}
else if (streq(p[0], "prng") && p[1] && !p[3])
{
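Review bot: the new ``msg(M_WARN, ...)`` sits inside the ``#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH`` block that opens this hunk, so please confirm that the build without that define (its handling of ``ncp-disable`` is outside this hunk) emits the same deprecation notice, otherwise users on such builds get no warning before the option is removed in 2.6. The message also describes ``ncp-disable`` as a "deprecated debug feature", which does not match the Changes.rst wording that simply says the option is no longer necessary; align the two so the warning does not suggest the option was never intended for normal use. Behaviour is otherwise unchanged, since ``options->ncp_enabled = false`` is still set alongside the warning.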