From: Steffan Karger Date: Mon, 14 Nov 2016 20:06:07 +0000 (+0100) Subject: Deprecate key-method 1 X-Git-Tag: v2.4_beta1~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1ce0638627eb35631af9bfaa569468573568ec65;p=thirdparty%2Fopenvpn.git Deprecate key-method 1 Key method 2 has been the default since OpenVPN 2.0, and is both more functional and secure. Also, key method 1 was only ever supported for peer-to-peer connections (i.e. not for client-server). Let's get rid of some legacy and phase out key method 1. v2: add Changes.rst entry, and update man page [ DS: Slightly modified patch, reworded the warning message and the Changes.rst note to encourage not to set --key-method at all ] Signed-off-by: Steffan Karger Acked-by: David Sommerseth Message-Id: <1479153967-6788-1-git-send-email-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13054.html Signed-off-by: David Sommerseth --- diff --git a/Changes.rst b/Changes.rst index c0f14a18a..2b99a1d0d 100644 --- a/Changes.rst +++ b/Changes.rst @@ -112,6 +112,15 @@ AIX platform support devices since AIX does not provide tun interface. +Deprecated features +------------------- +- ``--key-method 1`` is deprecated in 2.4 and will be removed in 2.5. Migrate + away from ``--key-method 1`` as soon as possible. The recommended approach + is to remove the ``--key-method`` option from the configuration files, OpenVPN + will then use ``--key-method 2`` by default. Note that this requires changing + the option in both the client and server side configs. + + User-visible Changes -------------------- - For certificate DNs with duplicate fields, e.g. "OU=one,OU=two", both fields diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 863dcf940..7227d2246 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 
@@ -4782,7 +4782,10 @@ exchanged over the TLS session. In method 1 (the default for OpenVPN 1.x), both sides generate random encrypt and HMAC-send keys which are forwarded to -the other host over the TLS channel. +the other host over the TLS channel. Method 1 is +.B deprecated in OpenVPN 2.4 +, and +.B will be removed in OpenVPN 2.5\fR. In method 2, (the default for OpenVPN 2.0) the client generates a random key. Both client diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 32826f509..4d31e4c0b 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2245,6 +2245,13 @@ options_postprocess_verify_ce (const struct options *options, const struct conne "may accept clients which do not present a certificate"); } + if (options->key_method == 1) + { + msg (M_WARN, "WARNING: --key-method 1 is deprecated and will be removed " + "in OpenVPN 2.5. By default --key-method 2 will be used if not set " + "in the configuration file, which is the recommended approach."); + } + if (options->tls_server || options->tls_client) { #ifdef ENABLE_PKCS11
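Review bot: in the Changes.rst hunk, the new "Deprecated features" entry tells users to drop ``--key-method`` from both client and server configs but gives no reason why both sides matter; since the two peers must agree on the key method, a config changed on only one side will not be able to complete the key exchange with the other. Suggest closing the entry with one sentence to that effect, e.g. "Both peers must use the same key method, so update both configurations before reconnecting." The rationale stated in the commit message, that key method 1 was only ever supported for peer-to-peer setups, would also help readers judge whether they are affected at all, and belongs in this user-facing note rather than only in the commit message.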
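Review bot: in the doc/openvpn.8 hunk, the line ", and" placed on its own after ".B deprecated in OpenVPN 2.4" will render with a space before the comma ("deprecated in OpenVPN 2.4 , and"), because troff joins the following text line with a space rather than attaching it to the macro's argument. The second sentence in the same hunk already uses the inline form ".B will be removed in OpenVPN 2.5\fR." to keep the full stop attached; the first should do the same, e.g. ".B deprecated in OpenVPN 2.4\fR, and" on one line, dropping the separate ", and" line.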
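Review bot: in the src/openvpn/options.c hunk, the deprecation warning is added to options_postprocess_verify_ce(), which takes a connection entry, while options->key_method is a global option rather than a per-entry setting; if this function is run once for every connection entry in a multi-remote configuration, the same M_WARN line is printed once per entry. Consider emitting it from the global verification pass instead so it appears once. The message text could also carry the reason given in the commit message, that key method 1 is only usable for peer-to-peer setups, so that an operator reading the log knows whether anything beyond deleting the option needs attention.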