From: Arne Schwabe Date: Thu, 9 Jul 2020 10:15:56 +0000 (+0200) Subject: Deprecate ncp-disable and add improved ncp to Changes.rst X-Git-Tag: v2.5_beta1~86 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2b09c1405fdfffe15b2b444b15cce7820263a048;p=thirdparty%2Fopenvpn.git Deprecate ncp-disable and add improved ncp to Changes.rst Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20200709101603.11941-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20257.html Signed-off-by: Gert Doering --- diff --git a/Changes.rst b/Changes.rst index 00dd6ed89..42f0d190b 100644 --- a/Changes.rst +++ b/Changes.rst @@ -13,6 +13,24 @@ ChaCha20-Poly1305 cipher support Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN data channel. +Improved Data channel cipher negotiation + OpenVPN clients will now signal all supported ciphers from the + ``ncp-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN + servers will select the first common cipher from the ``ncp-ciphers`` + list instead of blindly pushing the first cipher of the list. This + allows to use a configuration like + ``ncp-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that + prefers ChaCha20-Poly1305 but uses it only if the client supports it. + +Deprecated features +------------------- +For an up-to-date list of all deprecated options, see this wiki page: +https://community.openvpn.net/openvpn/wiki/DeprecatedOptions + +- ``ncp-disable`` has been deprecated + With the improved and matured data channel cipher negotiation, the use + of ``ncp-disable`` should not be necessary anymore. + Overview of changes in 2.4 ========================== diff --git a/src/openvpn/options.c b/src/openvpn/options.c index a72b677a9..b93fd4fec 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -545,7 +545,7 @@ static const char usage_message[] = " (default=%s).\n" " Set alg=none to disable encryption.\n" "--ncp-ciphers list : List of ciphers that are allowed to be negotiated.\n" - "--ncp-disable : Disable cipher negotiation.\n" + "--ncp-disable : (DEPRECATED) Disable cipher negotiation.\n" "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n" " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n" #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH @@ -7904,6 +7904,9 @@ add_option(struct options *options, { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE); options->ncp_enabled = false; + msg(M_WARN, "DEPRECATED OPTION: ncp-disable. Disabling dynamic " + "cipher negotiation is a deprecated debug feature that " + "will be removed in OpenVPN 2.6"); } else if (streq(p[0], "prng") && p[1] && !p[3]) {
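Review bot: In the Changes.rst hunk, the new "Deprecated features" entry for ``ncp-disable`` does not say when the option will be removed, while the warning added in options.c states that it "will be removed in OpenVPN 2.6". Put the removal release in the Changes.rst entry as well, and point readers at ``ncp-ciphers`` as the option to configure instead, so operators who read the changelog but never see the log line get the same information. Minor wording in the same hunk: "This allows to use a configuration like" reads better as "This allows a configuration like".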
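Review bot: In the usage_message hunk of src/openvpn/options.c, the "(DEPRECATED)" marker is added only to the --help text, and the patch touches Changes.rst and options.c and nothing else. The manual page description of --ncp-disable should carry the same marker in this commit or a follow-up, otherwise the three places a user looks (help output, man page, changelog) disagree about the option's status.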
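Review bot: In the add_option hunk of src/openvpn/options.c, the new msg(M_WARN, ...) tells the user that ncp-disable is deprecated and will be removed, but not what to do about it. Suggest ending the message with a pointer to ``ncp-ciphers`` so that a configuration that currently disables negotiation has a migration path before 2.6. Two smaller points: the message calls this a "deprecated debug feature", which the Changes.rst entry does not, so pick one description and use it in both places; and the branch is permitted under OPT_P_INSTANCE as well as OPT_P_GENERAL, so it is worth checking that the warning does not repeat each time per-instance options are parsed.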