From: Steffan Karger Date: Sat, 1 Jul 2017 11:29:51 +0000 (+0200) Subject: Deprecate --keysize X-Git-Tag: v2.5_beta1~612 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ad178f01444d61e48fca83c4f0bc5d82270cee87;p=thirdparty%2Fopenvpn.git Deprecate --keysize The --keysize option can only be used with already deprecated ciphers, such as CAST5, RC2 or BF. Deviating from the default keysize is generally not a good idea (see man page text), and otherwise only complicates our code. Since we will also remove the support for weak ciphers (ciphers with cipher block length less than 128 bits) in OpenVPN 2.6 as well, we start the deprecation of this option instantly. [DS: Slightly amended the patch, referencing OpenVPN 2.6 and added a few more details to Changes.rst and the commit message] Signed-off-by: Steffan Karger Acked-by: David Sommerseth Message-Id: <20170701112951.19119-1-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15004.html Signed-off-by: David Sommerseth --- diff --git a/Changes.rst b/Changes.rst index 0b2b04ddb..4358f78b9 100644 --- a/Changes.rst +++ b/Changes.rst @@ -178,6 +178,9 @@ Deprecated features - ``--no-iv`` is deprecated in 2.4 and will be removed in 2.5. +- ``--keysize`` is deprecated and will be removed in v2.6 together + with the support of ciphers with cipher block size less than 128 bits. + User-visible Changes -------------------- diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 20bdd91b3..056ae1456 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4217,6 +4217,9 @@ negotiation. .\"********************************************************* .TP .B \-\-keysize n +.B DEPRECATED +This option will be removed in OpenVPN 2.6. + Size of cipher key in bits (optional). If unspecified, defaults to cipher-specific default. The .B \-\-show\-ciphers diff --git a/src/openvpn/options.c b/src/openvpn/options.c index c4bd8cbaf..ef7009c1e 100644 --- a/src/openvpn/options.c 
+++ b/src/openvpn/options.c @@ -2484,6 +2484,11 @@ options_postprocess_verify_ce(const struct options *options, const struct connec msg(M_USAGE, "NCP cipher list contains unsupported ciphers."); } + if (options->keysize) + { + msg(M_WARN, "WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6"); + } + /* * Check consistency of replay options */
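Review bot: in the Changes.rst hunk, the new entry writes the version as "v2.6" while the neighbouring entry for ``--no-iv`` writes "2.4" and "2.5" without the "v" prefix; drop the prefix so the deprecation list stays consistent, e.g. "``--keysize`` is deprecated and will be removed in 2.6 together with ...". It would also help readers to state, as the commit message does, that the option only ever applied to ciphers that are themselves deprecated.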
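Review bot: in the doc/openvpn.8 hunk, the added ".B DEPRECATED" sits directly after the ".B \-\-keysize n" tag line of the .TP block, and the following text line "This option will be removed in OpenVPN 2.6." is in fill mode, so roff will render it joined onto the same output line as the bold DEPRECATED; if a line break is wanted after the marker, add a ".br" (or put the sentence in the same request). The bare empty line that follows produces a blank output line; the file's existing paragraph requests (".PP") are the usual way to separate the note from "Size of cipher key in bits (optional)." unless empty source lines are already the convention in this file.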
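Review bot: in the src/openvpn/options.c hunk, the new check lives in options_postprocess_verify_ce(), which takes a connection entry and is run once per entry, while options->keysize is a global option; a configuration with several <connection> blocks will therefore log the same "WARNING: --keysize is DEPRECATED" line once per entry. Consider moving the check to the non-per-entry part of options postprocessing (or guarding it so it fires once) so the deprecation notice appears a single time. The condition "if (options->keysize)" correctly treats 0 as "not set", matching the man page text that an unspecified keysize falls back to the cipher default, so no behaviour changes for existing configurations.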