From: Steffan Karger Date: Sat, 1 Jul 2017 11:22:08 +0000 (+0200) Subject: Deprecate --no-replay X-Git-Tag: v2.4.4~25 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e3da00918d2dd99c116f6da1a14a2a73b72829f4;p=thirdparty%2Fopenvpn.git Deprecate --no-replay Following the removal of --no-iv, and as suggested by both recent audits (and done by OpenVPN-NL for 7 years now), it's time to get rid of the --no-replay option. The only valid use case I can imagine is to slightly reduce the per-packet overhead for setups that do not use any authentication mechanism, but I do not believe that warrants keeping an option around that generally reduces security and makes our code more complex. Signed-off-by: Steffan Karger Acked-by: David Sommerseth Message-Id: <20170701112208.18803-1-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15003.html Signed-off-by: David Sommerseth --- diff --git a/Changes.rst b/Changes.rst index 3d758f2ea..7d1912b5a 100644 --- a/Changes.rst +++ b/Changes.rst @@ -310,6 +310,14 @@ Maintainer-visible changes +Version 2.4.4 +============= + +Deprecated features +------------------- +- ``--no-replay`` is deprecated and will be removed in OpenVPN 2.5. + + Version 2.4.3 ============= diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 8170164b0..c98d94bf1 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4261,6 +4261,9 @@ supported by OpenSSL. .\"********************************************************* .TP .B \-\-no\-replay +.B DEPRECATED +This option will be removed in OpenVPN 2.5. + (Advanced) Disable OpenVPN's protection against replay attacks. Don't use this option unless you are prepared to make a tradeoff of greater efficiency in exchange for less diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2b096eb03..ee53adfe8 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -545,7 +545,7 @@ static const char usage_message[] = #ifndef ENABLE_CRYPTO_MBEDTLS "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n" #endif - "--no-replay : Disable replay protection.\n" + "--no-replay : (DEPRECATED) Disable replay protection.\n" "--mute-replay-warnings : Silence the output of replay warnings to log file.\n" "--replay-window n [t] : Use a replay protection sliding window of size n\n" " and a time window of t seconds.\n" @@ -2500,6 +2500,11 @@ options_postprocess_verify_ce(const struct options *options, const struct connec msg(M_WARN, "WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6"); } + if (!options->replay) + { + msg(M_WARN, "WARNING: --no-replay is DEPRECATED and will be removed in OpenVPN 2.5"); + } + /* * Check consistency of replay options */
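Review bot: the new Changes.rst bullet under ``Deprecated features`` names the removal version but gives users nothing to act on. Since ``--no-replay`` only switches off protection that is otherwise on (the usage text below describes it as "Disable replay protection"), the whole migration is to delete the line from the config; one extra sentence in the bullet would save people a trip to the mailing list, e.g. ``Replay protection is on by default; remove the option from configurations that still set it.``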
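Review bot: in the doc/openvpn.8 hunk, the new ``.B DEPRECATED`` / "This option will be removed in OpenVPN 2.5." lines are immediately followed by the unchanged advice "Don't use this option unless you are prepared to make a tradeoff of greater efficiency in exchange for less", which still presents the option as a supported trade-off. Consider tightening the surviving paragraph so it does not read as an invitation once the deprecation notice sits above it, for example by stating that the option exists only for backwards compatibility and will go away.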
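Review bot: the usage_message hunk marks the option ``(DEPRECATED)`` but, unlike the runtime warning and the man page in the same patch, does not say when it goes away. If the column width allows, ``"--no-replay : (DEPRECATED) Disable replay protection; removed in 2.5.\n"`` keeps the three places consistent; otherwise the current text is fine as a minimal marker.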
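Review bot: the new ``if (!options->replay)`` warning lives in ``options_postprocess_verify_ce``, whose second parameter is a connection entry (``const struct connec...`` in the hunk header), so please check whether the message is printed once per ``<connection>`` block for multi-remote configs rather than once per run. The ``--keysize`` warning directly above follows the same pattern, so the placement is at least consistent; if the repetition does occur, both warnings could move to the caller that runs once per options struct.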