From f4f92cc589b5fc473b83c9e9e109a414fa6102ca Mon Sep 17 00:00:00 2001
From: Arne Schwabe <arne@rfc2549.org>
Date: Thu, 15 Dec 2022 20:01:43 +0100
Subject: [PATCH] Deprecate NTLMv1 proxy auth method.

NTLMv1 is ancient and not considered secure anymore and we are not
aware of any users or software still requiring this feature.

Additionally it currently depends on our "doing single DES using
3DES" workaround for OpenSSL (cipher_des_encrypt_ecb). So removing
NTLMv1 will also allow us to remove that workaround.

Reported-By: Trial of Bits (TOB-OVPN-7)
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221215190143.2107896-9-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25731.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e005b8d1fda1ad1e26fe0dbe7e09184a1f19b553)
---
 src/openvpn/proxy.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index ed7201616..633caee09 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -519,6 +519,8 @@ http_proxy_new(const struct http_proxy_options *o)
 #if NTLM
         else if (!strcmp(o->auth_method_string, "ntlm"))
         {
+            msg(M_INFO, "NTLM v1 authentication is deprecated and will be removed in "
+                "OpenVPN 2.7");
             p->auth_method = HTTP_AUTH_NTLM;
         }
         else if (!strcmp(o->auth_method_string, "ntlm2"))
-- 
2.47.2