We have quite a list of deprecated options currently.  Ensure this
is highlighted both in documentation and code.

This patch builds on the wiki page [1] listing all deprecated features
and their status.  There are also some options not listed here, as
there exist patches in release/2.4 which await an update for git master.

Signed-off-by: David Sommerseth <dav...@openvpn.net>
---
 Changes.rst           | 15 ++++++++++
 doc/openvpn.8         | 78 ++++++++++++++++++++++++++++++++++-----------------
 src/openvpn/options.c | 16 ++++++-----
 3 files changed, 77 insertions(+), 32 deletions(-)

diff --git a/Changes.rst b/Changes.rst
index 4358f78b..74d038a0 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -161,6 +161,9 @@ Asynchronous push reply
 
 Deprecated features
 -------------------
+For an up-to-date list of all deprecated options, see this wiki page:
+https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
+
 - ``--key-method 1`` is deprecated in 2.4 and will be removed in 2.5.  Migrate
   away from ``--key-method 1`` as soon as possible.  The recommended approach
   is to remove the ``--key-method`` option from the configuration files, 
OpenVPN
@@ -181,6 +184,18 @@ Deprecated features
 - ``--keysize`` is deprecated and will be removed in v2.6 together
   with the support of ciphers with cipher block size less than 128 bits.
 
+- ``--comp-lzo`` is deprecated in OpenVPN 2.4.  Use ``--compress`` instead.
+
+- ``--ifconfig-pool-linear`` has been deprecated since OpenVPN 2.1 and will be
+  removed in v2.5.  Use ``--topology p2p`` instead.
+
+- ``--client-cert-not-required`` is deprecated in OpenVPN 2.4 and will be 
removed
+  in v2.5.  Use ``--verify-client-cert none`` for a functional equivalent.
+
+- ``--ns-cert-type`` is deprecated in OpenVPN 2.3.18 and v2.4.  It will be 
removed
+  in v2.5.  Use the far better ``--remote-cert-tls`` option which replaces this
+  feature.
+
 
 User-visible Changes
 --------------------
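Review bot: the added trailing blank line (the lone `+` line just before the existing empty line) leaves two blank lines in front of the "User-visible Changes" heading; drop one. Version naming also alternates within the same list between "v2.5" and "OpenVPN 2.5" (the --ifconfig-pool-linear entry says "removed in v2.5", the man page hunks say "OpenVPN 2.5"); pick one form. Several options that the openvpn.8 hunks in this patch mark DEPRECATED (--no-replay, --compat-names, --no-name-remapping) have no entry in this list; if they are deferred on purpose, as the cover text suggests, say so in one line next to the wiki pointer so readers do not assume they are still supported.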
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 056ae145..5da29300 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -769,7 +769,8 @@ Only use
 when none of the connecting clients are Windows systems.  This mode
 is functionally equivalent to the
 .B \-\-ifconfig\-pool\-linear
-directive which is available in OpenVPN 2.0 and is now deprecated.
+directive which is available in OpenVPN 2.0, is deprecated and will be
+removed in OpenVPN 2.5
 
 .B subnet \-\-
 Use a subnet rather than a point-to-point topology by
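Review bot: the new sentence ends without a full stop ("removed in OpenVPN 2.5") while the surrounding paragraph is punctuated; add the period. "which is available in OpenVPN 2.0, is deprecated and will be removed" also reads awkwardly; "which was introduced in OpenVPN 2.0, is now deprecated, and will be removed in OpenVPN 2.5." is clearer.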
@@ -2485,15 +2486,17 @@ setting to be pushed later.
 .\"*********************************************************
 .TP
 .B \-\-comp\-lzo [mode]
+.B DEPRECATED
+This option will be removed in a future OpenVPN release.  Use the
+newer
+.B \-\-compress
+instead.
+
 Use LZO compression -- may add up to 1 byte per
 packet for incompressible data.
 .B mode
 may be "yes", "no", or "adaptive" (default).
 
-This option is deprecated in favor of the newer
-.B --compress
-option.
-
 In a server mode setup, it is possible to selectively turn
 compression on or off for individual clients.
 
@@ -3106,9 +3109,13 @@ a common name and IP address.  They do not guarantee 
that the given common
 name will always receive the given IP address.  If you want guaranteed
 assignment, use
 .B \-\-ifconfig\-push
+
 .\"*********************************************************
 .TP
 .B \-\-ifconfig\-pool\-linear
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5
+
 Modifies the
 .B \-\-ifconfig\-pool
 directive to
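Review bot: the DEPRECATED line names no replacement, whereas the options.c warning added in this same patch tells the user to use --topology p2p instead; add "Use \-\-topology p2p instead." here as well so the man page and the runtime warning agree, and terminate the sentence with a period as the --no-iv and --no-replay entries do.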
@@ -3671,15 +3678,16 @@ to empty strings ("").  The authentication 
module/script MUST have logic
 to detect this condition and respond accordingly.
 .\"*********************************************************
 .TP
-.B \-\-client\-cert\-not\-required (DEPRECATED)
+.B \-\-client\-cert\-not\-required
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5
+
 Don't require client certificate, client will authenticate
 using username/password only.  Be aware that using this directive
 is less secure than requiring certificates from all clients.
 
-
 .B Please note:
-This option is now deprecated and will be removed in OpenVPN v2.5.
-It is replaced by
+This is replaced by
 .B \-\-verify\-client\-cert
 which allows for more flexibility. The option
 .B \-\-verify\-client\-cert none
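Review bot: with the deprecation sentence moved into the new header, the "Please note:" paragraph now opens with "This is replaced by", which has lost its antecedent; "This option is replaced by" keeps it readable. The header line "This option will be removed in OpenVPN 2.5" is also missing its period.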
@@ -3744,7 +3752,10 @@ the authenticated username as the common name,
 rather than the common name from the client cert.
 .\"*********************************************************
 .TP
-.B \-\-compat\-names [no\-remapping] (DEPRECATED)
+.B \-\-compat\-names [no\-remapping]
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5
+
 Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted
 like this:
 .IP
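Review bot: missing period after "This option will be removed in OpenVPN 2.5"; the identical sentence in the --no-iv and --no-replay entries is terminated, so the inconsistency shows when the entries are read side by side.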
@@ -3792,7 +3803,10 @@ to make the transition to the new formatting less 
intrusive.  It will be
 removed in OpenVPN v2.5.  So please update your scripts/plug-ins where 
necessary.
 .\"*********************************************************
 .TP
-.B \-\-no\-name\-remapping (DEPRECATED)
+.B \-\-no\-name\-remapping
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5
+
 The
 .B \-\-no\-name\-remapping
 option is an alias for
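Review bot: the context at the top of this hunk, the tail of the --compat-names description, still says "It will be removed in OpenVPN v2.5", so after this patch the --compat-names entry states the removal twice with two version spellings ("OpenVPN 2.5" in the new header, "OpenVPN v2.5" in the body); keep one. The same missing-period issue as in the other new headers applies to "This option will be removed in OpenVPN 2.5" here.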
@@ -4150,13 +4164,29 @@ For more information on HMAC see
 .B \-\-cipher alg
 Encrypt data channel packets with cipher algorithm
 .B alg.
+
 The default is
 .B BF-CBC,
-an abbreviation for Blowfish in Cipher Block Chaining mode.
+an abbreviation for Blowfish in Cipher Block Chaining mode.  When cipher
+negotiation (NCP) is allowed, OpenVPN 2.4 and newer on both client and server
+side will automatically upgrade to
+.B AES-256-GCM.
+See
+.B \-\-ncp\-ciphers
+and
+.B \-\-ncp\-disable
+for more details on NCP.
 
-Using BF-CBC is no longer recommended, because of it's 64-bit block size.  This
+Using
+.B BF-CBC
+is no longer recommended, because of its 64-bit block size.  This
 small block size allows attacks based on collisions, as demonstrated by 
SWEET32.
-See https://community.openvpn.net/openvpn/wiki/SWEET32 for details.
+See https://community.openvpn.net/openvpn/wiki/SWEET32 for details.  Due to
+this, support for
+.B BF-CBC, DES, CAST5, IDEA
+and
+.B RC2
+ciphers will be removed in OpenVPN 2.6.
 
 To see other ciphers that are available with OpenVPN, use the
 .B \-\-show\-ciphers
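Review bot: "will automatically upgrade to AES-256-GCM" states the result of the default --ncp-ciphers list as if it were unconditional; the negotiated cipher is whatever the client's and server's --ncp-ciphers lists have in common, so phrase it as "will upgrade to the first cipher common to both --ncp-ciphers lists, AES-256-GCM by default" so an administrator who has changed --ncp-ciphers is not misled about what the data channel ends up using. The line ".B BF-CBC, DES, CAST5, IDEA" also bolds the commas; either use \fB...\fR around each name or take the commas out of the bold run. The 2.6 removal statement agrees with the --keysize entry in Changes.rst, which is good.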
@@ -4166,14 +4196,6 @@ Set
 .B alg=none
 to disable encryption.
 
-As of OpenVPN 2.4, cipher negotiation (NCP) can override the cipher specified 
by
-.B \-\-cipher\fR.
-See
-.B \-\-ncp\-ciphers
-and
-.B \-\-ncp\-disable
-for more on NCP.
-
 .\"*********************************************************
 .TP
 .B \-\-ncp\-ciphers cipher_list
@@ -4260,6 +4282,9 @@ supported by OpenSSL.
 .\"*********************************************************
 .TP
 .B \-\-no\-replay
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5.
+
 (Advanced) Disable OpenVPN's protection against replay attacks.
 Don't use this option unless you are prepared to make
 a tradeoff of greater efficiency in exchange for less
@@ -4423,7 +4448,6 @@ This option only makes sense when replay protection is 
enabled
 .\"*********************************************************
 .TP
 .B \-\-no\-iv
-
 .B DEPRECATED
 This option will be removed in OpenVPN 2.5.
 
@@ -4823,6 +4847,9 @@ Certificate Store GUI.
 .\"*********************************************************
 .TP
 .B \-\-key\-method m
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5
+
 Use data channel key negotiation method
 .B m.
 The key method must match on both sides of the connection.
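Review bot: the DEPRECATED header here covers the whole --key-method option, while the Changes.rst entry earlier in this patch deprecates only "--key-method 1" and recommends removing the option so that the default applies. Make the man page say which it is, e.g. "Key method 1 is DEPRECATED and will be removed in OpenVPN 2.5; omit this option to use the current default." The header sentence is also missing its period.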
@@ -5379,8 +5406,9 @@ as X509_<depth>_<attribute>=<value>.  Multiple
 options can be defined to track multiple attributes.
 .\"*********************************************************
 .TP
-.B \-\-ns\-cert\-type client|server (DEPRECATED)
-This option is deprecated.  Use the more modern equivalent
+.B \-\-ns\-cert\-type client|server
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5.  Use the more modern equivalent
 .B \-\-remote\-cert\-tls
 instead.  This option will be removed in OpenVPN 2.5.
 
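Review bot: "This option will be removed in OpenVPN 2.5" now appears twice in the --ns-cert-type entry, once in the new header line and again as the retained last sentence of the old text ("instead.  This option will be removed in OpenVPN 2.5."); drop the trailing one.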
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index ef7009c1..860bc859 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -415,8 +415,9 @@ static const char usage_message[] =
     "                  client instance.\n"
     "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
     "                  to be dynamically allocated to connecting clients.\n"
-    "--ifconfig-pool-linear : Use individual addresses rather than /30 
subnets\n"
-    "                  in tun mode.  Not compatible with Windows clients.\n"
+    "--ifconfig-pool-linear : (DEPRECATED) Use individual addresses rather \n"
+    "                  than /30 subnets\n in tun mode.  Not compatible with\n"
+    "                  Windows clients.\n"
     "--ifconfig-pool-persist file [seconds] : Persist/unpersist 
ifconfig-pool\n"
     "                  data to file, at seconds intervals (default=600).\n"
     "                  If seconds=0, file will be treated as read-only.\n"
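Review bot: the rewrapped usage string has a stray "\n" in the middle of its second line ("than /30 subnets\n in tun mode."), which will print " in tun mode.  Not compatible with" as a separate line that starts with a space and lacks the 18-column indent, and the first line ends with "rather \n", carrying a trailing space into the output. Suggest: "--ifconfig-pool-linear : (DEPRECATED) Use individual addresses rather\n" / "                  than /30 subnets in tun mode.  Not compatible with\n" / "                  Windows clients.\n".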
@@ -434,7 +435,7 @@ static const char usage_message[] =
     "                  Only valid in a client-specific config file.\n"
     "--disable       : Client is disabled.\n"
     "                  Only valid in a client-specific config file.\n"
-    "--client-cert-not-required : Don't require client certificate, client\n"
+    "--client-cert-not-required : (DEPRECATED) Don't require client 
certificate, client\n"
     "                  will authenticate using username/password.\n"
     "--verify-client-cert [none|optional|require] : perform no, optional or\n"
     "                  mandatory client certificate verification.\n"
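Review bot: inserting "(DEPRECATED)" pushes the first line of the --client-cert-not-required entry past the width the surrounding usage lines keep to (roughly 80 columns on the terminal), so --help output will wrap mid-word on narrow terminals; rewrap as "--client-cert-not-required : (DEPRECATED) Don't require client\n" / "                  certificate, client will authenticate using\n" / "                  username/password.\n".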
@@ -455,7 +456,7 @@ static const char usage_message[] =
     "                  with those of the server will be disconnected.\n"
     "--auth-user-pass-optional : Allow connections by clients that don't\n"
     "                  specify a username/password.\n"
-    "--no-name-remapping : Allow Common Name and X509 Subject to include\n"
+    "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to 
include\n"
     "                      any printable character.\n"
     "--client-to-client : Internally route client-to-client traffic.\n"
     "--duplicate-cn  : Allow multiple clients with the same common name to\n"
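Review bot: same overlong first line as in the --client-cert-not-required hunk; move "include" (or "Subject to include") down to the continuation line so the entry stays within the width of its neighbours.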
@@ -539,13 +540,13 @@ static const char usage_message[] =
     "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
     "                   nonce_secret_len=nsl.  Set alg=none to disable PRNG.\n"
 #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
-    "--keysize n     : Size of cipher key in bits (optional).\n"
+    "--keysize n     : (DEPRECATED) Size of cipher key in bits (optional).\n"
     "                  If unspecified, defaults to cipher-specific default.\n"
 #endif
 #ifndef ENABLE_CRYPTO_MBEDTLS
     "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
 #endif
-    "--no-replay     : Disable replay protection.\n"
+    "--no-replay     : (DEPRECATED) Disable replay protection.\n"
     "--mute-replay-warnings : Silence the output of replay warnings to log 
file.\n"
     "--replay-window n [t]  : Use a replay protection sliding window of size 
n\n"
     "                         and a time window of t seconds.\n"
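Review bot: --keysize is tagged "(DEPRECATED)" in the usage text, but no hunk in this patch adds a DEPRECATED header to the --keysize entry in doc/openvpn.8, while --no-replay gets both; if the man page entry for --keysize already carries the marker from an earlier commit, fine, otherwise add it so the two sources stay in step (the Changes.rst entry for --keysize names 2.6 as the removal version, which the man page should repeat).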
@@ -563,7 +564,7 @@ static const char usage_message[] =
     "(These options are meaningful only for TLS-mode)\n"
     "--tls-server    : Enable TLS and assume server role during TLS 
handshake.\n"
     "--tls-client    : Enable TLS and assume client role during TLS 
handshake.\n"
-    "--key-method m  : Data channel key exchange method.  m should be a 
method\n"
+    "--key-method m  : (DEPRECATED) Data channel key exchange method.  m 
should be a method\n"
     "                  number, such as 1 (default), 2, etc.\n"
     "--ca file       : Certificate authority file in .pem format containing\n"
     "                  root certificate.\n"
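Review bot: overlong first line again ("--key-method m  : (DEPRECATED) Data channel key exchange method.  m should be a method\n"); move "m should be a method" to the continuation line. It would also help to say "(DEPRECATED: method 1)" if, as the Changes.rst entry indicates, only key method 1 is going away.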
@@ -6570,6 +6571,7 @@ add_option(struct options *options,
     {
         VERIFY_PERMISSION(OPT_P_GENERAL);
         options->topology = TOP_P2P;
+        msg(M_WARN, "DEPRECATED OPTION: --ifconfig-pool-linear, use --topology 
p2p instead");
     }
     else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2])
     {
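Review bot: --ifconfig-pool-linear is the only deprecated option that gets a runtime msg(M_WARN) in this patch; the "(DEPRECATED)" tags in usage_message are only seen by someone who runs --help, so a user whose existing configuration still carries --no-replay, --client-cert-not-required, --ns-cert-type or --key-method 1 gets no signal at startup, and those are the ones with the largest security impact. Add the same "DEPRECATED OPTION: ..." warning in each of those add_option() branches, and include the planned removal version in the message text so it matches the man page.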
-- 
2.11.0

