We have quite a list of deprecated options currently. Ensure this
is highlighted both in documentation and code.
This patch builds on the wiki page [1] listing all deprecated features
and their status. There are also some options not listed here, as
there exist patches in release/2.4 which await an update for git master.
[1] https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20170815215451.21662-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15261.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
... | ... |
@@ -161,6 +161,9 @@ Asynchronous push reply |
161 | 161 |
|
162 | 162 |
Deprecated features |
163 | 163 |
------------------- |
164 |
+For an up-to-date list of all deprecated options, see this wiki page: |
|
165 |
+https://community.openvpn.net/openvpn/wiki/DeprecatedOptions |
|
166 |
+ |
|
164 | 167 |
- ``--key-method 1`` is deprecated in 2.4 and will be removed in 2.5. Migrate |
165 | 168 |
away from ``--key-method 1`` as soon as possible. The recommended approach |
166 | 169 |
is to remove the ``--key-method`` option from the configuration files, OpenVPN |
... | ... |
@@ -181,6 +184,18 @@ Deprecated features |
181 | 181 |
- ``--keysize`` is deprecated and will be removed in v2.6 together |
182 | 182 |
with the support of ciphers with cipher block size less than 128 bits. |
183 | 183 |
|
184 |
+- ``--comp-lzo`` is deprecated in OpenVPN 2.4. Use ``--compress`` instead. |
|
185 |
+ |
|
186 |
+- ``--ifconfig-pool-linear`` has been deprecated since OpenVPN 2.1 and will be |
|
187 |
+ removed in v2.5. Use ``--topology p2p`` instead. |
|
188 |
+ |
|
189 |
+- ``--client-cert-not-required`` is deprecated in OpenVPN 2.4 and will be removed |
|
190 |
+ in v2.5. Use ``--verify-client-cert none`` for a functional equivalent. |
|
191 |
+ |
|
192 |
+- ``--ns-cert-type`` is deprecated in OpenVPN 2.3.18 and v2.4. It will be removed |
|
193 |
+ in v2.5. Use the far better ``--remote-cert-tls`` option which replaces this |
|
194 |
+ feature. |
|
195 |
+ |
|
184 | 196 |
|
185 | 197 |
User-visible Changes |
186 | 198 |
-------------------- |
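Review bot: --no-replay, --compat-names and --no-name-remapping are marked DEPRECATED in the man page and usage text elsewhere in this patch (and --no-iv already carries a DEPRECATED marker), but none of them is added to this "Deprecated features" list; only --comp-lzo, --ifconfig-pool-linear, --client-cert-not-required and --ns-cert-type are. If the omission is deliberate because those entries are pending the release/2.4 patches mentioned in the commit message, a short note to that effect next to the wiki link would stop readers from treating this list as complete.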
... | ... |
@@ -769,7 +769,8 @@ Only use |
769 | 769 |
when none of the connecting clients are Windows systems. This mode |
770 | 770 |
is functionally equivalent to the |
771 | 771 |
.B \-\-ifconfig\-pool\-linear |
772 |
-directive which is available in OpenVPN 2.0 and is now deprecated. |
|
772 |
+directive which is available in OpenVPN 2.0, is deprecated and will be |
|
773 |
+removed in OpenVPN 2.5 |
|
773 | 774 |
|
774 | 775 |
.B subnet \-\- |
775 | 776 |
Use a subnet rather than a point-to-point topology by |
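Review bot: the new sentence "directive which is available in OpenVPN 2.0, is deprecated and will be removed in OpenVPN 2.5" is a comma splice and drops the final period. Suggest "directive, which has been available since OpenVPN 2.0 but is deprecated and will be removed in OpenVPN 2.5." so it reads as one sentence and matches the punctuation of the surrounding text.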
... | ... |
@@ -2485,15 +2486,17 @@ setting to be pushed later. |
2485 | 2485 |
.\"********************************************************* |
2486 | 2486 |
.TP |
2487 | 2487 |
.B \-\-comp\-lzo [mode] |
2488 |
+.B DEPRECATED |
|
2489 |
+This option will be removed in a future OpenVPN release. Use the |
|
2490 |
+newer |
|
2491 |
+.B \-\-compress |
|
2492 |
+instead. |
|
2493 |
+ |
|
2488 | 2494 |
Use LZO compression -- may add up to 1 byte per |
2489 | 2495 |
packet for incompressible data. |
2490 | 2496 |
.B mode |
2491 | 2497 |
may be "yes", "no", or "adaptive" (default). |
2492 | 2498 |
|
2493 |
-This option is deprecated in favor of the newer |
|
2494 |
-.B --compress |
|
2495 |
-option. |
|
2496 |
- |
|
2497 | 2499 |
In a server mode setup, it is possible to selectively turn |
2498 | 2500 |
compression on or off for individual clients. |
2499 | 2501 |
|
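Review bot: "This option will be removed in a future OpenVPN release" is vaguer than the other DEPRECATED markers added in this patch, which name OpenVPN 2.5 or 2.6. If a target release for dropping --comp-lzo has been decided, state it here so administrators can plan the move to --compress; if not, consider saying so explicitly ("no removal release has been set yet").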
... | ... |
@@ -3106,9 +3109,13 @@ a common name and IP address. They do not guarantee that the given common |
3106 | 3106 |
name will always receive the given IP address. If you want guaranteed |
3107 | 3107 |
assignment, use |
3108 | 3108 |
.B \-\-ifconfig\-push |
3109 |
+ |
|
3109 | 3110 |
.\"********************************************************* |
3110 | 3111 |
.TP |
3111 | 3112 |
.B \-\-ifconfig\-pool\-linear |
3113 |
+.B DEPRECATED |
|
3114 |
+This option will be removed in OpenVPN 2.5 |
|
3115 |
+ |
|
3112 | 3116 |
Modifies the |
3113 | 3117 |
.B \-\-ifconfig\-pool |
3114 | 3118 |
directive to |
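Review bot: "This option will be removed in OpenVPN 2.5" is missing its terminating period, unlike the otherwise identical --no-replay marker added later in this patch. Since this line is also where the man page should direct users to the replacement, suggest "This option will be removed in OpenVPN 2.5. Use --topology p2p instead." to mirror the Changes.rst entry and the runtime warning.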
... | ... |
@@ -3671,15 +3678,16 @@ to empty strings (""). The authentication module/script MUST have logic |
3671 | 3671 |
to detect this condition and respond accordingly. |
3672 | 3672 |
.\"********************************************************* |
3673 | 3673 |
.TP |
3674 |
-.B \-\-client\-cert\-not\-required (DEPRECATED) |
|
3674 |
+.B \-\-client\-cert\-not\-required |
|
3675 |
+.B DEPRECATED |
|
3676 |
+This option will be removed in OpenVPN 2.5 |
|
3677 |
+ |
|
3675 | 3678 |
Don't require client certificate, client will authenticate |
3676 | 3679 |
using username/password only. Be aware that using this directive |
3677 | 3680 |
is less secure than requiring certificates from all clients. |
3678 | 3681 |
|
3679 |
- |
|
3680 | 3682 |
.B Please note: |
3681 |
-This option is now deprecated and will be removed in OpenVPN v2.5. |
|
3682 |
-It is replaced by |
|
3683 |
+This is replaced by |
|
3683 | 3684 |
.B \-\-verify\-client\-cert |
3684 | 3685 |
which allows for more flexibility. The option |
3685 | 3686 |
.B \-\-verify\-client\-cert none |
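Review bot: same punctuation point as the other markers: "This option will be removed in OpenVPN 2.5" lacks a period. The rewrite of the "Please note" paragraph to "This is replaced by --verify-client-cert" is otherwise an improvement, and keeping the "less secure than requiring certificates from all clients" warning directly under the DEPRECATED marker is the right emphasis.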
... | ... |
@@ -3744,7 +3752,10 @@ the authenticated username as the common name, |
3744 | 3744 |
rather than the common name from the client cert. |
3745 | 3745 |
.\"********************************************************* |
3746 | 3746 |
.TP |
3747 |
-.B \-\-compat\-names [no\-remapping] (DEPRECATED) |
|
3747 |
+.B \-\-compat\-names [no\-remapping] |
|
3748 |
+.B DEPRECATED |
|
3749 |
+This option will be removed in OpenVPN 2.5 |
|
3750 |
+ |
|
3748 | 3751 |
Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted |
3749 | 3752 |
like this: |
3750 | 3753 |
.IP |
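Review bot: the added "This option will be removed in OpenVPN 2.5" duplicates the sentence already at the end of the --compat-names description ("It will be removed in OpenVPN v2.5. So please update your scripts/plug-ins where necessary.", visible as the context at the top of the next hunk). Either drop the older sentence or turn the new marker into a pointer to it, so the section does not state the removal twice with differing version formatting ("2.5" vs "v2.5").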
... | ... |
@@ -3792,7 +3803,10 @@ to make the transition to the new formatting less intrusive. It will be |
3792 | 3792 |
removed in OpenVPN v2.5. So please update your scripts/plug-ins where necessary. |
3793 | 3793 |
.\"********************************************************* |
3794 | 3794 |
.TP |
3795 |
-.B \-\-no\-name\-remapping (DEPRECATED) |
|
3795 |
+.B \-\-no\-name\-remapping |
|
3796 |
+.B DEPRECATED |
|
3797 |
+This option will be removed in OpenVPN 2.5 |
|
3798 |
+ |
|
3796 | 3799 |
The |
3797 | 3800 |
.B \-\-no\-name\-remapping |
3798 | 3801 |
option is an alias for |
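Review bot: "This option will be removed in OpenVPN 2.5" needs a period. Since the following text explains that --no-name-remapping is an alias for --compat-names, consider adding a pointer to the --compat-names entry so the longer deprecation rationale is not repeated here.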
... | ... |
@@ -4150,13 +4164,29 @@ For more information on HMAC see |
4150 | 4150 |
.B \-\-cipher alg |
4151 | 4151 |
Encrypt data channel packets with cipher algorithm |
4152 | 4152 |
.B alg. |
4153 |
+ |
|
4153 | 4154 |
The default is |
4154 | 4155 |
.B BF-CBC, |
4155 |
-an abbreviation for Blowfish in Cipher Block Chaining mode. |
|
4156 |
+an abbreviation for Blowfish in Cipher Block Chaining mode. When cipher |
|
4157 |
+negotiation (NCP) is allowed, OpenVPN 2.4 and newer on both client and server |
|
4158 |
+side will automatically upgrade to |
|
4159 |
+.B AES-256-GCM. |
|
4160 |
+See |
|
4161 |
+.B \-\-ncp\-ciphers |
|
4162 |
+and |
|
4163 |
+.B \-\-ncp\-disable |
|
4164 |
+for more details on NCP. |
|
4156 | 4165 |
|
4157 |
-Using BF-CBC is no longer recommended, because of it's 64-bit block size. This |
|
4166 |
+Using |
|
4167 |
+.B BF-CBC |
|
4168 |
+is no longer recommended, because of its 64-bit block size. This |
|
4158 | 4169 |
small block size allows attacks based on collisions, as demonstrated by SWEET32. |
4159 |
-See https://community.openvpn.net/openvpn/wiki/SWEET32 for details. |
|
4170 |
+See https://community.openvpn.net/openvpn/wiki/SWEET32 for details. Due to |
|
4171 |
+this, support for |
|
4172 |
+.B BF-CBC, DES, CAST5, IDEA |
|
4173 |
+and |
|
4174 |
+.B RC2 |
|
4175 |
+ciphers will be removed in OpenVPN 2.6. |
|
4160 | 4176 |
|
4161 | 4177 |
To see other ciphers that are available with OpenVPN, use the |
4162 | 4178 |
.B \-\-show\-ciphers |
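Review bot: "OpenVPN 2.4 and newer on both client and server side will automatically upgrade to AES-256-GCM" is stronger than what NCP guarantees: the negotiated cipher is the one both peers' --ncp-ciphers lists agree on, and AES-256-GCM is only the outcome with the default lists. Suggest "will normally negotiate AES-256-GCM (the first entry of the default --ncp-ciphers list)" or similar, so readers who customise --ncp-ciphers are not misled. The fix of "it's" to "its" and the explicit list of ciphers slated for removal in 2.6 are good.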
... | ... |
@@ -4166,14 +4196,6 @@ Set |
4166 | 4166 |
.B alg=none |
4167 | 4167 |
to disable encryption. |
4168 | 4168 |
|
4169 |
-As of OpenVPN 2.4, cipher negotiation (NCP) can override the cipher specified by |
|
4170 |
-.B \-\-cipher\fR. |
|
4171 |
-See |
|
4172 |
-.B \-\-ncp\-ciphers |
|
4173 |
-and |
|
4174 |
-.B \-\-ncp\-disable |
|
4175 |
-for more on NCP. |
|
4176 |
- |
|
4177 | 4169 |
.\"********************************************************* |
4178 | 4170 |
.TP |
4179 | 4171 |
.B \-\-ncp\-ciphers cipher_list |
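Review bot: the removed paragraph was the only place the --cipher entry said plainly that NCP "can override the cipher specified by --cipher". The replacement text moved into the BF-CBC paragraph describes the result as an upgrade to AES-256-GCM but never states that the value configured with --cipher is thereby ignored, which is the point an administrator debugging a mismatch needs. Suggest keeping one sentence such as "Note that when NCP is in use the negotiated cipher takes precedence over the value given here."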
... | ... |
@@ -4260,6 +4282,9 @@ supported by OpenSSL. |
4260 | 4260 |
.\"********************************************************* |
4261 | 4261 |
.TP |
4262 | 4262 |
.B \-\-no\-replay |
4263 |
+.B DEPRECATED |
|
4264 |
+This option will be removed in OpenVPN 2.5. |
|
4265 |
+ |
|
4263 | 4266 |
(Advanced) Disable OpenVPN's protection against replay attacks. |
4264 | 4267 |
Don't use this option unless you are prepared to make |
4265 | 4268 |
a tradeoff of greater efficiency in exchange for less |
... | ... |
@@ -4423,7 +4448,6 @@ This option only makes sense when replay protection is enabled |
4423 | 4423 |
.\"********************************************************* |
4424 | 4424 |
.TP |
4425 | 4425 |
.B \-\-no\-iv |
4426 |
- |
|
4427 | 4426 |
.B DEPRECATED |
4428 | 4427 |
This option will be removed in OpenVPN 2.5. |
4429 | 4428 |
|
... | ... |
@@ -4823,6 +4847,9 @@ Certificate Store GUI. |
4823 | 4823 |
.\"********************************************************* |
4824 | 4824 |
.TP |
4825 | 4825 |
.B \-\-key\-method m |
4826 |
+.B DEPRECATED |
|
4827 |
+This option will be removed in OpenVPN 2.5 |
|
4828 |
+ |
|
4826 | 4829 |
Use data channel key negotiation method |
4827 | 4830 |
.B m. |
4828 | 4831 |
The key method must match on both sides of the connection. |
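Review bot: "This option will be removed in OpenVPN 2.5" lacks a period. More importantly, the marker gives no migration guidance; the Changes.rst hunk earlier in this patch says the recommended approach is to drop --key-method from configuration files altogether, so a second sentence pointing to that ("Remove the option from your configuration; key method 2 is then used.") would make the man page self-sufficient.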
... | ... |
@@ -5379,8 +5406,9 @@ as X509_<depth>_<attribute>=<value>. Multiple |
5379 | 5379 |
options can be defined to track multiple attributes. |
5380 | 5380 |
.\"********************************************************* |
5381 | 5381 |
.TP |
5382 |
-.B \-\-ns\-cert\-type client|server (DEPRECATED) |
|
5383 |
-This option is deprecated. Use the more modern equivalent |
|
5382 |
+.B \-\-ns\-cert\-type client|server |
|
5383 |
+.B DEPRECATED |
|
5384 |
+This option will be removed in OpenVPN 2.5. Use the more modern equivalent |
|
5384 | 5385 |
.B \-\-remote\-cert\-tls |
5385 | 5386 |
instead. This option will be removed in OpenVPN 2.5. |
5386 | 5387 |
|
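Review bot: the new line "This option will be removed in OpenVPN 2.5. Use the more modern equivalent" together with the unchanged context "instead. This option will be removed in OpenVPN 2.5." makes the section state the removal twice in consecutive sentences. Drop the trailing "This option will be removed in OpenVPN 2.5." from the context line so the paragraph reads "Use the more modern equivalent --remote-cert-tls instead."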
... | ... |
@@ -415,8 +415,9 @@ static const char usage_message[] = |
415 | 415 |
" client instance.\n" |
416 | 416 |
"--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n" |
417 | 417 |
" to be dynamically allocated to connecting clients.\n" |
418 |
- "--ifconfig-pool-linear : Use individual addresses rather than /30 subnets\n" |
|
419 |
- " in tun mode. Not compatible with Windows clients.\n" |
|
418 |
+ "--ifconfig-pool-linear : (DEPRECATED) Use individual addresses rather \n" |
|
419 |
+ " than /30 subnets\n in tun mode. Not compatible with\n" |
|
420 |
+ " Windows clients.\n" |
|
420 | 421 |
"--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n" |
421 | 422 |
" data to file, at seconds intervals (default=600).\n" |
422 | 423 |
" If seconds=0, file will be treated as read-only.\n" |
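Review bot: the rewrapped usage string has two defects. The first line ends in "rather \n" with a trailing space before the newline, and the second line contains an embedded "\n" in the middle (" than /30 subnets\n in tun mode. Not compatible with\n"), so "in tun mode." will be printed on its own line with a single-space indent rather than aligned with the other continuation lines. Suggest splitting into three properly indented lines, for example "--ifconfig-pool-linear : (DEPRECATED) Use individual addresses rather\n", " than /30 subnets in tun mode. Not compatible with\n", " Windows clients.\n".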
... | ... |
@@ -434,7 +435,7 @@ static const char usage_message[] = |
434 | 434 |
" Only valid in a client-specific config file.\n" |
435 | 435 |
"--disable : Client is disabled.\n" |
436 | 436 |
" Only valid in a client-specific config file.\n" |
437 |
- "--client-cert-not-required : Don't require client certificate, client\n" |
|
437 |
+ "--client-cert-not-required : (DEPRECATED) Don't require client certificate, client\n" |
|
438 | 438 |
" will authenticate using username/password.\n" |
439 | 439 |
"--verify-client-cert [none|optional|require] : perform no, optional or\n" |
440 | 440 |
" mandatory client certificate verification.\n" |
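Review bot: inserting "(DEPRECATED) " pushes the first usage line for --client-cert-not-required well past the width the surrounding entries wrap at, so the --help output will wrap on an 80-column terminal. Move "client" to the continuation line (" client will authenticate using username/password.\n") to keep the alignment consistent with the entries above and below.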
... | ... |
@@ -455,7 +456,7 @@ static const char usage_message[] = |
455 | 455 |
" with those of the server will be disconnected.\n" |
456 | 456 |
"--auth-user-pass-optional : Allow connections by clients that don't\n" |
457 | 457 |
" specify a username/password.\n" |
458 |
- "--no-name-remapping : Allow Common Name and X509 Subject to include\n" |
|
458 |
+ "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n" |
|
459 | 459 |
" any printable character.\n" |
460 | 460 |
"--client-to-client : Internally route client-to-client traffic.\n" |
461 | 461 |
"--duplicate-cn : Allow multiple clients with the same common name to\n" |
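Review bot: same width problem as the --client-cert-not-required entry: "(DEPRECATED) Allow Common Name and X509 Subject to include\n" exceeds the column the rest of usage_message wraps at. Rewrap as "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to\n" with "include any printable character.\n" on the indented continuation line.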
... | ... |
@@ -539,13 +540,13 @@ static const char usage_message[] = |
539 | 539 |
"--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n" |
540 | 540 |
" nonce_secret_len=nsl. Set alg=none to disable PRNG.\n" |
541 | 541 |
#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH |
542 |
- "--keysize n : Size of cipher key in bits (optional).\n" |
|
542 |
+ "--keysize n : (DEPRECATED) Size of cipher key in bits (optional).\n" |
|
543 | 543 |
" If unspecified, defaults to cipher-specific default.\n" |
544 | 544 |
#endif |
545 | 545 |
#ifndef ENABLE_CRYPTO_MBEDTLS |
546 | 546 |
"--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n" |
547 | 547 |
#endif |
548 |
- "--no-replay : Disable replay protection.\n" |
|
548 |
+ "--no-replay : (DEPRECATED) Disable replay protection.\n" |
|
549 | 549 |
"--mute-replay-warnings : Silence the output of replay warnings to log file.\n" |
550 | 550 |
"--replay-window n [t] : Use a replay protection sliding window of size n\n" |
551 | 551 |
" and a time window of t seconds.\n" |
... | ... |
@@ -563,7 +564,7 @@ static const char usage_message[] = |
563 | 563 |
"(These options are meaningful only for TLS-mode)\n" |
564 | 564 |
"--tls-server : Enable TLS and assume server role during TLS handshake.\n" |
565 | 565 |
"--tls-client : Enable TLS and assume client role during TLS handshake.\n" |
566 |
- "--key-method m : Data channel key exchange method. m should be a method\n" |
|
566 |
+ "--key-method m : (DEPRECATED) Data channel key exchange method. m should be a method\n" |
|
567 | 567 |
" number, such as 1 (default), 2, etc.\n" |
568 | 568 |
"--ca file : Certificate authority file in .pem format containing\n" |
569 | 569 |
" root certificate.\n" |
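Review bot: the unchanged continuation line still reads "number, such as 1 (default), 2, etc.", which contradicts the Changes.rst hunk in this same patch stating that --key-method 1 is deprecated and that the option should simply be removed from configurations. Since the whole option is now marked DEPRECATED, update the continuation to drop "(default)" (or say "2 (default)") so the usage text does not advertise the deprecated method as the default. The first line also exceeds the usual wrap width once "(DEPRECATED) " is added; "m should be a method" fits on the continuation line.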
... | ... |
@@ -6570,6 +6571,7 @@ add_option(struct options *options, |
6570 | 6570 |
{ |
6571 | 6571 |
VERIFY_PERMISSION(OPT_P_GENERAL); |
6572 | 6572 |
options->topology = TOP_P2P; |
6573 |
+ msg(M_WARN, "DEPRECATED OPTION: --ifconfig-pool-linear, use --topology p2p instead"); |
|
6573 | 6574 |
} |
6574 | 6575 |
else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2]) |
6575 | 6576 |
{ |
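Review bot: this is the only runtime warning the patch adds, even though the commit message says deprecation should be highlighted "both in documentation and code", and --client-cert-not-required, --no-replay, --key-method, --compat-names, --no-name-remapping and --ns-cert-type all gain DEPRECATED markers in the documentation hunks above. If those options already emit an M_WARN elsewhere in options.c that is fine, but if any of them does not, the same "DEPRECATED OPTION: --<name>, use <replacement> instead" message should be added next to their handling so that the log, not only the man page, tells an administrator the configuration will break in 2.5.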