@@ -20,6 +20,8 @@ NTLMv1 authentication support for HTTP proxies has been removed.

     When configured to authenticate with NTLMv1 (``ntlm`` keyword in

     ``--http-proxy``) OpenVPN will try NTLMv2 instead.

+``persist-key`` option has been enabled by default.

+    All the keys will be kept in memory across restart.

 Overview of changes in 2.6

 ==========================

@@ -39,7 +39,6 @@ Here is an example of connection profile usage::

    http-proxy 192.168.0.8 8080

    </connection>

-   persist-key

    persist-tun

    pkcs12 client.p12

    remote-cert-tls server

@@ -302,17 +302,6 @@ which mode OpenVPN is configured as.

   Change process priority after initialization (``n`` greater than 0 is

   lower priority, ``n`` less than zero is higher priority).

-  Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``.

-

-  This option can be combined with ``--user`` to allow restarts

-  triggered by the :code:`SIGUSR1` signal. Normally if you drop root

-  privileges in OpenVPN, the daemon cannot be restarted since it will now

-  be unable to re-read protected key files.

-

-  This option solves the problem by persisting keys across :code:`SIGUSR1`

-  resets, so they don't need to be re-read.

-

 --providers providers

   Load the list of (OpenSSL) providers. This is mainly useful for using an

   external provider for key management like tpm2-openssl or to load the

@@ -402,7 +391,7 @@ which mode OpenVPN is configured as.

   Like with chroot, complications can result when scripts or restarts are

   executed after the setcon operation, which is why you should really

-  consider using the ``--persist-key`` and ``--persist-tun`` options.

+  consider using the ``--persist-tun`` option.

 --status args

   Write operational status to ``file`` every ``n`` seconds. ``n`` defaults

@@ -283,7 +283,7 @@ the local and the remote host.

   See the signals section below for more information on :code:`SIGUSR1`.

   Note that the behavior of ``SIGUSR1`` can be modified by the

-  ``--persist-tun``, ``--persist-key``, ``--persist-local-ip`` and

+  ``--persist-tun``, ``--persist-local-ip`` and

   ``--persist-remote-ip`` options.

   Also note that ``--ping-exit`` and ``--ping-restart`` are mutually

@@ -452,7 +452,7 @@ fast hardware. SSL/TLS authentication must be used in this mode.

   ``--route``, ``--route-gateway``, ``--route-delay``,

   ``--redirect-gateway``, ``--ip-win32``, ``--dhcp-option``, ``--dns``,

   ``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``,

-  ``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``,

+  ``--setenv``, ``--auth-token``, ``--persist-tun``,

   ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``,

   ``--rcvbuf``, ``--session-timeout``

@@ -10,9 +10,8 @@ SIGNALS

     Like :code:`SIGHUP``, except don't re-read configuration file, and

     possibly don't close and reopen TUN/TAP device, re-read key files,

     preserve local IP address/port, or preserve most recently authenticated

-    remote IP address/port based on ``--persist-tun``, ``--persist-key``,

-    ``--persist-local-ip`` and ``--persist-remote-ip`` options respectively

-    (see above).

+    remote IP address/port based on ``--persist-tun``, ``--persist-local-ip``

+    and ``--persist-remote-ip`` options respectively (see above).

     This signal may also be internally generated by a timeout condition,

     governed by the ``--ping-restart`` option.

@@ -42,3 +42,6 @@ longer supported

 --prng

   Removed in OpenVPN 2.6.  We now always use the PRNG of the SSL library.

+

+--persist-key

+  Ignored since OpenVPN 2.7. Keys are now always persisted across restarts.

\ No newline at end of file

@@ -62,7 +62,6 @@ nobind

 ;group openvpn

 # Try to preserve some state across restarts.

-persist-key

 persist-tun

 # If you are connecting through an

@@ -274,11 +274,10 @@ cipher AES-256-CBC

 ;user openvpn

 ;group openvpn

-# The persist options will try to avoid

+# The persist option will try to avoid

 # accessing certain resources on restart

 # that may no longer be accessible because

 # of the privilege downgrade.

-persist-key

 persist-tun

 # Output a short status file showing

@@ -89,7 +89,6 @@ secret key.txt

 ; ping-restart 60

 ; ping-timer-rem

 ; persist-tun

-; persist-key

 ; resolv-retry 86400

 # keep-alive ping

@@ -3559,14 +3559,6 @@ do_option_warnings(struct context *c)

         {

             msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");

         }

-        if (!o->persist_key

-#ifdef ENABLE_PKCS11

-            && !o->pkcs11_id

-#endif

-            )

-        {

-            msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");

-        }

     }

     if (o->chroot_dir && !(o->username && o->groupname))

@@ -3857,7 +3849,7 @@ static void

 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)

 {

     /*

-     * always free the tls_auth/crypt key. If persist_key is true, the key will

+     * always free the tls_auth/crypt key. The key will

      * be reloaded from memory (pre-cached)

      */

     free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key);

@@ -3866,7 +3858,7 @@ do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)

     buf_clear(&c->c1.ks.tls_crypt_v2_wkc);

     free_buf(&c->c1.ks.tls_crypt_v2_wkc);

-    if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))

+    if (!(c->sig->signal_received == SIGUSR1))

     {

         key_schedule_free(&c->c1.ks, free_ssl_ctx);

     }

@@ -48,7 +48,7 @@

 /*

  * Our global key schedules, packaged thusly

- * to facilitate --persist-key.

+ * to facilitate key persistence.

  */

 struct key_schedule

@@ -273,7 +273,6 @@ static const char usage_message[] =

     "--persist-tun   : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"

     "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"

     "--persist-local-ip  : Keep local IP address across SIGUSR1 or --ping-restart.\n"

-    "--persist-key   : Don't re-read key files across SIGUSR1 or --ping-restart.\n"

 #if PASSTOS_CAPABILITY

     "--passtos       : TOS passthrough (applies to IPv4 only).\n"

 #endif

@@ -1857,7 +1856,6 @@ show_settings(const struct options *o)

     SHOW_BOOL(persist_tun);

     SHOW_BOOL(persist_local_ip);

     SHOW_BOOL(persist_remote_ip);

-    SHOW_BOOL(persist_key);

 #if PASSTOS_CAPABILITY

     SHOW_BOOL(passtos);

@@ -3240,18 +3238,16 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)

         ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline;

     }

-    /* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and

+    /* Pre-cache tls-auth/crypt(-v2) key file if

      * keys were not already embedded in the config file.

      */

-    if (o->persist_key)

-    {

-        connection_entry_preload_key(&ce->tls_auth_file,

-                                     &ce->tls_auth_file_inline, &o->gc);

-        connection_entry_preload_key(&ce->tls_crypt_file,

-                                     &ce->tls_crypt_file_inline, &o->gc);

-        connection_entry_preload_key(&ce->tls_crypt_v2_file,

-                                     &ce->tls_crypt_v2_file_inline, &o->gc);

-    }

+    connection_entry_preload_key(&ce->tls_auth_file,

+                                 &ce->tls_auth_file_inline, &o->gc);

+    connection_entry_preload_key(&ce->tls_crypt_file,

+                                 &ce->tls_crypt_file_inline, &o->gc);

+    connection_entry_preload_key(&ce->tls_crypt_v2_file,

+                                 &ce->tls_crypt_v2_file_inline, &o->gc);

+

     if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)

     {

@@ -6963,7 +6959,8 @@ add_option(struct options *options,

     else if (streq(p[0], "persist-key") && !p[1])

     {

         VERIFY_PERMISSION(OPT_P_PERSIST);

-        options->persist_key = true;

+        msg(M_WARN, "DEPRECATED: --persist-key option ignored. "

+            "Keys are now always persisted across restarts. ");

     }

     else if (streq(p[0], "persist-local-ip") && !p[1])

     {

@@ -344,7 +344,6 @@ struct options

     bool persist_tun;           /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */

     bool persist_local_ip;      /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */

     bool persist_remote_ip;     /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */

-    bool persist_key;           /* Don't re-read key files on SIGUSR1 or PING_RESTART */

 #if PASSTOS_CAPABILITY

     bool passtos;