GitList

Browse code

Deprecate --keysize

The --keysize option can only be used with already deprecated ciphers,
such as CAST5, RC2 or BF. Deviating from the default keysize is
generally not a good idea (see man page text), and otherwise only
complicates our code.

Since we will also remove the support for weak ciphers (ciphers with
cipher block length less than 128 bits) in OpenVPN 2.6 as well, we
start the deprecation of this option instantly.

[DS: Slightly amended the patch, referencing OpenVPN 2.6 and added
a few more details to Changes.rst and the commit message]

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170701112951.19119-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15004.html
Signed-off-by: David Sommerseth <davids@openvpn.net>

Steffan Karger authored on 2017/07/01 20:29:51
Showing 3 changed files

Changes.rst index 0b2b04d..4358f78 100644
doc/openvpn.8 index 20bdd91..056ae14 100644
src/openvpn/options.c index c4bd8cb..ef7009c 100644

Changes.rst

History View file @ ad178f0

@@ -178,6 +178,9 @@ Deprecated features
                      - ``--no-iv`` is deprecated in 2.4 and will be removed in 2.5.
                     +- ``--keysize`` is deprecated and will be removed in v2.6 together
                     +  with the support of ciphers with cipher block size less than 128 bits.
+                    +
                      User-visible Changes
                      --------------------

doc/openvpn.8

History View file @ ad178f0

@@ -4217,6 +4217,9 @@ negotiation.
                      .\"*********************************************************
                      .TP
                      .B \-\-keysize n
                     +.B DEPRECATED
                     +This option will be removed in OpenVPN 2.6.
+                    +
                      Size of cipher key in bits (optional).
                      If unspecified, defaults to cipher-specific default.  The
                      .B \-\-show\-ciphers

src/openvpn/options.c

History View file @ ad178f0

@@ -2484,6 +2484,11 @@ options_postprocess_verify_ce(const struct options *options, const struct connec
                              msg(M_USAGE, "NCP cipher list contains unsupported ciphers.");
+                         }
                     +    if (options->keysize)
                     +    {
                     +        msg(M_WARN, "WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6");
                     +    }
+                    +
                          /*
                           * Check consistency of replay options
                           */