[Openvpn-devel,1/8] Deprecate ncp-disable and add improved ncp to Changes.rst

Message ID 20200709101603.11941-1-arne@rfc2549.org
State Accepted
Headers show
Series
  • [Openvpn-devel,1/8] Deprecate ncp-disable and add improved ncp to Changes.rst
Related show

Commit Message

Arne Schwabe July 9, 2020, 10:15 a.m.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 Changes.rst           | 18 ++++++++++++++++++
 src/openvpn/options.c |  5 ++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

Comments

Antonio Quartulli July 9, 2020, 2:07 p.m. | #1
Hi,

On 09/07/2020 12:15, Arne Schwabe wrote:
> Signed-off-by: Arne Schwabe <arne@rfc2549.org>
> ---
>  Changes.rst           | 18 ++++++++++++++++++
>  src/openvpn/options.c |  5 ++++-
>  2 files changed, 22 insertions(+), 1 deletion(-)
> 
> diff --git a/Changes.rst b/Changes.rst
> index 00dd6ed8..2752d29b 100644
> --- a/Changes.rst
> +++ b/Changes.rst
> @@ -13,6 +13,24 @@ ChaCha20-Poly1305 cipher support
>      Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN data
>      channel.
>  
> +Improved Data channel cipher negotiation
> +    OpenVPN clients will now signal all supported cipher from the
                                                        ^^^ cipherS

> +    ``ncp-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN
> +    servers will select the first common cipher from the ``ncp-ciphers``
> +    list instead of blindly pushing the first cipher of the list. This
> +    allows to use a configuration like
> +    ``ncp-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that
> +    prefers ChaCha20-Poly1305 but uses it only if the client supports it.
> +
> +Deprecated features
> +-------------------
> +For an up-to-date list of all deprecated options, see this wiki page:
> +https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
> +
> +- ``ncp-disable`` has been deprecated
> +    With the improved and matured data channel cipher negioation, the use

                                                         ^^^ negotiation

> +    of ``ncp-disable`` should not be necessary anymore.
> +
>  
>  Overview of changes in 2.4
>  ==========================
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index a72b677a..75871b46 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -545,7 +545,7 @@ static const char usage_message[] =
>      "                  (default=%s).\n"
>      "                  Set alg=none to disable encryption.\n"
>      "--ncp-ciphers list : List of ciphers that are allowed to be negotiated.\n"
> -    "--ncp-disable   : Disable cipher negotiation.\n"
> +    "--ncp-disable   : (DEPRECATED) Disable cipher negotiation.\n"
>      "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
>      "                   nonce_secret_len=nsl.  Set alg=none to disable PRNG.\n"
>  #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
> @@ -7904,6 +7904,9 @@ add_option(struct options *options,
>      {
>          VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
>          options->ncp_enabled = false;
> +        msg(M_WARN, "DEPRECATED OPTION: ncp-disable. Disabling dynamic "
> +                    "cipher negioating is a depracted debug feature that will "
                               ^^^ negotiation    ^^^ deprecated

> +                    "be removed in OpenVPN 2.6");
>      }
>      else if (streq(p[0], "prng") && p[1] && !p[3])
>      {
> 


I only have one doubt about how visible the message is:

2020-07-09 16:05:08 DEPRECATED OPTION: ncp-disable. Disabling dynamic
cipher negioating is a depracted debug feature that will be removed in
OpenVPN 2.6

appears at the top of the log (first line actually) and does not seem
easy to spot.

How about adding some ********* or ######## to make it pop out of the
screen?

I personally did not see it immediately, even though I knew it was
there! (note: it may just be me)
Gert Doering July 9, 2020, 3:52 p.m. | #2
Acked-by: Gert Doering <gert@greenie.muc.de>

Taken the review by Antonio and the subsequent discussion on IRC on 
"where should the message go?" - we leave it where it is, because all the
other DEPRECATED OPTIONS warnings are done the same way (except keysize).

Typos fixed, message wrapped slightly differently to avoid line wrap.

Not checked in any significant way (besides "make" compile test, just to be
sure I didn't break anything).

Your patch has been applied to the master branch.

commit 2b09c1405fdfffe15b2b444b15cce7820263a048
Author: Arne Schwabe
Date:   Thu Jul 9 12:15:56 2020 +0200

     Deprecate ncp-disable and add improved ncp to Changes.rst

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20200709101603.11941-1-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20257.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/Changes.rst b/Changes.rst
index 00dd6ed8..2752d29b 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -13,6 +13,24 @@  ChaCha20-Poly1305 cipher support
     Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN data
     channel.
 
+Improved Data channel cipher negotiation
+    OpenVPN clients will now signal all supported cipher from the
+    ``ncp-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN
+    servers will select the first common cipher from the ``ncp-ciphers``
+    list instead of blindly pushing the first cipher of the list. This
+    allows to use a configuration like
+    ``ncp-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that
+    prefers ChaCha20-Poly1305 but uses it only if the client supports it.
+
+Deprecated features
+-------------------
+For an up-to-date list of all deprecated options, see this wiki page:
+https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
+
+- ``ncp-disable`` has been deprecated
+    With the improved and matured data channel cipher negioation, the use
+    of ``ncp-disable`` should not be necessary anymore.
+
 
 Overview of changes in 2.4
 ==========================
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index a72b677a..75871b46 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -545,7 +545,7 @@  static const char usage_message[] =
     "                  (default=%s).\n"
     "                  Set alg=none to disable encryption.\n"
     "--ncp-ciphers list : List of ciphers that are allowed to be negotiated.\n"
-    "--ncp-disable   : Disable cipher negotiation.\n"
+    "--ncp-disable   : (DEPRECATED) Disable cipher negotiation.\n"
     "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
     "                   nonce_secret_len=nsl.  Set alg=none to disable PRNG.\n"
 #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
@@ -7904,6 +7904,9 @@  add_option(struct options *options,
     {
         VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
         options->ncp_enabled = false;
+        msg(M_WARN, "DEPRECATED OPTION: ncp-disable. Disabling dynamic "
+                    "cipher negioating is a depracted debug feature that will "
+                    "be removed in OpenVPN 2.6");
     }
     else if (streq(p[0], "prng") && p[1] && !p[3])
     {