[Openvpn-devel,v2,5/8] doc/man: Mark compression options as deprecated

Message ID 20200716225338.611-6-davids@openvpn.net
State Accepted
Series
  • man-page overhaul project - round 2

Commit Message

David Sommerseth July 16, 2020, 10:53 p.m.
Due to the VORACLE attack vector, compression in general is deprecated.
Make this clear in the man page.

Also remove an incorrect statement claiming --compress lzo is compatible
with --comp-lzo.  It is not, as --compress lzo uses a different
compression framing than --comp-lzo.

Signed-off-by: David Sommerseth <davids@openvpn.net>
---
 doc/man-sections/protocol-options.rst | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

Comments

Gert Doering July 17, 2020, 9:46 a.m. | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

"By general agreement".

Your patch has been applied to the master branch.

commit 850fd5fab76403bb1a8e21b8d4272b138ce19934
Author: David Sommerseth
Date:   Fri Jul 17 00:53:35 2020 +0200

     doc/man: Mark compression options as deprecated

     Signed-off-by: David Sommerseth <davids@openvpn.net>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20200716225338.611-6-davids@openvpn.net>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20417.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst
index ae85a25e..a5a1253a 100644
--- a/doc/man-sections/protocol-options.rst
+++ b/doc/man-sections/protocol-options.rst
@@ -60,9 +60,7 @@  configured in a compatible way between both the local and remote side.
 
   The ``algorithm`` parameter may be :code:`lzo`, :code:`lz4`, or empty.
   LZO and LZ4 are different compression algorithms, with LZ4 generally
-  offering the best performance with least CPU usage. For backwards
-  compatibility with OpenVPN versions before v2.4, use :code:`lzo` (which
-  is identical to the older option ``--comp-lzo yes``).
+  offering the best performance with least CPU usage.
 
   If the ``algorithm`` parameter is empty, compression will be turned off,
   but the packet framing for compression will still be enabled, allowing a
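
Review bot: The commit message says --compress lzo uses a different compression framing than --comp-lzo, but after this hunk the ``algorithm`` paragraph says nothing about that. A reader moving a pre-2.4 setup from ``--comp-lzo yes`` to ``--compress lzo`` on one side only gets no hint from the man page that the peers may no longer agree on framing. Instead of only deleting the sentence, consider replacing it with one line stating the relationship between the two options as it is now understood, so the correction is visible in the documentation and not just in the commit log.
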
@@ -79,8 +77,9 @@  configured in a compatible way between both the local and remote side.
   *not* enable compression.
 
 --comp-lzo mode
-  *DEPRECATED* This option will be removed in a future OpenVPN release.
-  Use the newer ``--compress`` instead.
+  **DEPRECATED** Enable LZO compression algorithm.  Compression is
+  generally not recommended.  VPN tunnels which uses compression are
+  suspectible to the VORALCE attack vector.
 
   Use LZO compression -- may add up to 1 byte per packet for incompressible
   data. ``mode`` may be :code:`yes`, :code:`no`, or :code:`adaptive`
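
Review bot: The added text under --comp-lzo has three typos: "VORALCE" should be "VORACLE" (as spelled in the commit message), "suspectible" should be "susceptible", and "tunnels which uses" should be "tunnels which use". Beyond spelling, the new opening sentence "Enable LZO compression algorithm." repeats what the unchanged line "Use LZO compression -- may add up to 1 byte per packet" already says directly below, so one of the two can go. The hunk also drops the pointer to ``--compress`` without giving a replacement recommendation; since the stated reason for deprecation is the attack vector, it would help to say what users should do instead (for example, that compression should be left disabled) so the entry does not read as deprecated with no way forward.
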
@@ -106,9 +105,9 @@  configured in a compatible way between both the local and remote side.
   link, the second sets the client side.
 
 --comp-noadapt
-  When used in conjunction with ``--comp-lzo``, this option will disable
-  OpenVPN's adaptive compression algorithm. Normally, adaptive compression
-  is enabled with ``--comp-lzo``.
+  **DEPRECATED** When used in conjunction with ``--comp-lzo``, this option
+  will disable OpenVPN's adaptive compression algorithm. Normally, adaptive
+  compression is enabled with ``--comp-lzo``.
 
   Adaptive compression tries to optimize the case where you have
   compression enabled, but you are sending predominantly incompressible
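
Review bot: --comp-noadapt gains a bare **DEPRECATED** marker with no reason or pointer, while the --comp-lzo entry in the previous hunk explains the deprecation by naming the VORACLE attack vector. Someone who lands on this entry directly will not learn why it is deprecated or that the concern is compression as a whole, not only the adaptive mode. A short clause here, or a cross-reference to the --comp-lzo entry, would keep the two descriptions consistent.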