[Openvpn-devel,v2] Deprecate non TLS mode in OpenVPN

Message ID	20210328090530.10653-1-arne@rfc2549.org
State	Accepted
Headers	show Return-Path: <openvpn-devel-bounces@lists.sourceforge.net> From: Arne Schwabe <arne@rfc2549.org> To: openvpn-devel@lists.sourceforge.net Date: Sun, 28 Mar 2021 11:05:30 +0200 Message-Id: <20210328090530.10653-1-arne@rfc2549.org> In-Reply-To: <20210325000121.10331-1-arne@rfc2549.org> References: <20210325000121.10331-1-arne@rfc2549.org> SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record Subject: [Openvpn-devel] [PATCH v2] Deprecate non TLS mode in OpenVPN Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox
Series	[Openvpn-devel,v2] Deprecate non TLS mode in OpenVPN \| expand [Openvpn-devel,v2] Deprecate non TLS mode in OpenVPN

Message ID

20210328090530.10653-1-arne@rfc2549.org

State

Accepted

Headers

From: Arne Schwabe <arne@rfc2549.org>
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 28 Mar 2021 11:05:30 +0200
Message-Id: <20210328090530.10653-1-arne@rfc2549.org>
In-Reply-To: <20210325000121.10331-1-arne@rfc2549.org>
References: <20210325000121.10331-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v2] Deprecate non TLS mode in OpenVPN
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: openvpn-devel-bounces@lists.sourceforge.net

Series

[Openvpn-devel,v2] Deprecate non TLS mode in OpenVPN | expand

Commit Message

Arne Schwabe March 27, 2021, 10:05 p.m. UTC

The non-TLS mode is a relict from OpenVPN 1.x or 2.0. When tls mode was
introduce the advantages of TLS over non-tls were small but tls mode
evolved to include a lot more features. (NCP, multipeer, AEAD ciphers to name
a few).

Today VPN that use --secret are mainly used because of its relative easy to
setup and requiring to setup a PKI. This shortcoming of TLS mode should be
addressed now with the peer-fingerprint option.

But the biggest reason to deprecate --secret is that the use of a fixed
pre-shared key and lack of any of session key. No forward secrecy is
possible and any VPN traffic can be decrypted later should the --secret
by anyone who can get the session key. The cryptography overall used here
was okay when --secret was introduced but is not acceptable by today's
standard anymore.

Patch V2: Improve commit message
---
 doc/man-sections/protocol-options.rst |  2 +-
 src/openvpn/options.c                 | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

Comments

Gert Doering April 2, 2021, 10:29 p.m. UTC | #1

Acked-by: Gert Doering <gert@greenie.muc.de>

The code change is simple enough to review.  My p2p tests now complain
to me in large letters that I should not be doing this (but still work
fine).

I have spent a bit of time on the commit message and I hope I made it 
even more clear.

I have added a note to Changes.rst

Your patch has been applied to the master branch.

commit b72b5ff5e80135e85acc54b807797947528f1963
Author: Arne Schwabe
Date:   Sun Mar 28 11:05:30 2021 +0200

     Deprecate non TLS mode in OpenVPN

     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20210328090530.10653-1-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21868.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst
index e9d5d63d4..bb08fa3ef 100644
--- a/doc/man-sections/protocol-options.rst
+++ b/doc/man-sections/protocol-options.rst
@@ -226,7 +226,7 @@  configured in a compatible way between both the local and remote side.
   disables cipher negotiation.
 
 --secret args
-  Enable Static Key encryption mode (non-TLS). Use pre-shared secret
+  **DEPRECATED** Enable Static Key encryption mode (non-TLS). Use pre-shared secret
   ``file`` which was generated with ``--genkey``.
 
   Valid syntaxes:
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 51bd56c2b..4ef8924f5 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -514,7 +514,7 @@  static const char usage_message[] =
     "\n"
     "Data Channel Encryption Options (must be compatible between peers):\n"
     "(These options are meaningful for both Static Key & TLS-mode)\n"
-    "--secret f [d]  : Enable Static Key encryption mode (non-TLS).\n"
+    "--secret f [d]  : (DEPRECATED) Enable Static Key encryption mode (non-TLS).\n"
     "                  Use shared secret file f, generate with --genkey.\n"
     "                  The optional d parameter controls key directionality.\n"
     "                  If d is specified, use separate keys for each\n"
@@ -2564,6 +2564,15 @@  options_postprocess_verify_ce(const struct options *options,
         msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
     }
 
+    if (!options->tls_server || !options->tls_client)
+    {
+        msg(M_INFO, "DEPRECATION: No tls-client or tls-server option in "
+                    "configuration detected. OpenVPN 2.7 will remove the "
+                    "functionality to run a VPN without TLS. "
+                    "See the examples section in the manual page for "
+                    "examples of a similar quick setup with peer-fingerprint.");
+    }
+
     if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
     {
         msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
@@ -7862,6 +7871,7 @@  add_option(struct options *options,
     }
     else if (streq(p[0], "secret") && p[1] && !p[3])
     {
+        msg(M_WARN, "DEPRECATED OPTION: The option --secret is deprecated.");
         VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
         options->shared_secret_file = p[1];
         options->shared_secret_file_inline = is_inline;