From patchwork Thu Jul 9 00:15:56 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1222 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director12.mail.ord1d.rsapps.net ([172.28.255.1]) by backend30.mail.ord1d.rsapps.net with LMTP id gNh0GajuBl+hVAAAIUCqbw for ; Thu, 09 Jul 2020 06:17:12 -0400 Received: from proxy5.mail.ord1c.rsapps.net ([172.28.255.1]) by director12.mail.ord1d.rsapps.net with LMTP id uPh7GajuBl8oTwAAIasKDg ; Thu, 09 Jul 2020 06:17:12 -0400 Received: from smtp12.gate.ord1c ([172.28.255.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy5.mail.ord1c.rsapps.net with LMTP id oOkWGajuBl98OAAAPBRIyg ; Thu, 09 Jul 2020 06:17:12 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp12.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 5a357b38-c1cd-11ea-8584-bc305bf03e5c-1-1 Received: from [216.105.38.7] ([216.105.38.7:45578] helo=lists.sourceforge.net) by smtp12.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id CF/6D-09343-7AEE60F5; Thu, 09 Jul 2020 06:17:12 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1jtTbW-0006uS-V6; Thu, 09 Jul 2020 10:16:34 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jtTbC-0006tp-Fp for openvpn-devel@lists.sourceforge.net; Thu, 09 Jul 2020 10:16:14 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc: MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=NAe2o4E7/9mSy4YYa4KFRgc7aiGRx0gutV+3iYMqPog=; b=T15Q0uFdPYsBxRLQ53AEISAsqc PHU7Hl33Beg9WQI4qxiJjB2wE95G+M5Ysvq9Co1CgIPhkUG4k8eRSgo/OmhdoyC8TAGpBDJ04C33W WfRSyDsg/Fw/HukVtMhzclVj0HIqc0K0vl8lcVy00eHjOWyrfQrm4LwlAuwL0oJ71lIg=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:MIME-Version: Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=NAe2o4E7/9mSy4YYa4KFRgc7aiGRx0gutV+3iYMqPog=; b=GPwO7HECN8S8Se6Dr+6xuBO/Dp 5EVn4ISM0C9qUjM8yPOXQmVIU3OR/k4hF4DdDZU8BprMvy+J0ksPgmQEMwjvTzMRe2GnGEaO5h7d2 HN0Wl0uksDPuMOsfKa7bUdlXkUhj6v7TRCqqHK5uGGHScwdzLsuvgQVnxzo8u5GFQmy4=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-4.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1jtTbB-00F1Gp-6i for openvpn-devel@lists.sourceforge.net; Thu, 09 Jul 2020 10:16:14 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.92.3 (FreeBSD)) (envelope-from ) id 1jtTb1-000HXg-JU for openvpn-devel@lists.sourceforge.net; Thu, 09 Jul 2020 12:16:03 +0200 Received: (nullmailer pid 11987 invoked by uid 10006); Thu, 09 Jul 2020 10:16:03 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Thu, 9 Jul 2020 12:15:56 +0200 Message-Id: <20200709101603.11941-1-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: rfc2549.org] 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1jtTbB-00F1Gp-6i Subject: [Openvpn-devel] [PATCH 1/8] Deprecate ncp-disable and add improved ncp to Changes.rst X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- Changes.rst | 18 ++++++++++++++++++ src/openvpn/options.c | 5 ++++- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/Changes.rst b/Changes.rst index 00dd6ed8..2752d29b 100644 --- a/Changes.rst +++ b/Changes.rst @@ -13,6 +13,24 @@ ChaCha20-Poly1305 cipher support Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN data channel. +Improved Data channel cipher negotiation + OpenVPN clients will now signal all supported cipher from the + ``ncp-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN + servers will select the first common cipher from the ``ncp-ciphers`` + list instead of blindly pushing the first cipher of the list. This + allows to use a configuration like + ``ncp-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that + prefers ChaCha20-Poly1305 but uses it only if the client supports it. + +Deprecated features +------------------- +For an up-to-date list of all deprecated options, see this wiki page: +https://community.openvpn.net/openvpn/wiki/DeprecatedOptions + +- ``ncp-disable`` has been deprecated + With the improved and matured data channel cipher negioation, the use + of ``ncp-disable`` should not be necessary anymore. + Overview of changes in 2.4 ========================== diff --git a/src/openvpn/options.c b/src/openvpn/options.c index a72b677a..75871b46 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -545,7 +545,7 @@ static const char usage_message[] = " (default=%s).\n" " Set alg=none to disable encryption.\n" "--ncp-ciphers list : List of ciphers that are allowed to be negotiated.\n" - "--ncp-disable : Disable cipher negotiation.\n" + "--ncp-disable : (DEPRECATED) Disable cipher negotiation.\n" "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n" " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n" #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH @@ -7904,6 +7904,9 @@ add_option(struct options *options, { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE); options->ncp_enabled = false; + msg(M_WARN, "DEPRECATED OPTION: ncp-disable. Disabling dynamic " + "cipher negioating is a depracted debug feature that will " + "be removed in OpenVPN 2.6"); } else if (streq(p[0], "prng") && p[1] && !p[3]) {