| Field | Value |
|---|---|
| Message ID | 20200717171544.21632-1-davids@openvpn.net |
| State | Accepted |
| Series | [Openvpn-devel] Remove --no-iv |
Acked-by: Gert Doering <gert@greenie.muc.de>

I have taken this one out of sequence (it is intended to go after the --no-replay patch), because *this* one is simple, and the other one is quite a bit above my pay grade - plus it modifies stuff that Arne is working on (the frame adjustment stuff), so that needs much more careful scrutiny.

The patch itself is conflict-free, but the patch context in Changes.rst and doc/man-sections/server-options.rst is different.

Your patch has been applied to the master branch.

commit 4b4b34da9811da9e6912c89cd68be3cfe1684a97
Author: David Sommerseth
Date:   Fri Jul 17 19:15:44 2020 +0200

    Remove --no-iv

    Signed-off-by: David Sommerseth <davids@openvpn.net>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20200717171544.21632-1-davids@openvpn.net>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20460.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
diff --git a/Changes.rst b/Changes.rst index e279d360..7d4fdec6 100644 --- a/Changes.rst +++ b/Changes.rst @@ -39,6 +39,9 @@ https://community.openvpn.net/openvpn/wiki/DeprecatedOptions adds a security weakness. This was also highlighted during the `OpenVPN 2.4 security audit <https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits#OVPN-03-3:Insecureconfigurationoptions:--no-replay>`_. +- ``no-iv`` has been removed + This option was made into a NOOP option with OpenVPN 2.4. This has now + been completely removed. Overview of changes in 2.4 ========================== diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 2381f5c8..75d174ea 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -399,7 +399,7 @@ fast hardware. SSL/TLS authentication must be used in this mode. ``link-mtu``, ``tun-mtu``, ``proto``, ``ifconfig``, ``comp-lzo``, ``fragment``, ``keydir``, ``cipher``, ``auth``, ``keysize``, ``secret``, - ``no-iv``, ``tls-auth``, ``key-method``, ``tls-server`` + ``tls-auth``, ``key-method``, ``tls-server`` and ``tls-client``. This option requires that ``--disable-occ`` NOT be used. diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst index 8aff5dd9..05ba3ca2 100644 --- a/doc/man-sections/unsupported-options.rst +++ b/doc/man-sections/unsupported-options.rst @@ -19,7 +19,7 @@ longer supported --no-iv Removed in OpenVPN 2.5. This option should not be used as it weakens the - VPN tunnel security. + VPN tunnel security. This has been a NOOP option since OpenVPN 2.4. --no-replay Removed in OpenVPN 2.5. This option should not be used as it weakens the diff --git a/src/openvpn/options.c b/src/openvpn/options.c index e1658472..0f0b37d1 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -7985,11 +7985,6 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); options->mute_replay_warnings = true; } - else if (streq(p[0], "no-iv") && !p[1]) - { - msg(msglevel, - "--no-iv is no longer supported. Remove it from client and server configs."); - } else if (streq(p[0], "replay-persist") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL);
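Review bot: the Changes.rst entry does not state the user-visible consequence of the removal. With the add_option branch for "no-iv" deleted in src/openvpn/options.c, a stale ``no-iv`` line in a config is no longer matched by a dedicated message and falls through to the generic unrecognized-option handling, so the entry should tell administrators to clean the line out of client and server configs before upgrading; the wording of the deleted message ("Remove it from client and server configs.") can be reused here.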
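Review bot: dropping ``no-iv`` from the list of options compared for compatibility in doc/man-sections/server-options.rst (the list that requires ``--disable-occ`` NOT be used) is only consistent if the code that builds that comparison string no longer emits a no-iv element. This patch touches only the add_option parser branch in options.c, so please confirm that options_string() in the same file has already lost its no-iv output, otherwise the man page and the string actually compared disagree.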
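Review bot: the sentence added to doc/man-sections/unsupported-options.rst leaves the --no-iv entry self-contradictory: it first says the option "weakens the VPN tunnel security" and then that it "has been a NOOP option since OpenVPN 2.4", but an option that does nothing cannot weaken anything. Suggest making the version split explicit, e.g. "Removed in OpenVPN 2.5 and a no-op since OpenVPN 2.4. In earlier versions it weakened the VPN tunnel security and should not be used."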
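Review bot: removing the ``no-iv`` branch from add_option also removes the only hint telling a user what to do about a leftover ``no-iv`` line ("--no-iv is no longer supported. Remove it from client and server configs."); after this hunk the line is reported by the generic unrecognized-option path with no mention that the option ever existed. Since the deleted branch used the caller's msglevel, the severity should be unchanged, but please confirm the generic path still reports the option name and config file line so the error stays actionable, and consider pointing users at doc/man-sections/unsupported-options.rst in that message.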
This finalizes the deprecation started in OpenVPN 2.4, where --no-iv was made into a NOOP option.

Signed-off-by: David Sommerseth <davids@openvpn.net>
---
 Changes.rst                              | 3 +++
 doc/man-sections/server-options.rst      | 2 +-
 doc/man-sections/unsupported-options.rst | 2 +-
 src/openvpn/options.c                    | 5 -----
 4 files changed, 5 insertions(+), 7 deletions(-)