@@ -235,7 +235,7 @@ configured in a compatible way between both the local and remote side.
disables cipher negotiation.
--secret args
- Enable Static Key encryption mode (non-TLS). Use pre-shared secret
+ **DEPRECATED** Enable Static Key encryption mode (non-TLS). Use pre-shared secret
``file`` which was generated with ``--genkey``.
Valid syntaxes:
@@ -514,7 +514,7 @@ static const char usage_message[] =
"\n"
"Data Channel Encryption Options (must be compatible between peers):\n"
"(These options are meaningful for both Static Key & TLS-mode)\n"
- "--secret f [d] : Enable Static Key encryption mode (non-TLS).\n"
+ "--secret f [d] : (DEPRECATED) Enable Static Key encryption mode (non-TLS).\n"
" Use shared secret file f, generate with --genkey.\n"
" The optional d parameter controls key directionality.\n"
" If d is specified, use separate keys for each\n"
@@ -2564,6 +2564,15 @@ options_postprocess_verify_ce(const struct options *options,
msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
}
+ if (!options->tls_server || !options->tls_client)
+ {
+ msg(M_INFO, "DEPRECATION: No tls-client or tls-server option in "
+ "configuration detected. OpenVPN 2.7 will remove the "
+ "functionality to run a VPN without TLS. "
+ "See the examples section in the manual page for "
+ "examples of a similar quick setup with peer-fingerprint.");
+ }
+
if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
{
msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
@@ -7868,6 +7877,7 @@ add_option(struct options *options,
}
else if (streq(p[0], "secret") && p[1] && !p[3])
{
+ msg(M_WARN, "DEPRECATED OPTION: The option --secret is deprecated. ");
VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
options->shared_secret_file = p[1];
options->shared_secret_file_inline = is_inline;
The non-TLS mode is a relict from OpenVPN 1.x or 2.0. When tls mode was introduce the advantages of TLS over non-tls were small but tls mode evolved to include a lot more features. (NCP, multipeer, AEAD ciphers to name a few). Today VPN that use --secret are mainly used because of its relative easy to setup and requiring to setup a PKI. This shortcoming of TLS mode should be addressed now with the peer-fingerprint option. Signed-off-by: Arne Schwabe <arne@rfc2549.org> --- doc/man-sections/protocol-options.rst | 2 +- src/openvpn/options.c | 12 +++++++++++- 2 files changed, 12 insertions(+), 2 deletions(-)