@@ -1,3 +1,15 @@
+Overview of changes in 2.7
+==========================
+``secret`` support has been removed by default.
+ static key mode (non-TLS) is no longer considered "good and secure enough"
+ for today's requirements. Use TLS mode instead. If deploying a PKI CA
+ is considered "too complicated", using ``--peer-fingerprint`` makes
+ TLS mode about as easy as using ``--secret``.
+
+ This mode can still be enabled by using
+ ``--allow-deprecated-insecure-static-crypto`` but will be removed in
+ OpenVPN 2.8.
+
Overview of changes in 2.6
==========================
@@ -69,20 +69,20 @@
$ openvpn --tls-crypt-v2 v2crypt-server.key --genkey tls-crypt-v2-client v2crypt-client-1.key
* Generating *Shared Secret Keys*
- Generate a shared secret, for use with the ``--secret``, ``--tls-auth``
+ Generate a shared secret, for use with the ``--tls-auth``
or ``--tls-crypt`` options.
Syntax:
::
- $ openvpn --genkey secret|tls-crypt|tls-auth keyfile
+ $ openvpn --genkey tls-crypt|tls-auth keyfile
- The key is saved in ``keyfile``. All three variants (``--secret``,
- ``tls-crypt`` and ``tls-auth``) generate the same type of key. The
- aliases are added for convenience.
+ The key is saved in ``keyfile``. Both variants (``tls-crypt`` and
+ ``tls-auth``) generate the same type of key. The aliases are added for
+ convenience.
- If using this for ``--secret``, this file must be shared with the peer
- over a pre-existing secure channel such as ``scp``\(1).
+ This file must be shared with the peer over a pre-existing secure
+ channel such as ``scp``\(1).
* Generating *TLS Crypt v2 Server key*
Generate a ``--tls-crypt-v2`` key to be used by an OpenVPN server.
@@ -3,7 +3,7 @@
OpenVPN allows including files in the main configuration for the ``--ca``,
``--cert``, ``--dh``, ``--extra-certs``, ``--key``, ``--pkcs12``,
-``--secret``, ``--crl-verify``, ``--http-proxy-user-pass``, ``--tls-auth``,
+``--crl-verify``, ``--http-proxy-user-pass``, ``--tls-auth``,
``--auth-gen-token-secret``, ``--peer-fingerprint``, ``--tls-crypt``,
``--tls-crypt-v2`` and ``--verify-hash`` options.
@@ -226,10 +226,7 @@
Ping remote over the TCP/UDP control channel if no packets have been
sent for at least ``n`` seconds (specify ``--ping`` on both peers to
cause ping packets to be sent in both directions since OpenVPN ping
- packets are not echoed like IP ping packets). When used in one of
- OpenVPN's secure modes (where ``--secret``, ``--tls-server`` or
- ``--tls-client`` is specified), the ping packet will be
- cryptographically secure.
+ packets are not echoed like IP ping packets).
This option has two intended uses:
@@ -427,8 +424,7 @@
received by the prior session.
This option only makes sense when replay protection is enabled (the
- default) and you are using either ``--secret`` (shared-secret key mode)
- or TLS mode with ``--tls-auth``.
+ default) and you are using TLS mode with ``--tls-auth``.
--session-timeout n
Raises :code:`SIGTERM` for the client instance after ``n`` seconds since
@@ -73,9 +73,7 @@
configured on the data channel, however, later versions usually
ignored this directive in favour of a negotiated cipher.
Starting with 2.6.0, this option is always ignored in TLS mode
- when it comes to configuring the cipher and will only control the
- cipher for ``--secret`` pre-shared-key mode (note: this mode is
- deprecated and strictly not recommended).
+ when it comes to configuring the cipher.
If you wish to specify the cipher to use on the data channel,
please see ``--data-ciphers`` (for regular negotiation) and
@@ -182,7 +180,7 @@
--key-direction
Alternative way of specifying the optional direction parameter for the
- ``--tls-auth`` and ``--secret`` options. Useful when using inline files
+ ``--tls-auth`` option. Useful when using inline files
(See section on inline files).
--data-ciphers cipher-list
@@ -234,54 +232,10 @@
have been configured with ``--enable-small``
(typically used on routers or other embedded devices).
---secret args
- **DEPRECATED** Enable Static Key encryption mode (non-TLS). Use pre-shared secret
- ``file`` which was generated with ``--genkey``.
- Valid syntaxes:
- ::
-
- secret file
- secret file direction
-
- The optional ``direction`` parameter enables the use of 4 distinct keys
- (HMAC-send, cipher-encrypt, HMAC-receive, cipher-decrypt), so that each
- data flow direction has a different set of HMAC and cipher keys. This
- has a number of desirable security properties including eliminating
- certain kinds of DoS and message replay attacks.
-
- When the ``direction`` parameter is omitted, 2 keys are used
- bidirectionally, one for HMAC and the other for encryption/decryption.
-
- The ``direction`` parameter should always be complementary on either
- side of the connection, i.e. one side should use :code:`0` and the other
- should use :code:`1`, or both sides should omit it altogether.
-
- The ``direction`` parameter requires that ``file`` contains a 2048 bit
- key. While pre-1.5 versions of OpenVPN generate 1024 bit key files, any
- version of OpenVPN which supports the ``direction`` parameter, will also
- support 2048 bit key file generation using the ``--genkey`` option.
-
- Static key encryption mode has certain advantages, the primary being
- ease of configuration.
-
- There are no certificates or certificate authorities or complicated
- negotiation handshakes and protocols. The only requirement is that you
- have a pre-existing secure channel with your peer (such as ``ssh``) to
- initially copy the key. This requirement, along with the fact that your
- key never changes unless you manually generate a new one, makes it
- somewhat less secure than TLS mode (see below). If an attacker manages
- to steal your key, everything that was ever encrypted with it is
- compromised. Contrast that to the perfect forward secrecy features of
- TLS mode (using Diffie Hellman key exchange), where even if an attacker
- was able to steal your private key, he would gain no information to help
- him decrypt past sessions.
-
- Another advantageous aspect of Static Key encryption mode is that it is
- a handshake-free protocol without any distinguishing signature or
- feature (such as a header or protocol handshake sequence) that would
- mark the ciphertext packets as being generated by OpenVPN. Anyone
- eavesdropping on the wire would see nothing but random-looking data.
+--allow-deprecated-insecure-static-crypto
+ **DEPRECATED** This allow using OpenVPN without TLS. This is deprecated
+ and will be removed in OpenVPN 2.8.
--tran-window n
Transition window -- our old key can live this many seconds after a new
@@ -406,7 +406,7 @@
Options that will be compared for compatibility include ``dev-type``,
``link-mtu``, ``tun-mtu``, ``proto``, ``ifconfig``,
``comp-lzo``, ``fragment``, ``keydir``, ``cipher``,
- ``auth``, ``keysize``, ``secret``,
+ ``auth``, ``keysize``,
``tls-auth``, ``key-method``, ``tls-server``
and ``tls-client``.
@@ -295,8 +295,24 @@
Older versions (up to OpenVPN 2.3) supported a freeform passphrase file.
This is no longer supported in newer versions (v2.4+).
- See the ``--secret`` option for more information on the optional
- ``direction`` parameter.
+ The optional ``direction`` parameter enables the use of 2 distinct keys
+ (HMAC-send, HMAC-receive), so that each
+ data flow direction has a different HMAC key. This has a number of desirable
+ security properties including eliminating certain kinds of DoS and message
+ replay attacks.
+
+ When the ``direction`` parameter is omitted, the same key is used
+ bidirectionally.
+
+ The ``direction`` parameter should always be complementary on either
+ side of the connection, i.e. one side should use :code:`0` and the other
+ should use :code:`1`, or both sides should omit it altogether.
+
+ The ``direction`` parameter requires that ``file`` contains a 2048 bit
+ key. While pre-1.5 versions of OpenVPN generate 1024 bit key files, any
+ version of OpenVPN which supports the ``direction`` parameter, will also
+ support 2048 bit key file generation using the ``--genkey`` option.
+
``--tls-auth`` is recommended when you are running OpenVPN in a mode
where it is listening for packets from any IP address, such as when
@@ -531,12 +531,6 @@
"\n"
"Data Channel Encryption Options (must be compatible between peers):\n"
"(These options are meaningful for both Static Key & TLS-mode)\n"
- "--secret f [d] : (DEPRECATED) Enable Static Key encryption mode (non-TLS).\n"
- " Use shared secret file f, generate with --genkey.\n"
- " The optional d parameter controls key directionality.\n"
- " If d is specified, use separate keys for each\n"
- " direction, set d=0 on one side of the connection,\n"
- " and d=1 on the other side.\n"
"--auth alg : Authenticate packets with HMAC using message\n"
" digest algorithm alg (default=%s).\n"
" (usually adds 16 or 20 bytes per packet)\n"
@@ -619,14 +613,12 @@
" control channel to protect against attacks on the TLS stack\n"
" and DoS attacks.\n"
" f (required) is a shared-secret key file.\n"
- " The optional d parameter controls key directionality,\n"
- " see --secret option for more info.\n"
+ " The optional d parameter controls key directionality.\n"
"--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
" of the TLS control channel to hide the TLS certificate,\n"
" provide basic post-quantum security and protect against\n"
" attacks on the TLS stack and DoS attacks.\n"
" key (required) provides the pre-shared key file.\n"
- " see --secret option for more info.\n"
"--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
" For servers: use key to decrypt client-specific keys. For\n"
" key generation (--genkey tls-crypt-v2-client): use key to\n"
@@ -759,8 +751,8 @@
#endif /* ifdef _WIN32 */
"\n"
"Generate a new key :\n"
- "--genkey secret file : Generate a new random key of type and write to file\n"
- " (for use with --secret, --tls-auth or --tls-crypt)."
+ "--genkey tls-auth file : Generate a new random key of type and write to file\n"
+ " (for use with --tls-auth or --tls-crypt)."
#ifdef ENABLE_FEATURE_TUN_PERSIST
"\n"
"Tun/tap config mode (available with linux 2.4+):\n"
@@ -2823,11 +2815,21 @@
if (!options->tls_server && !options->tls_client)
{
- msg(M_INFO, "DEPRECATION: No tls-client or tls-server option in "
- "configuration detected. OpenVPN 2.7 will remove the "
+ int msglevel = M_USAGE;
+ if (options->allow_deprecated_insecure_static_crypto)
+ {
+ msglevel = M_INFO;
+ }
+
+ msg(msglevel, "DEPRECATION: No tls-client or tls-server option in "
+ "configuration detected. OpenVPN 2.8 will remove the "
"functionality to run a VPN without TLS. "
"See the examples section in the manual page for "
- "examples of a similar quick setup with peer-fingerprint.");
+ "examples of a similar quick setup with peer-fingerprint."
+ "OpenVPN 2.7 allows using this configuration when using "
+ "--allow-deprecated-insecure-static-crypto but you should move"
+ "to a proper configuration using TLS as soon as possible."
+ );
}
if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
@@ -8515,6 +8517,12 @@
}
}
}
+ else if (streq(p[0], "allow-deprecated-insecure-static-crypto"))
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->allow_deprecated_insecure_static_crypto = true;
+
+ }
else if (streq(p[0], "genkey") && !p[4])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
@@ -552,6 +552,7 @@
/* Cipher parms */
const char *shared_secret_file;
bool shared_secret_file_inline;
+ bool allow_deprecated_insecure_static_crypto;
int key_direction;
const char *ciphername;
bool enable_ncp_fallback; /**< If defined fall back to
@@ -97,7 +97,7 @@
for cipher in ${CIPHERS}
do
test_start "Testing cipher ${cipher}... "
- ( "${openvpn}" --test-crypto --secret key.$$ --cipher ${cipher} ) >log.$$ 2>&1
+ ( "${openvpn}" --test-crypto --secret key.$$ --allow-deprecated-insecure-static-crypto --cipher ${cipher} ) >log.$$ 2>&1
test_end $? log.$$
done