@@ -39,7 +39,6 @@
http-proxy 192.168.0.8 8080
</connection>
- persist-key
persist-tun
pkcs12 client.p12
remote-cert-tls server
@@ -302,17 +302,6 @@
Change process priority after initialization (``n`` greater than 0 is
lower priority, ``n`` less than zero is higher priority).
---persist-key
- Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``.
-
- This option can be combined with ``--user`` to allow restarts
- triggered by the :code:`SIGUSR1` signal. Normally if you drop root
- privileges in OpenVPN, the daemon cannot be restarted since it will now
- be unable to re-read protected key files.
-
- This option solves the problem by persisting keys across :code:`SIGUSR1`
- resets, so they don't need to be re-read.
-
--providers providers
Load the list of (OpenSSL) providers. This is mainly useful for using an
external provider for key management like tpm2-openssl or to load the
@@ -402,7 +391,7 @@
Like with chroot, complications can result when scripts or restarts are
executed after the setcon operation, which is why you should really
- consider using the ``--persist-key`` and ``--persist-tun`` options.
+ consider using the ``--persist-tun`` option.
--status args
Write operational status to ``file`` every ``n`` seconds. ``n`` defaults
@@ -283,7 +283,7 @@
See the signals section below for more information on :code:`SIGUSR1`.
Note that the behavior of ``SIGUSR1`` can be modified by the
- ``--persist-tun``, ``--persist-key``, ``--persist-local-ip`` and
+ ``--persist-tun``, ``--persist-local-ip`` and
``--persist-remote-ip`` options.
Also note that ``--ping-exit`` and ``--ping-restart`` are mutually
@@ -452,7 +452,7 @@
``--route``, ``--route-gateway``, ``--route-delay``,
``--redirect-gateway``, ``--ip-win32``, ``--dhcp-option``, ``--dns``,
``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``,
- ``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``,
+ ``--setenv``, ``--auth-token``, ``--persist-tun``,
``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``,
``--rcvbuf``, ``--session-timeout``
@@ -10,9 +10,8 @@
Like :code:`SIGHUP``, except don't re-read configuration file, and
possibly don't close and reopen TUN/TAP device, re-read key files,
preserve local IP address/port, or preserve most recently authenticated
- remote IP address/port based on ``--persist-tun``, ``--persist-key``,
- ``--persist-local-ip`` and ``--persist-remote-ip`` options respectively
- (see above).
+ remote IP address/port based on ``--persist-tun``, ``--persist-local-ip``
+ and ``--persist-remote-ip`` options respectively (see above).
This signal may also be internally generated by a timeout condition,
governed by the ``--ping-restart`` option.
@@ -42,3 +42,6 @@
--prng
Removed in OpenVPN 2.6. We now always use the PRNG of the SSL library.
+
+--persist-key
+ Removed in OpenVPN 2.7. Corresponding behavior is now always enabled.
\ No newline at end of file
@@ -62,7 +62,6 @@
;group openvpn
# Try to preserve some state across restarts.
-persist-key
persist-tun
# If you are connecting through an
@@ -278,7 +278,6 @@
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
-persist-key
persist-tun
# Output a short status file showing
@@ -73,7 +73,6 @@
; ping-restart 45
; ping-timer-rem
; persist-tun
-; persist-key
# Verbosity level.
# 0 -- quiet except for fatal errors.
@@ -76,7 +76,6 @@
; ping-restart 45
; ping-timer-rem
; persist-tun
-; persist-key
# Verbosity level.
# 0 -- quiet except for fatal errors.
@@ -89,7 +89,6 @@
; ping-restart 60
; ping-timer-rem
; persist-tun
-; persist-key
; resolv-retry 86400
# keep-alive ping
@@ -3559,14 +3559,6 @@
{
msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
}
- if (!o->persist_key
-#ifdef ENABLE_PKCS11
- && !o->pkcs11_id
-#endif
- )
- {
- msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
- }
}
if (o->chroot_dir && !(o->username && o->groupname))
@@ -3635,6 +3627,7 @@
}
}
+
struct context_buffers *
init_context_buffers(const struct frame *frame)
{
@@ -3857,7 +3850,7 @@
do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
{
/*
- * always free the tls_auth/crypt key. If persist_key is true, the key will
+ * always free the tls_auth/crypt key. The key will
* be reloaded from memory (pre-cached)
*/
free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key);
@@ -3866,7 +3859,7 @@
buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
free_buf(&c->c1.ks.tls_crypt_v2_wkc);
- if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
+ if (!(c->sig->signal_received == SIGUSR1))
{
key_schedule_free(&c->c1.ks, free_ssl_ctx);
}
@@ -48,7 +48,7 @@
/*
* Our global key schedules, packaged thusly
- * to facilitate --persist-key.
+ * to facilitate key persistence.
*/
struct key_schedule
@@ -273,7 +273,6 @@
"--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
"--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
"--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
- "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
#if PASSTOS_CAPABILITY
"--passtos : TOS passthrough (applies to IPv4 only).\n"
#endif
@@ -1857,7 +1856,6 @@
SHOW_BOOL(persist_tun);
SHOW_BOOL(persist_local_ip);
SHOW_BOOL(persist_remote_ip);
- SHOW_BOOL(persist_key);
#if PASSTOS_CAPABILITY
SHOW_BOOL(passtos);
@@ -3240,18 +3238,16 @@
ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline;
}
- /* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and
+ /* Pre-cache tls-auth/crypt(-v2) key file if
* keys were not already embedded in the config file.
*/
- if (o->persist_key)
- {
- connection_entry_preload_key(&ce->tls_auth_file,
- &ce->tls_auth_file_inline, &o->gc);
- connection_entry_preload_key(&ce->tls_crypt_file,
- &ce->tls_crypt_file_inline, &o->gc);
- connection_entry_preload_key(&ce->tls_crypt_v2_file,
- &ce->tls_crypt_v2_file_inline, &o->gc);
- }
+ connection_entry_preload_key(&ce->tls_auth_file,
+ &ce->tls_auth_file_inline, &o->gc);
+ connection_entry_preload_key(&ce->tls_crypt_file,
+ &ce->tls_crypt_file_inline, &o->gc);
+ connection_entry_preload_key(&ce->tls_crypt_v2_file,
+ &ce->tls_crypt_v2_file_inline, &o->gc);
+
if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)
{
@@ -6963,7 +6959,10 @@
else if (streq(p[0], "persist-key") && !p[1])
{
VERIFY_PERMISSION(OPT_P_PERSIST);
- options->persist_key = true;
+ msg(M_WARN, "DEPRECATED: --persist-key option ignored."
+ "The corresponding behavior is now always enabled."
+ "This option will be removed in a future version, "
+ "please remove it from your configuration.");
}
else if (streq(p[0], "persist-local-ip") && !p[1])
{
@@ -344,7 +344,6 @@
bool persist_tun; /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */
bool persist_local_ip; /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */
bool persist_remote_ip; /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */
- bool persist_key; /* Don't re-read key files on SIGUSR1 or PING_RESTART */
#if PASSTOS_CAPABILITY
bool passtos;
Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/529?usp=email to review the following change. Change subject: Persist-key: enable persist-key option by default ...................................................................... Persist-key: enable persist-key option by default This commit changes the default behavior of the OpenVPN configuration to enable the persist-key option by default. This means that all the key file content will be kept in memory throughout the lifetime of the VPN connection. Fixes: Trac #1405 Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com> --- M doc/man-sections/connection-profiles.rst M doc/man-sections/generic-options.rst M doc/man-sections/link-options.rst M doc/man-sections/server-options.rst M doc/man-sections/signals.rst M doc/man-sections/unsupported-options.rst M sample/sample-config-files/client.conf M sample/sample-config-files/server.conf M sample/sample-config-files/tls-home.conf M sample/sample-config-files/tls-office.conf M sample/sample-windows/sample.ovpn M src/openvpn/init.c M src/openvpn/openvpn.h M src/openvpn/options.c M src/openvpn/options.h 15 files changed, 24 insertions(+), 48 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/29/529/1