[Openvpn-devel,XS] Change in openvpn[master]: Deprecate tls-exit option

Message ID a1bf80443338441974ace210af06709901293179-HTML@gerrit.openvpn.net
State Superseded
Series [Openvpn-devel,XS] Change in openvpn[master]: Deprecate tls-exit option

Commit Message

flichtenheld (Code Review) Nov. 20, 2023, 11:17 a.m. UTC
Attention is currently required from: flichtenheld.

Hello flichtenheld,

I'd like you to do a code review.
Please visit


to review the following change.

Change subject: Deprecate tls-exit option

Deprecate tls-exit option

This option is questionable and I cannot see any reason to actually use it.

Change-Id: I93afff2372c4150d6bddc8c07fd4ebc8bfb0cc3e
M Changes.rst
M doc/man-sections/tls-options.rst
M src/openvpn/options.c
3 files changed, 7 insertions(+), 2 deletions(-)

  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/47/447/1


diff --git a/Changes.rst b/Changes.rst
index 3676dce..922f78d 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -10,6 +10,10 @@ 
     ``--allow-deprecated-insecure-static-crypto`` but will be removed in
     OpenVPN 2.8.
+```tls-exit``` has been deprecated since it is unclear what the use case
+    for this option is. If you have a valid use case, please reach out since
+    the will otherwise be removed in the future.
 Overview of changes in 2.6
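Review bot: the new Changes.rst entry has markup and wording problems. It wraps the option in triple backticks (```tls-exit```), which is not valid reStructuredText inline-literal syntax; the neighbouring entry uses double backticks and the full option spelling with dashes (``--allow-deprecated-insecure-static-crypto``), so this should be ``--tls-exit``. The added line also starts at column 0 while the continuation lines of the surrounding entries are indented four spaces, so check that it renders as its own list entry rather than running into the previous one. Finally, "since the will otherwise be removed" should read "since it will otherwise be removed", and it would help to name the release in which removal is planned, as the preceding entry does with "OpenVPN 2.8".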
diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst
index 908a42a..da5f362 100644
--- a/doc/man-sections/tls-options.rst
+++ b/doc/man-sections/tls-options.rst
@@ -553,7 +553,7 @@ 
-  Exit on TLS negotiation failure.
+  **DEPRECATED** Exit on TLS negotiation failure.
 --tls-export-cert directory
   Store the certificates the clients use upon connection to this
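Review bot: the man page change only prepends **DEPRECATED** and leaves the reader with no indication of why the option is deprecated or what to do about it, while the Changes.rst entry in this same change explains that no use case is known and asks affected users to reach out. Suggest adding a sentence after "Exit on TLS negotiation failure." such as "This option has no known use case and will be removed in a future release; please contact the developers if you rely on it." so both documents say the same thing.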
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 2594b66..5eb1a45 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -608,7 +608,7 @@ 
     "--tran-window n : Transition window -- old key can live this many seconds\n"
     "                  after new key renegotiation begins (default=%d).\n"
     "--single-session: Allow only one session (reset state on restart).\n"
-    "--tls-exit      : Exit on TLS negotiation failure.\n"
+    "--tls-exit      : (DEPRECATED) Exit on TLS negotiation failure.\n"
     "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
     "                  control channel to protect against attacks on the TLS stack\n"
     "                  and DoS attacks.\n"
@@ -8960,6 +8960,7 @@ 
     else if (streq(p[0], "tls-exit") && !p[1])
+        msg(M_WARN, "DEPRECATED OPTION: The option --tls-exit is deprecated.");
         options->tls_exit = true;
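Review bot: the msg() call is inserted directly under the `else if (streq(p[0], "tls-exit") && !p[1])` line and no opening brace is visible in the hunk. If that body is really a single unbraced statement, adding a second statement makes only the msg() conditional and `options->tls_exit = true;` would then execute for every option that reaches this branch; please confirm the body is enclosed in braces (OpenVPN's style requires braces on every block). Separately, the warning text "The option --tls-exit is deprecated." could state the planned removal and the request for feedback that Changes.rst gives, so users who only see the log line know how to respond.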