From patchwork Fri Sep 22 10:38:30 2023
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 3357
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Cc: Heiko Hund
Date: Fri, 22 Sep 2023 12:38:30 +0200
Message-Id: <20230922103830.37151-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH] Remove --no-replay option

Officially deprecated since v2.4. We have warned about using this forever.
It is time to pull the plug.

Change-Id: I58706019add6d348483ba222dd74e1466ff6c709
Signed-off-by: Frank Lichtenheld
Acked-by: Heiko Hund
---

This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/281
This mail reflects revision 3 of this Change.

Acked-by according to Gerrit (reflected above):
Heiko Hund

diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index 14e76b4..675fee4 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst
@@ -366,8 +366,7 @@ order they were received to the TCP/IP protocol stack, provided they satisfy several constraints. - (a) The packet cannot be a replay (unless ``--no-replay`` is - specified, which disables replay protection altogether). + (a) The packet cannot be a replay. (b) If a packet arrives out of order, it will only be accepted if the difference between its sequence number and the highest sequence diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 6b9ad21..80dc77d 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -406,7 +406,7 @@ Options that will be compared for compatibility include ``dev-type``, ``link-mtu``, ``tun-mtu``, ``proto``, ``ifconfig``, ``comp-lzo``, ``fragment``, ``keydir``, ``cipher``, - ``auth``, ``keysize``, ``secret``, ``no-replay``, + ``auth``, ``keysize``, ``secret``, ``tls-auth``, ``key-method``, ``tls-server`` and ``tls-client``. diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst index 5c4e3a0..a0c1232 100644 --- a/doc/man-sections/unsupported-options.rst +++ b/doc/man-sections/unsupported-options.rst @@ -30,8 +30,9 @@ VPN tunnel security. This has been a NOOP option since OpenVPN 2.4. --no-replay - Removed in OpenVPN 2.5. This option should not be used as it weakens the - VPN tunnel security. + Removed in OpenVPN 2.7. This option should not be used as it weakens the + VPN tunnel security. Previously we claimed to have removed this in + OpenVPN 2.5, but this wasn't actually the case. --ns-cert-type Removed in OpenVPN 2.5. The ``nsCertType`` field is no longer supported diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index a77b5a1..e4452d7 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c 
@@ -328,7 +328,7 @@ if (!(opt->flags & CO_MUTE_REPLAY_WARNINGS)) { msg(D_REPLAY_ERRORS, "%s: bad packet ID (may be a replay): %s -- " - "see the man page entry for --no-replay and --replay-window for " + "see the man page entry for --replay-window for " "more info or silence this warning with --mute-replay-warnings", error_prefix, packet_id_net_print(pin, true, gc)); } @@ -942,18 +942,6 @@ return true; } -void -check_replay_consistency(const struct key_type *kt, bool packet_id) -{ - ASSERT(kt); - - if (!packet_id && (cipher_kt_mode_ofb_cfb(kt->cipher) - || cipher_kt_mode_aead(kt->cipher))) - { - msg(M_FATAL, "--no-replay cannot be used with a CFB, OFB or AEAD mode cipher"); - } -} - /* * Generate a random key. */ diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 88f8f44..c5fd253 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -40,7 +40,7 @@ * HMAC at all. * - \b Ciphertext \b IV. The IV size depends on the \c \-\-cipher option. * - \b Packet \b ID, a 32-bit incrementing packet counter that provides replay - * protection (if not disabled by \c \-\-no-replay). + * protection. * - \b Timestamp, a 32-bit timestamp of the current time. * - \b Payload, the plain text network packet to be encrypted (unless * encryption is disabled by using \c \-\-cipher \c none). The payload might @@ -304,8 +304,6 @@ */ int write_key_file(const int nkeys, const char *filename); -void check_replay_consistency(const struct key_type *kt, bool packet_id); - bool check_key(struct key *key, const struct key_type *kt); bool write_key(const struct key *key, const struct key_type *kt, 
@@ -445,7 +443,7 @@ * this and add it themselves. * * @param kt Struct with the crypto algorithm to use - * @param packet_id_size Size of the packet id, can be 0 if no-replay is used + * @param packet_id_size Size of the packet id * @param occ if true calculates the overhead for crypto in the same * incorrect way as all previous OpenVPN versions did, to * end up with identical numbers for OCC compatibility diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 6fb6900..1fe56a2 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3019,17 +3019,14 @@ } /* Initialize packet ID tracking */ - if (options->replay) - { - packet_id_init(&c->c2.crypto_options.packet_id, - options->replay_window, - options->replay_time, - "STATIC", 0); - c->c2.crypto_options.pid_persist = &c->c1.pid_persist; - c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM; - packet_id_persist_load_obj(&c->c1.pid_persist, - &c->c2.crypto_options.packet_id); - } + packet_id_init(&c->c2.crypto_options.packet_id, + options->replay_window, + options->replay_time, + "STATIC", 0); + c->c2.crypto_options.pid_persist = &c->c1.pid_persist; + c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM; + packet_id_persist_load_obj(&c->c1.pid_persist, + &c->c2.crypto_options.packet_id); if (!key_ctx_bi_defined(&c->c1.ks.static_key)) { @@ -3051,9 +3048,6 @@ /* Get key schedule */ c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key; - - /* Sanity check on sequence number, and cipher mode options */ - check_replay_consistency(&c->c1.ks.key_type, options->replay); } /* @@ -3256,9 +3250,6 @@ return; } - /* Sanity check on sequence number, and cipher mode options */ - check_replay_consistency(&c->c1.ks.key_type, options->replay); - /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */ packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher); 
@@ -3279,7 +3270,6 @@ to.ssl_ctx = c->c1.ks.ssl_ctx; to.key_type = c->c1.ks.key_type; to.server = options->tls_server; - to.replay = options->replay; to.replay_window = options->replay_window; to.replay_time = options->replay_time; to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto); @@ -3645,11 +3635,6 @@ } } - if (!o->replay) - { - msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure"); - } - if (o->tls_server) { warn_on_use_of_common_subnets(&c->net_ctx); diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index 132f93c..56db118 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c @@ -52,13 +52,6 @@ unsigned int calc_packet_id_size_dc(const struct options *options, const struct key_type *kt) { - /* Unless no-replay is enabled, we have a packet id, no matter if - * encryption is used or not */ - if (!options->replay) - { - return 0; - } - bool tlsmode = options->tls_server || options->tls_client; bool packet_id_long_form = !tlsmode || cipher_kt_mode_ofb_cfb(kt->cipher); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 90d85be..e9d5720 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -549,7 +549,6 @@ #ifndef ENABLE_CRYPTO_MBEDTLS "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n" #endif - "--no-replay : (DEPRECATED) Disable replay protection.\n" "--mute-replay-warnings : Silence the output of replay warnings to log file.\n" "--replay-window n [t] : Use a replay protection sliding window of size n\n" " and a time window of t seconds.\n" @@ -868,7 +867,6 @@ o->ifconfig_pool_persist_refresh_freq = 600; o->scheduled_exit_interval = 5; o->authname = "SHA1"; - o->replay = true; o->replay_window = DEFAULT_SEQ_BACKTRACK; o->replay_time = DEFAULT_TIME_BACKTRACK; o->key_direction = KEY_DIRECTION_BIDIRECTIONAL; 
@@ -1954,7 +1952,6 @@ #ifndef ENABLE_CRYPTO_MBEDTLS SHOW_BOOL(engine); #endif /* ENABLE_CRYPTO_MBEDTLS */ - SHOW_BOOL(replay); SHOW_BOOL(mute_replay_warnings); SHOW_INT(replay_window); SHOW_INT(replay_time); @@ -2817,16 +2814,6 @@ } /* - * Check consistency of replay options - */ - if (!options->replay - && (options->replay_window != defaults.replay_window - || options->replay_time != defaults.replay_time)) - { - msg(M_USAGE, "--replay-window doesn't make sense when replay protection is disabled with --no-replay"); - } - - /* * SSL/TLS mode sanity checks. */ if (options->tls_server + options->tls_client @@ -4198,7 +4185,6 @@ * --cipher * --auth * --secret - * --no-replay * * SSL Options: * @@ -4364,10 +4350,6 @@ { buf_printf(&out, ",secret"); } - if (!o->replay) - { - buf_printf(&out, ",no-replay"); - } #ifdef ENABLE_PREDICTION_RESISTANCE if (o->use_prediction_resistance) @@ -8670,7 +8652,9 @@ else if (streq(p[0], "no-replay") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); - options->replay = false; + /* always error out, this breaks the connection */ + msg(M_FATAL, "--no-replay was removed in OpenVPN 2.7. " + "Update your configuration."); } else if (streq(p[0], "replay-window") && !p[3]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index f5890b9..5810fd1 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -560,7 +560,6 @@ const char *authname; const char *engine; struct provider_list providers; - bool replay; bool mute_replay_warnings; int replay_window; int replay_time; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index c975dbc..5e6205c 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c 
@@ -1007,12 +1007,9 @@ reliable_set_timeout(ks->send_reliable, session->opt->packet_timeout); /* init packet ID tracker */ - if (session->opt->replay) - { - packet_id_init(&ks->crypto_options.packet_id, - session->opt->replay_window, session->opt->replay_time, "SSL", - ks->key_id); - } + packet_id_init(&ks->crypto_options.packet_id, + session->opt->replay_window, session->opt->replay_time, "SSL", + ks->key_id); ks->crypto_options.pid_persist = NULL; diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 27b0294..d3edc5f 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -310,7 +310,6 @@ const char *remote_options; /* from command line */ - bool replay; bool single_session; bool disable_occ; int mode; diff --git a/tests/unit_tests/openvpn/test_crypto.c b/tests/unit_tests/openvpn/test_crypto.c index 58eebc0..5564524 100644 --- a/tests/unit_tests/openvpn/test_crypto.c +++ b/tests/unit_tests/openvpn/test_crypto.c @@ -247,7 +247,6 @@ /* common defaults */ o.ce.tun_mtu = 1400; - o.replay = true; o.ce.proto = PROTO_UDP; /* No crypto at all */ @@ -334,15 +333,6 @@ linkmtu = calc_options_string_link_mtu(&o, &f); assert_int_equal(linkmtu, 1405); - /* tls client, auth none, cipher none, no-replay */ - o.replay = false; - - linkmtu = calc_options_string_link_mtu(&o, &f); - assert_int_equal(linkmtu, 1401); - - - o.replay = true; - /* tls client, auth SHA1, cipher AES-256-GCM */ o.authname = "SHA1"; o.ciphername = "AES-256-GCM"; @@ -378,7 +368,6 @@ /* common defaults */ o.ce.tun_mtu = 1400; o.ce.mssfix = 1000; - o.replay = true; o.ce.proto = PROTO_UDP; /* No crypto at all */
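Review bot: The new ``--no-replay`` entry in unsupported-options.rst should say what happens when the option is still present in a config, because the entry directly above it describes a NOOP option while the options.c hunk makes this one abort with M_FATAL. A sentence such as "OpenVPN 2.7 refuses to start if this option is present" keeps the man page in step with the new error message instead of leaving the reader to assume it is ignored.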
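Review bot: With check_replay_consistency() deleted from crypto.c and its declaration from crypto.h, the invariant it enforced (a packet ID is always present when a CFB, OFB or AEAD cipher is in use) now holds by construction, since packet_id_init() is called unconditionally in both the static-key path in init.c and the TLS path in ssl.c. A one-line comment next to the packet_id_long_form assignment in init.c, where the call was removed, would spare the next reader from searching for the old check.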
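Review bot: Dropping ",no-replay" from the options string built in options.c (the @@ -4364 hunk) is consistent with removing ``no-replay`` from the compared-options list in server-options.rst, but an older peer that still has --no-replay configured will now send an options string this version never produces and will fail OCC comparison with an options-mismatch warning rather than the previous replay-consistency error. That expected behaviour towards old peers is worth a sentence in the commit message.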
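Review bot: In the options.c "no-replay" branch, the VERIFY_PERMISSION(OPT_P_GENERAL) call ahead of msg(M_FATAL, ...) is left over from when the option set a flag; now that the branch unconditionally aborts, either drop the permission check or state in the comment that a pushed "no-replay" is meant to fail the permission check before reaching the fatal error. The comment "always error out, this breaks the connection" would also read better if it gave the reason: replay protection is now always on, so a configuration that expects packets without packet IDs cannot interoperate, and a hard error at parse time is more useful than a failure after the handshake.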
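Review bot: The case removed from test_crypto.c was the only assertion that isolated the packet-ID contribution to the link MTU (1401 without replay versus 1405 with it). The remaining assertions still cover the packet ID implicitly, but a short comment on the surviving 1405 assertion saying that four of those bytes are the now-unconditional packet ID would keep that coverage visible instead of losing it silently.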