On 25.03.21 at 20:57, Antonio Quartulli wrote:
> Hi,
>
> On 25/03/2021 20:29, Matthias Andree wrote:
>> I find the reasons you present to withdraw the symmetric non-TLS mode
>> too weak to justify its deprecation or removal. Yes, TLS-based
>> configurations may be more feature-rich, but those are not mandatory and
>> we should not paternalize the users here. Is there a considerable
>> technical debt to keeping the --secret option? WireGuard seems to be
>> becoming quite popular and it provides low-ceremony setups - just as
>> openvpn --secret does.
>>
> The new --peer-fingerprint option offers a similar "quick setup" feature
> that old users of --secret may want to switch to.
>
>> And to make a blunt point, it's not useless just because it's old, else
>> we should nuke DNS and SMTP.
> It's not about being old. It's about being insecure.
>
> With --secret (i.e. PSK encryption) there is no key renegotiation/rotation.
> This means IVs will be eventually re-used, which translates to
> encryption losing part of its strength.
>
> This is unacceptable and users should be prevented from hitting this
> situation.
OK, I withdraw my NAK.

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
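The argument quoted in the thread (a static key with no renegotiation means IVs eventually repeat, and a repeat costs confidentiality) can be made concrete. The following is an added example, not code from the thread or from OpenVPN: it uses HMAC-SHA256 in counter mode as a standard-library stand-in for AES-CTR, shows that two messages encrypted under the same (key, IV) leak the XOR of their plaintexts, applies the birthday bound to estimate how many messages a random IV of a given width survives, and sketches the mitigation Antonio refers to, a per-key message budget that forces a rekey. The IV widths, probability budgets and sample plaintexts are constructed for illustration and are not OpenVPN's parameters.

```python
# Added example for this thread; not OpenVPN code. It illustrates the point
# made above: under a static key with no rotation, IV reuse becomes a
# certainty, and in a CTR-style cipher IV reuse leaks the XOR of plaintexts.
# HMAC-SHA256 in counter mode stands in for AES-CTR so this runs with the
# standard library alone; the algebra c = p XOR keystream(key, iv) is the same.
# IV sizes and budgets below are chosen for illustration, not OpenVPN's values.
import hashlib
import hmac
import math
import os


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Deterministic keystream derived from (key, iv): same inputs, same bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: ciphertext = plaintext XOR keystream."""
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def xor_leak(c1: bytes, c2: bytes) -> bytes:
    """XOR of two ciphertexts. If both used the same (key, iv), the keystream
    cancels and the result is exactly p1 XOR p2, so knowing either plaintext
    reveals the other. This is the "losing part of its strength" in the thread."""
    return xor_bytes(c1, c2)


def collision_probability(iv_bits: int, n: int) -> float:
    """Birthday bound: probability that n uniformly random iv_bits-bit IVs
    contain at least one repeat."""
    return 1.0 - math.exp(-n * (n - 1) / 2 ** (iv_bits + 1))


def messages_until_probability(iv_bits: int, p: float) -> int:
    """Smallest n (birthday approximation) at which the repeat probability
    reaches p. This is the message budget one key may carry."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(1.0 / (1.0 - p))))


class RotatingKey:
    """The mitigation the thread asks for: count messages per key and rekey
    before the IV-repeat probability exceeds a chosen budget."""

    def __init__(self, iv_bits: int, max_collision_prob: float):
        if iv_bits % 8:
            raise ValueError("iv_bits must be a multiple of 8")
        self.iv_bytes = iv_bits // 8
        self.limit = messages_until_probability(iv_bits, max_collision_prob)
        self.generation = 0
        self.used = 0
        self.key = os.urandom(32)

    def encrypt(self, plaintext: bytes):
        """Returns (key generation, iv, ciphertext); rotates the key once the
        per-key message budget is spent."""
        if self.used >= self.limit:
            self.key = os.urandom(32)
            self.generation += 1
            self.used = 0
        iv = os.urandom(self.iv_bytes)
        self.used += 1
        return self.generation, iv, encrypt(self.key, iv, plaintext)


if __name__ == "__main__":
    # Constructed sample: one static key, one repeated IV, two equal-length messages.
    key = os.urandom(32)
    iv = os.urandom(8)
    p1 = b"static key, message one "
    p2 = b"static key, message two "
    leak = xor_leak(encrypt(key, iv, p1), encrypt(key, iv, p2))
    print("IV reuse leaks p1 XOR p2:", leak == xor_bytes(p1, p2))
    print("p2 recovered from the leak plus p1:", xor_bytes(leak, p1) == p2)
    print("64-bit random IVs, messages until a 50% repeat chance:",
          messages_until_probability(64, 0.5))
    rk = RotatingKey(iv_bits=16, max_collision_prob=0.01)
    for _ in range(100):
        rk.encrypt(b"tunnel packet")
    print("16-bit IVs, 1% budget: per-key limit", rk.limit, "rekeys so far", rk.generation)
```

The birthday-bound figures are the reason rotation, not IV width alone, is the fix: a random 64-bit IV reaches even odds of a repeat after roughly five billion messages, and a session that never renegotiates simply keeps counting. A budget-enforcing wrapper like `RotatingKey` is what a key-renegotiation mechanism provides; a static `--secret` has no such mechanism, which is the thread's objection.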