Key method 2 has been the default since OpenVPN 2.0, and is both more
functional and secure.  Also, key method 1 was only ever supported for
peer-to-peer connections (i.e. not for client-server).

Let's get rid of some legacy and phase out key method 1.

v2: add Changes.rst entry, and update man page

Signed-off-by: Steffan Karger <stef...@karger.me>
---
 Changes.rst           | 7 +++++++
 doc/openvpn.8         | 5 ++++-
 src/openvpn/options.c | 6 ++++++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/Changes.rst b/Changes.rst
index c1b49c7..17d8edb 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -112,6 +112,13 @@ AIX platform support
     devices since AIX does not provide tun interface.
 
 
+Deprecated features
+-------------------
+- ``--key-method 1`` is deprecated in 2.4 and will be removed in 2.5.  Migrate
+  to ``--key-method 2`` as soon as possible.  Note that this requires changing
+  the option in both the client and server side configs.
+
+
 User-visible Changes
 --------------------
 - For certificate DNs with duplicate fields, e.g. "OU=one,OU=two", both fields
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 863dcf9..7227d22 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4782,7 +4782,10 @@ exchanged over the TLS session.
 
 In method 1 (the default for OpenVPN 1.x), both sides generate
 random encrypt and HMAC-send keys which are forwarded to
-the other host over the TLS channel.
+the other host over the TLS channel. Method 1 is
+.B deprecated in OpenVPN 2.4
+, and
+.B will be removed in OpenVPN 2.5\fR.
 
 In method 2, (the default for OpenVPN 2.0)
 the client generates a random key.  Both client
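Review bot: the troff markup in this hunk will render a stray space before the comma, because `.B deprecated in OpenVPN 2.4` ends the line and the following text line starts with `, and`; the `\fR` on the last `.B` line is also redundant since `.B` already resets the font at end of line. Suggest `.BR "deprecated in OpenVPN 2.4" ,` for the first fragment and plain `.B "will be removed in OpenVPN 2.5"` (without `\fR`) for the second.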
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 1eb3a41..f39c4fa 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2245,6 +2245,12 @@ options_postprocess_verify_ce (const struct options 
*options, const struct conne
          "may accept clients which do not present a certificate");
     }
 
+  if (options->key_method == 1)
+    {
+      msg (M_WARN, "WARNING: --key-method 1 is deprecated and will be removed"
+         "in OpenVPN 2.5.  Migrate to --key-method 2 as soon as possible.");
+    }
+
   if (options->tls_server || options->tls_client)
     {
 #ifdef ENABLE_PKCS11
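Review bot: the two adjacent string literals in the `msg (M_WARN, ...)` call concatenate without a separating space, so the warning prints "will be removedin OpenVPN 2.5"; add a trailing space to the first literal (`"... will be removed "`) or a leading one to the second. Otherwise the check sits correctly in `options_postprocess_verify_ce`, where the other option-consistency warnings live.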
-- 
2.7.4


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
