Key method 2 has been the default since OpenVPN 2.0, and is both more functional and secure. Also, key method 1 was only ever supported for peer-to-peer connections (i.e. not for client-server).
Let's get rid of some legacy and phase out key method 1. v2: add Changes.rst entry, and update man page Signed-off-by: Steffan Karger <stef...@karger.me> --- Changes.rst | 7 +++++++ doc/openvpn.8 | 5 ++++- src/openvpn/options.c | 6 ++++++ 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/Changes.rst b/Changes.rst index c1b49c7..17d8edb 100644 --- a/Changes.rst +++ b/Changes.rst @@ -112,6 +112,13 @@ AIX platform support devices since AIX does not provide tun interface. +Deprecated features +------------------- +- ``--key-method 1`` is deprecated in 2.4 and will be removed in 2.5. Migrate + to ``--key-method 2`` as soon as possible. Note that this requires changing + the option in both the client and server side configs. + + User-visible Changes -------------------- - For certificate DNs with duplicate fields, e.g. "OU=one,OU=two", both fields diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 863dcf9..7227d22 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4782,7 +4782,10 @@ exchanged over the TLS session. In method 1 (the default for OpenVPN 1.x), both sides generate random encrypt and HMAC-send keys which are forwarded to -the other host over the TLS channel. +the other host over the TLS channel. Method 1 is +.B deprecated in OpenVPN 2.4 +, and +.B will be removed in OpenVPN 2.5\fR. In method 2, (the default for OpenVPN 2.0) the client generates a random key. Both client diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 1eb3a41..f39c4fa 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -2245,6 +2245,12 @@ options_postprocess_verify_ce (const struct options *options, const struct conne "may accept clients which do not present a certificate"); } + if (options->key_method == 1) + { + msg (M_WARN, "WARNING: --key-method 1 is deprecated and will be removed" + "in OpenVPN 2.5. Migrate to --key-method 2 as soon as possible."); + } + if (options->tls_server || options->tls_client) { #ifdef ENABLE_PKCS11 -- 2.7.4
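Review bot: the Changes.rst hunk tells users that migrating "requires changing the option in both the client and server side configs", but the commit message states that key method 1 was only ever supported for peer-to-peer connections, not client-server, so there are no client and server configs to update in the affected deployments. Suggest wording it as "on both ends of the connection" so the entry matches the commit message and doesn't send client/server admins looking for a setting they cannot have.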
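Review bot: in the doc/openvpn.8 hunk the line `, and` that follows `.B deprecated in OpenVPN 2.4` will render with a space before the comma, because troff treats the input line break as word separation; punctuation that must hug bold text goes through the alternating macro, e.g. `.BR "deprecated in OpenVPN 2.4" ", and"`. The next line, `.B will be removed in OpenVPN 2.5\fR.`, works (the `\fR` keeps the period roman and unspaced) but mixes inline font escapes with the man macros; `.BR "will be removed in OpenVPN 2.5" .` is the conventional form used elsewhere in the page.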
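Review bot: the warning text in the src/openvpn/options.c hunk is missing a space at the literal boundary: `"... will be removed"` followed by `"in OpenVPN 2.5. ..."` concatenates to "will be removedin OpenVPN 2.5". Add the space to the end of the first literal (`"... will be removed "`) or the start of the second. Since this is the only runtime signal operators get that their config will stop working in 2.5, it is worth a quick build and log check that the message reads correctly.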