Hi,

On 14 November 2016 at 22:35, David Sommerseth <open...@sf.lists.topphemmelig.net> wrote:
> On 14/11/16 21:06, Steffan Karger wrote:
>> Key method 2 has been the default since OpenVPN 2.0, and is both
>> more functional and secure. Also, key method 1 was only ever
>> supported for peer-to-peer connections (i.e. not for
>> client-server).
>>
>> Let's get rid of some legacy and phase out key method 1.
>>
>> v2: add Changes.rst entry, and update man page
>>
>> Signed-off-by: Steffan Karger <stef...@karger.me>
>> ---
>>  Changes.rst           | 7 +++++++
>>  doc/openvpn.8         | 5 ++++-
>>  src/openvpn/options.c | 6 ++++++
>>  3 files changed, 17 insertions(+), 1 deletion(-)
>
> I wanted to give this an ACK ... but I think we should just remove it
> altogether as we seem to be in a broken state already.
>
> /usr/sbin/openvpn --dev tun --local 192.168.122.1 --lport 1194 \
> --remote 192.168.122.100 --rport 194 \
> --secret ../../sample/sample-keys/ta.key 0 \
> --ifconfig 10.8.0.10 10.8.0.20 --verb 3 \
> --key-method 1
> Options error: Parameter key_method can only be specified in TLS-mode,
> i.e. where --tls-server or --tls-client is also specified.
> Use --help for more information.
>
> That is with /usr/sbin/openvpn --version:
> OpenVPN 2.3.11 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL]
> [PKCS11] [MH] [IPv6] built on May 10 2016
>
> So unless I messed up my simple and stupid static key p2p mode tunnel,
> this doesn't work at all with v2.3. And git master hasn't "fixed"
> this issue.
>
> If nobody noticed this by now, then nobody really uses --key-method.
Well, the options parser is right: --key-method should be used together
with --tls-server and --tls-client. Use e.g. the loopback-server and
loopback-client configs from sample/sample-configs to test this.

-Steffan

------------------------------------------------------------------------------
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
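The TLS-mode loopback pair Steffan points to, as an added example that is neither part of the thread nor the sample configs shipped in the OpenVPN tree: it writes a tls-server/tls-client pair that sets key-method 2 (the only mode in which the options parser accepts it), writes the static-key p2p tunnel from David's report as a config file (rport 194 kept as reported), and runs a small check mirroring the parser rule quoted above. The certificate, key and DH file names under sample/sample-keys, the loopback ports and the use of dev null are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenVPN tree. Writes a TLS-mode
# loopback server/client pair (the only mode in which the options parser
# accepts --key-method) next to the static-key p2p config from the report,
# and checks each config against the parser's rule. Key, cert and DH file
# names under sample/sample-keys are assumed; dev null avoids needing a tun.
set -eu

# Write loopback-server.conf and loopback-client.conf into $1.
write_loopback_configs() {
    dir=$1
    mkdir -p "$dir"

    cat >"$dir/loopback-server.conf" <<'EOF'
# TLS loopback test, server side (assumed key paths)
local 127.0.0.1
lport 16000
remote 127.0.0.1
rport 16001
dev null
tls-server
ca sample/sample-keys/ca.crt
cert sample/sample-keys/server.crt
key sample/sample-keys/server.key
dh sample/sample-keys/dh2048.pem
key-method 2
reneg-sec 10
ping 1
inactive 120 10000000
verb 3
EOF

    cat >"$dir/loopback-client.conf" <<'EOF'
# TLS loopback test, client side (assumed key paths)
local 127.0.0.1
lport 16001
remote 127.0.0.1
rport 16000
dev null
tls-client
ca sample/sample-keys/ca.crt
cert sample/sample-keys/client.crt
key sample/sample-keys/client.key
key-method 2
reneg-sec 10
ping 1
inactive 120 10000000
verb 3
EOF
}

# Write the static-key p2p tunnel from the report into $1 as a config file.
# It uses --secret, so there is no TLS mode and the parser rejects key-method.
write_static_p2p_config() {
    dir=$1
    mkdir -p "$dir"
    cat >"$dir/static-p2p.conf" <<'EOF'
# Static-key p2p tunnel as reported (ports and paths copied from the report)
dev tun
local 192.168.122.1
lport 1194
remote 192.168.122.100
rport 194
secret ../../sample/sample-keys/ta.key 0
ifconfig 10.8.0.10 10.8.0.20
verb 3
key-method 1
EOF
}

# The rule the options parser enforces: key-method is only meaningful with
# tls-server or tls-client. Returns 1 (like openvpn's "Options error") when a
# config sets key-method without selecting a TLS mode.
key_method_needs_tls() {
    conf=$1
    if grep -q '^key-method' "$conf" && ! grep -Eq '^tls-(server|client)' "$conf"; then
        echo "Options error: key-method without --tls-server/--tls-client in $conf" >&2
        return 1
    fi
    return 0
}

# Run both loopback ends against each other; assumes openvpn is on PATH and
# the script is run from the OpenVPN source root so the sample key paths resolve.
run_loopback() {
    dir=$1
    openvpn --config "$dir/loopback-server.conf" &
    srv=$!
    openvpn --config "$dir/loopback-client.conf" &
    cli=$!
    wait "$srv" "$cli"
}
```

From the OpenVPN source root, `write_loopback_configs ./lb && run_loopback ./lb` starts the two ends against each other; `key_method_needs_tls ./lb/static-p2p.conf` reproduces the rejection seen in the report without invoking the binary, which is useful when checking a batch of configs before deployment.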