Following the removal of --no-iv, and as suggested by both recent audits (and done by OpenVPN-NL for 7 years now), it's time to get rid of the --no-replay option.
The only valid use case I can imagine is to slightly reduce the per-packet overhead for setups that do not use any authentication mechanism, but I do not believe that warrants keeping an option around that generally reduces security and makes our code more complex. (If this patch is accepted, I'll send a follow-up patch to remove the option from the master branch.) Signed-off-by: Steffan Karger <stef...@karger.me> --- Changes.rst | 8 ++++++++ doc/openvpn.8 | 4 ++++ src/openvpn/options.c | 7 ++++++- 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/Changes.rst b/Changes.rst index 0b2b04dd..39d83a2d 100644 --- a/Changes.rst +++ b/Changes.rst @@ -306,6 +306,14 @@ Maintainer-visible changes i386/i686 builds on RHEL5. +Version 2.4.4 +============= + +Deprecated features +------------------- +- ``--no-replay`` is deprecated and will be removed in OpenVPN 2.5. + + Version 2.4.3 ============= diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 20bdd91b..3600b8fa 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4257,6 +4257,10 @@ supported by OpenSSL. .\"********************************************************* .TP .B \-\-no\-replay + +.B DEPRECATED +This option will be removed in OpenVPN 2.5. + (Advanced) Disable OpenVPN's protection against replay attacks. Don't use this option unless you are prepared to make a tradeoff of greater efficiency in exchange for less diff --git a/src/openvpn/options.c b/src/openvpn/options.c index a84878ef..5246cb5a 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -545,7 +545,7 @@ static const char usage_message[] = #ifndef ENABLE_CRYPTO_MBEDTLS "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n" #endif - "--no-replay : Disable replay protection.\n" + "--no-replay : (DEPRECATED) Disable replay protection.\n" "--mute-replay-warnings : Silence the output of replay warnings to log file.\n" "--replay-window n [t] : Use a replay protection sliding window of size n\n" " and a time window of t seconds.\n" @@ -2484,6 +2484,11 @@ options_postprocess_verify_ce(const struct options *options, const struct connec msg(M_USAGE, "NCP cipher list contains unsupported ciphers."); } + if (!options->replay) + { + msg(M_WARN, "WARNING: --no-replay is DEPRECATED and will be removed in 2.5"); + } + /* * Check consistency of replay options */ -- 2.11.0 _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
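Review bot: in the Changes.rst hunk, the new "Deprecated features" entry under Version 2.4.4 states only that ``--no-replay`` is deprecated, while the rationale (the option turns off replay protection and both audits recommended dropping it) lives only in the commit message; consider adding a short reason to the release note so readers of Changes.rst know this is a security-motivated removal, not a cosmetic cleanup.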
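Review bot: in the doc/openvpn.8 hunk, the DEPRECATED marker is followed by the unchanged paragraph "Don't use this option unless you are prepared to make a tradeoff of greater efficiency in exchange for less", which still reads as an endorsement of the option; suggest trimming that sentence to match the deprecation notice and pointing users who need to tune overhead at --replay-window (visible in the usage_message hunk) instead of disabling replay protection altogether.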
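Review bot: in the options.c hunk at @@ -2484,6 +2484,11 @@, the warning is emitted from options_postprocess_verify_ce(), which, judging from the _ce suffix and the connection-entry argument, runs once per connection entry, so a config with several <connection> blocks will log the same WARNING line once per block; consider issuing it from the non-per-entry verification path or guarding it so it prints a single time. Also, the string says "removed in 2.5" while Changes.rst and the man page say "OpenVPN 2.5"; using the same wording in all three places keeps the messages consistent.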