Following the removal of --no-iv, and as suggested by both recent audits
(and done by OpenVPN-NL for 7 years now), it's time to get rid of the
--no-replay option.
The only valid use case I can imagine is to slightly reduce the per-packet
overhead for setups that do not use any authentication mechanism, but I
do not believe that warrants keeping an option around that generally
reduces security and makes our code more complex.
(If this patch is accepted, I'll send a follow-up patch to remove the
option from the master branch.)
Signed-off-by: Steffan Karger <stef...@karger.me>
---
Changes.rst | 8 ++++++++
doc/openvpn.8 | 4 ++++
src/openvpn/options.c | 7 ++++++-
3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/Changes.rst b/Changes.rst
index 0b2b04dd..39d83a2d 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -306,6 +306,14 @@ Maintainer-visible changes
i386/i686 builds on RHEL5.
+Version 2.4.4
+=============
+
+Deprecated features
+-------------------
+- ``--no-replay`` is deprecated and will be removed in OpenVPN 2.5.
+
+
Version 2.4.3
=============
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 20bdd91b..3600b8fa 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4257,6 +4257,10 @@ supported by OpenSSL.
.\"*********************************************************
.TP
.B \-\-no\-replay
+
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5.
+
(Advanced) Disable OpenVPN's protection against replay attacks.
Don't use this option unless you are prepared to make
a tradeoff of greater efficiency in exchange for less
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index a84878ef..5246cb5a 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -545,7 +545,7 @@ static const char usage_message[] =
#ifndef ENABLE_CRYPTO_MBEDTLS
"--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
#endif
- "--no-replay : Disable replay protection.\n"
+ "--no-replay : (DEPRECATED) Disable replay protection.\n"
"--mute-replay-warnings : Silence the output of replay warnings to log
file.\n"
"--replay-window n [t] : Use a replay protection sliding window of size
n\n"
" and a time window of t seconds.\n"
@@ -2484,6 +2484,11 @@ options_postprocess_verify_ce(const struct options
*options, const struct connec
msg(M_USAGE, "NCP cipher list contains unsupported ciphers.");
}
+ if (!options->replay)
+ {
+ msg(M_WARN, "WARNING: --no-replay is DEPRECATED and will be removed in
2.5");
+ }
+
/*
* Check consistency of replay options
*/
--
2.11.0
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
