Re: [Openvpn-devel] [PATCH] Deprecate --keysize

Tue, 15 Aug 2017 02:18:10 -0700 

2017-08-15 13:32 GMT+05:00 Antonio Quartulli <a...@unstable.cc>:

>
>
> On 15/08/17 16:26, Илья Шипицин wrote:
> > 2017-08-14 15:36 GMT+05:00 David Sommerseth <
> > open...@sf.lists.topphemmelig.net>:
> >
> >> On 01/07/17 13:29, Steffan Karger wrote:
> >>
> >> So I propose:
> >>
> >> - We add the warning about removing --keysize for both v2.4 and v2.5.
> >>
> >> - Add a warning in v2.4 and v2.5 that ciphers with block sizes < 128
> >>   bits will be *removed* in v2.6
> >>
> >> - When removing those ciphers in v2.6, we can remove --keysize together
> >>   with the ciphers, as it will no longer be valid.  But --keysize needs
> >>   to be a NOP for some time (with a warning it has no effect), to avoid
> >>   OpenVPN stopping to run on upgrades.
> >>
> >> - Ensure these changes are synchronised within OpenVPN 3 as well
> >>
> >> - Start a new wiki page: "How-To: Migrate to secure and modern
> >>   OpenVPN configurations" where we list all deprecated features/options
> >>   and their replacement (including examples).  We also need to have a
> >>   description on the reasoning for deprecating and removing these
> >>   options.
> >>
> >
> > there are special cases like Mikrotik openvpn (pretty popular), where
> > user simply use what hardware vendor installed (without possibility to
> > recompile).
> >
> > should we contact such hardware vendors as well ?
>
> there might be an non-predictable number of vendors shipping their own
> openvpn version. We can't contact them all. It's their responsibility to
> stay behind the changes in what they ship.
>
> If they don't, their users will complain aloud with them ;)
>
> On top of that, this does not prevent users from using their own config,
> right? So they can still configure the client to avoid deprecated options.
>

you cannot use regular openvpn config with Mikrotik
https://wiki.mikrotik.com/wiki/OpenVPN

you can use mikrotik configuration options


>
>
> Cheers,
>
> --
> Antonio Quartulli
>
>

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to