A simple clean-up where the version references have been unified
all those places I could find now. The versioning scheme used is:
* OpenVPN 2.x
* v2.x
We want to avoid:
* 2.x (2.4 can be just an ordindary decimal number,
OID reference, a version number or anything else)
* OpenVPN v2.x (OpenVPN indicates we're talking about a version)
In addition, several places where it made sense I tried to ensure
the first version reference uses "OpenVPN 2.x" and the following
references in the same section/paragraph uses "v2.x", to set the
context for the version reference.
In Changes.rst modified paragraphs exceeding 80 chars lines where
reformatted as well.
Signed-off-by: David Sommerseth <dav...@openvpn.net>
---
Changes.rst | 52 ++++++++++++++++++----------------
doc/openvpn.8 | 34 +++++++++++-----------
sample/sample-config-files/client.conf | 2 +-
sample/sample-config-files/server.conf | 4 +--
src/openvpn/options.c | 8 +++---
5 files changed, 51 insertions(+), 49 deletions(-)
diff --git a/Changes.rst b/Changes.rst
index 4358f78b..0999a835 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -161,25 +161,26 @@ Asynchronous push reply
Deprecated features
-------------------
-- ``--key-method 1`` is deprecated in 2.4 and will be removed in 2.5. Migrate
- away from ``--key-method 1`` as soon as possible. The recommended approach
- is to remove the ``--key-method`` option from the configuration files,
OpenVPN
- will then use ``--key-method 2`` by default. Note that this requires
changing
- the option in both the client and server side configs.
+- ``--key-method 1`` is deprecated in OpenVPN 2.4 and will be removed in v2.5.
+ Migrate away from ``--key-method 1`` as soon as possible. The recommended
+ approach is to remove the ``--key-method`` option from the configuration
+ files, OpenVPN will then use ``--key-method 2`` by default. Note that this
+ requires changing the option in both the client and server side configs.
-- ``--tls-remote`` is removed in 2.4, as indicated in the 2.3 man-pages.
Similar
- functionality is provided via ``--verify-x509-name``, which does the same
job in
- a better way.
+- ``--tls-remote`` is removed in OpenVPN 2.4, as indicated in the v2.3
+ man-pages. Similar functionality is provided via ``--verify-x509-name``,
+ which does the same job in a better way.
-- ``--compat-names`` and ``--no-name-remapping`` were deprecated in 2.3 and
will
- be removed in 2.5. All scripts and plug-ins depending on the old
non-standard
- X.509 subject formatting must be updated to the standardized formatting. See
- the man page for more information.
+- ``--compat-names`` and ``--no-name-remapping`` were deprecated in OpenVPN 2.3
+ and will be removed in v2.5. All scripts and plug-ins depending on the old
+ non-standard X.509 subject formatting must be updated to the standardized
+ formatting. See the man page for more information.
-- ``--no-iv`` is deprecated in 2.4 and will be removed in 2.5.
+- ``--no-iv`` is deprecated in OpenVPN 2.4 and will be removed in v2.5.
-- ``--keysize`` is deprecated and will be removed in v2.6 together
- with the support of ciphers with cipher block size less than 128 bits.
+- ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6
+ together with the support of ciphers with cipher block size less than
+ 128-bits.
User-visible Changes
@@ -302,7 +303,7 @@ Maintainer-visible changes
files instead of older ones, to provide a unified behaviour across systemd
based Linux distributions.
-- With OpenVPN v2.4, the project has moved over to depend on and actively use
+- With OpenVPN 2.4, the project has moved over to depend on and actively use
the official C99 standard (-std=c99). This may fail on some older
compiler/libc
header combinations. In most of these situations it is recommended to
use -std=gnu99 in CFLAGS. This is known to be needed when doing
@@ -324,7 +325,7 @@ New features
Security
--------
- CVE-2017-7522: Fix ``--x509-track`` post-authentication remote DoS
- A client could crash a 2.4+ mbedtls server, if that server uses the
+ A client could crash a v2.4+ mbedtls server, if that server uses the
``--x509-track`` option and the client has a correct, signed and unrevoked
certificate that contains an embedded NUL in the certificate subject.
Discovered and reported to the OpenVPN security team by Guido Vranken.
@@ -381,7 +382,7 @@ User-visible Changes
Bugfixes
--------
- Fix fingerprint calculation in mbed TLS builds. This means that mbed TLS
users
- of OpenVPN 2.4.0, 2.4.1 and 2.4.2 that rely on the values of the
+ of OpenVPN 2.4.0, v2.4.1 and v2.4.2 that rely on the values of the
``tls_digest_*`` env vars, or that use ``--verify-hash`` will have to change
the fingerprint values they check against. The security impact of the
incorrect calculation is very minimal; the last few bytes (max 4, typically
@@ -410,17 +411,18 @@ Version 2.4.2
Bugfixes
--------
-- Fix memory leak introduced in 2.4.1: if ``--remote-cert-tls`` is used, we
leaked
- some memory on each TLS (re)negotiation.
+- Fix memory leak introduced in OpenVPN 2.4.1: if ``--remote-cert-tls`` is
+ used, we leaked some memory on each TLS (re)negotiation.
Security
--------
-- Fix a pre-authentication denial-of-service attack on both clients and
servers.
- By sending a too-large control packet, OpenVPN 2.4.0 or 2.4.1 can be forced
- to hit an ASSERT() and stop the process. If ``--tls-auth`` or
``--tls-crypt``
- is used, only attackers that have the ``--tls-auth`` or ``--tls-crypt`` key
- can mount an attack. (OSTIF/Quarkslab audit finding 5.1, CVE-2017-7478)
+- Fix a pre-authentication denial-of-service attack on both clients and
+ servers. By sending a too-large control packet, OpenVPN 2.4.0 or v2.4.1 can
+ be forced to hit an ASSERT() and stop the process. If ``--tls-auth`` or
+ ``--tls-crypt`` is used, only attackers that have the ``--tls-auth`` or
+ ``--tls-crypt`` key can mount an attack.
+ (OSTIF/Quarkslab audit finding 5.1, CVE-2017-7478)
- Fix an authenticated remote DoS vulnerability that could be triggered by
causing a packet id roll over. An attack is rather inefficient; a peer
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 056ae145..2d22fb57 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -1994,7 +1994,7 @@ could be either
.B execve
or
.B system.
-As of OpenVPN v2.3, this flag is no longer accepted. In most *nix
environments the execve()
+As of OpenVPN 2.3, this flag is no longer accepted. In most *nix environments
the execve()
approach has been used without any issues.
Some directives such as \-\-up allow options to be passed to the external
@@ -2006,7 +2006,7 @@ To run scripts in Windows in earlier OpenVPN
versions you needed to either add a full path to the script interpreter which
can parse the
script or use the
.B system
-flag to run these scripts. As of OpenVPN v2.3 it is now a strict requirement
to have
+flag to run these scripts. As of OpenVPN 2.3 it is now a strict requirement
to have
full path to the script interpreter when running non-executables files.
This is not needed for executable files, such as .exe, .com, .bat or .cmd
files. For
example, if you have a Visual Basic script, you must use this syntax now:
@@ -2201,7 +2201,7 @@ passwords, or key pass phrases anymore. This has certain
consequences,
namely that using a password-protected private key will fail unless the
.B \-\-askpass
option is used to tell OpenVPN to ask for the pass phrase (this
-requirement is new in 2.3.7, and is a consequence of calling daemon()
+requirement is new in v2.3.7, and is a consequence of calling daemon()
before initializing the crypto layer).
Further, using
@@ -2474,7 +2474,7 @@ The
parameter may be "lzo", "lz4", or empty. LZO and LZ4
are different compression algorithms, with LZ4 generally
offering the best performance with least CPU usage.
-For backwards compatibility with OpenVPN versions before 2.4, use "lzo"
+For backwards compatibility with OpenVPN versions before v2.4, use "lzo"
(which is identical to the older option "\-\-comp\-lzo yes").
If the
@@ -3678,7 +3678,7 @@ is less secure than requiring certificates from all
clients.
.B Please note:
-This option is now deprecated and will be removed in OpenVPN v2.5.
+This option is now deprecated and will be removed in OpenVPN 2.5.
It is replaced by
.B \-\-verify\-client\-cert
which allows for more flexibility. The option
@@ -3745,7 +3745,7 @@ rather than the common name from the client cert.
.\"*********************************************************
.TP
.B \-\-compat\-names [no\-remapping] (DEPRECATED)
-Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted
+Until OpenVPN 2.3 the format of the X.509 Subject fields was formatted
like this:
.IP
.B
@@ -3763,13 +3763,13 @@ option, this old formatting and remapping will be
re-enabled again. This is
purely implemented for compatibility reasons when using older plug-ins or
scripts which does not handle the new formatting or UTF-8 characters.
.IP
-In OpenVPN v2.3 the formatting of these fields changed into a more
+In OpenVPN 2.3 the formatting of these fields changed into a more
standardised format. It now looks like:
.IP
.B
C=US, L=Somewhere, CN=John Doe, emailAddress=j...@example.com
.IP
-The new default format in OpenVPN v2.3 also does not do the character remapping
+The new default format in OpenVPN 2.3 also does not do the character remapping
which happened earlier. This new format enables proper support for UTF\-8
characters in the usernames, X.509 Subject fields and Common Name variables and
it complies to the RFC 2253, UTF\-8 String Representation of Distinguished
@@ -3789,7 +3789,7 @@ carriage-return. no-remapping is only available on the
server side.
.B Please note:
This option is immediately deprecated. It is only implemented
to make the transition to the new formatting less intrusive. It will be
-removed in OpenVPN v2.5. So please update your scripts/plug-ins where
necessary.
+removed in OpenVPN 2.5. So please update your scripts/plug-ins where
necessary.
.\"*********************************************************
.TP
.B \-\-no\-name\-remapping (DEPRECATED)
@@ -3802,7 +3802,7 @@ It ensures compatibility with server configurations using
the
option.
.B Please note:
-This option is now deprecated. It will be removed in OpenVPN v2.5.
+This option is now deprecated. It will be removed in OpenVPN 2.5.
So please make sure you support the new X.509 name formatting
described with the
.B \-\-compat\-names
@@ -4204,8 +4204,8 @@ will inherit the cipher of the peer if that cipher is
different from the local
.B \-\-cipher
setting, but the peer cipher is one of the ciphers specified in
.B \-\-ncp\-ciphers\fR.
-E.g. a non-NCP client (<=2.3, or with \-\-ncp\-disabled set) connecting to a
-NCP server (2.4+) with "\-\-cipher BF-CBC" and "\-\-ncp-ciphers
+E.g. a non-NCP client (<=v2.3, or with \-\-ncp\-disabled set) connecting to a
+NCP server (v2.4+) with "\-\-cipher BF-CBC" and "\-\-ncp-ciphers
AES-256-GCM:AES-256-CBC" set can either specify "\-\-cipher BF-CBC" or
"\-\-cipher AES-256-CBC" and both will work.
@@ -5010,8 +5010,8 @@ response.
(required) is a file in OpenVPN static key format which can be generated by
.B \-\-genkey
-Older versions (up to 2.3) supported a freeform passphrase file.
-This is no longer supported in newer versions (2.4+).
+Older versions (up to OpenVPN 2.3) supported a freeform passphrase file.
+This is no longer supported in newer versions (v2.4+).
See the
.B \-\-secret
@@ -5568,7 +5568,7 @@ Write key to
.B file.
.\"*********************************************************
.SS TUN/TAP persistent tunnel config mode:
-Available with linux 2.4.7+. These options comprise a standalone mode
+Available with Linux 2.4.7+. These options comprise a standalone mode
of OpenVPN which can be used to create and delete persistent tunnels.
.\"*********************************************************
.TP
@@ -5895,7 +5895,7 @@ flag.
.TP
.B \-\-dhcp\-release
Ask Windows to release the TAP adapter lease on shutdown.
-This option has no effect now, as it is enabled by default starting with
version 2.4.1.
+This option has no effect now, as it is enabled by default starting with
OpenVPN 2.4.1.
.\"*********************************************************
.TP
.B \-\-register\-dns
@@ -6178,7 +6178,7 @@ isprint() function to return true.
.B \-\-client\-config\-dir filename as derived from common name or username:
Alphanumeric, underbar ('_'), dash ('-'), and dot ('.') except for "." or
-".." as standalone strings. As of 2.0.1-rc6, the at ('@') character has
+".." as standalone strings. As of v2.0.1-rc6, the at ('@') character has
been added as well for compatibility with the common name character class.
.B Environmental variable names:
diff --git a/sample/sample-config-files/client.conf
b/sample/sample-config-files/client.conf
index f5c69e34..5fd4a948 100644
--- a/sample/sample-config-files/client.conf
+++ b/sample/sample-config-files/client.conf
@@ -110,7 +110,7 @@ tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
-# Note that 2.4 client/server will automatically
+# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC
diff --git a/sample/sample-config-files/server.conf
b/sample/sample-config-files/server.conf
index aa7d5b39..1dd477bd 100644
--- a/sample/sample-config-files/server.conf
+++ b/sample/sample-config-files/server.conf
@@ -246,13 +246,13 @@ tls-auth ta.key 0 # This file is secret
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
-# Note that 2.4 client/server will automatically
+# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC
# Enable compression on the VPN link and push the
-# option to the client (2.4+ only, for earlier
+# option to the client (v2.4+ only, for earlier
# versions see below)
;compress lz4-v2
;push "compress lz4-v2"
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index ef7009c1..5346fcdc 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -6186,7 +6186,7 @@ add_option(struct options *options,
else if (streq(p[0], "max-routes") && !p[2])
{
msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored."
- "The number of routes is unlimited as of version 2.4. "
+ "The number of routes is unlimited as of OpenVPN 2.4. "
"This option will be removed in a future version, "
"please remove it from your configuration.");
}
@@ -7016,7 +7016,7 @@ add_option(struct options *options,
VERIFY_PERMISSION(OPT_P_GENERAL);
if (streq(p[1], "env"))
{
- msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN v2.3.
"
+ msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3.
"
"This entry will now be ignored. "
"Please remove this entry from your configuration file.");
}
@@ -7862,7 +7862,7 @@ add_option(struct options *options,
msg(msglevel, "you cannot use --compat-names with
--verify-x509-name");
goto err;
}
- msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your
configuration. This will be removed in OpenVPN v2.5.");
+ msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your
configuration. This will be removed in OpenVPN 2.5.");
compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES);
#if P2MP_SERVER
if (p[1] && streq(p[1], "no-remapping"))
@@ -7878,7 +7878,7 @@ add_option(struct options *options,
msg(msglevel, "you cannot use --no-name-remapping with
--verify-x509-name");
goto err;
}
- msg(M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update
your configuration. This will be removed in OpenVPN v2.5.");
+ msg(M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update
your configuration. This will be removed in OpenVPN 2.5.");
compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES);
compat_flag(COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING);
#endif
--
2.11.0
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
