Am 25.03.21 um 01:01 schrieb Arne Schwabe:
> The non-TLS mode is a relic from OpenVPN 1.x or 2.0. When TLS mode was
> introduced, the advantages of TLS over non-TLS were small, but TLS mode
> evolved to include a lot more features (NCP, multipeer, AEAD ciphers, to name
> a few).
>
> Today, VPNs that use --secret are mainly used because of their relative ease of
> setup and not requiring the setup of a PKI. This shortcoming of TLS mode should be
> addressed now with the peer-fingerprint option.
>
> Signed-off-by: Arne Schwabe <a...@rfc2549.org>
NAK.

Arne, I find the reasons you present to withdraw the symmetric non-TLS mode too weak to justify its deprecation or removal. Yes, TLS-based configurations may be more feature-rich, but those are not mandatory and we should not paternalize the users here. Is there a considerable technical debt to keeping the --secret option?

WireGuard seems to be becoming quite popular and it provides low-ceremony setups - just as openvpn --secret does.

And to make a blunt point, it's not useless just because it's old, else we should nuke DNS and SMTP.

Regards,
Matthias

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
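For readers following the thread, here is a side-by-side configuration example, added here and not taken from the patch, the replies, or the OpenVPN project's own documentation: the low-ceremony static-key setup that --secret provides, beside the TLS-mode setup that uses --peer-fingerprint to pin the peer's self-signed certificate instead of requiring a CA. Hostnames, file names and the fingerprint value are constructed placeholders; the generation commands in the comments are standard OpenVPN and OpenSSL invocations.

```conf
# ===== Static key mode (--secret): one shared key file, no PKI =====
# peer-a.conf  (constructed example; peer-b.conf mirrors it with swapped ifconfig addresses)
dev tun
proto udp
remote vpn-peer-b.example.net 1194      # placeholder hostname
ifconfig 10.8.0.1 10.8.0.2
# The same static.key must be copied out-of-band to both peers;
# generated once with:  openvpn --genkey secret static.key
secret static.key
# Risk to keep in mind: one pre-shared symmetric key, no per-session key
# agreement features beyond what static mode offers, and no way to
# rotate it per peer without redistributing the file.

# ===== TLS mode with --peer-fingerprint: per-peer self-signed certs, no CA =====
# server.conf  (constructed example)
dev tun
proto udp
port 1194
tls-server
ifconfig 10.8.0.1 10.8.0.2
cert server.crt           # self-signed certificate, no CA needed
key server.key
dh none                   # ECDH only; no DH parameter file required
# SHA256 fingerprint of the client's certificate (placeholder value).
# Obtain it on the client with:
#   openssl x509 -in client.crt -noout -fingerprint -sha256
# Only a certificate matching one of the listed fingerprints is accepted;
# --ca is then optional.
peer-fingerprint 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f

# client.conf  (constructed example)
dev tun
proto udp
remote vpn-server.example.net 1194      # placeholder hostname
tls-client
ifconfig 10.8.0.2 10.8.0.1
cert client.crt
key client.key
# SHA256 fingerprint of server.crt (placeholder value), pinned the same way.
peer-fingerprint 1f:1e:1d:1c:1b:1a:19:18:17:16:15:14:13:12:11:10:0f:0e:0d:0c:0b:0a:09:08:07:06:05:04:03:02:01:00
```

The point of the comparison is operational: both setups need exactly one secret exchanged out-of-band (a key file in the first, a certificate fingerprint in the second), but the fingerprint variant keeps TLS-mode key agreement and per-peer credentials, and a compromised or retired peer is removed by dropping one fingerprint line rather than by re-keying every peer. The fingerprint must be compared against the certificate actually deployed on the peer; a stale fingerprint after a certificate renewal is the most common way this check fails closed.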