On 11/10/17 10:05, Yevgeny Kosarzhevsky wrote:
> Hello,
>
> what is going to replace key-direction in future versions?
> Or will use use direction 2 by default without any alternatives?
>

--key-direction is not on the list of deprecated features [1]. That said, only --tls-auth uses that option, but the --key-direction can also be provided via the --tls-auth as well. The --tls-crypt option will handle the --key-direction automatically and does not depend on that at all.

[1] <https://community.openvpn.net/openvpn/wiki/DeprecatedOptions>

On the other hand, *--key-method* is deprecated and will be removed. This feature is not providing any advantage at all, and was basically added around the time OpenVPN 2.0 arrived (maybe even older?), to support the very first versions of OpenVPN. Since we do not support any OpenVPN version older than v2.3 (v2.2 and v2.1 may occasionally get some security backports to the git tree, but no official releases are made), this option provides no useful feature - in fact, it can in many aspects weaken the tunnel security by using --key-method 1.

The default unless --key-method is provided is 2. And it will stay like that for the foreseeable future. If that needs to be improved later on, we will most likely try to negotiate that automatically and not depend on a configuration option.

If you (or anyone else, for that matter) are using --key-method 1 today, get rid of it NOW. Don't wait. You should not use the --key-method option at all.

--
kind regards,

David Sommerseth
OpenVPN, Inc
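A small config audit for the options discussed in this message, as an added example that is not part of the original post and not OpenVPN project code. The function name, severity labels and sample config are assumptions made for illustration.

```python
import shlex

def audit_openvpn_config(text):
    """Return (line_no, level, message) findings for one OpenVPN config."""
    findings, seen = [], {}
    inline = None  # name of the inline <tag> block being skipped, if any
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline:  # key material inside <tag>...</tag> is not a directive
            inline = None if line == f"</{inline}>" else inline
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            seen.setdefault(inline, no)
            continue
        try:
            words = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quote: fall back to a naive split
            words = line.split()
        if not words:
            continue
        # Tolerate the command-line spelling with leading dashes.
        name, args = words[0].lstrip("-"), words[1:]
        seen.setdefault(name, no)
        if name == "key-method":
            if args[:1] == ["1"]:
                findings.append((no, "HIGH", "key-method 1 weakens the tunnel; remove it"))
            else:
                findings.append((no, "WARN", "key-method is deprecated, 2 is the default; remove it"))
        elif name == "tls-auth" and len(args) >= 2:
            findings.append((no, "INFO", f"direction {args[1]} given as tls-auth argument"))
        elif name == "key-direction" and args:
            findings.append((no, "INFO", f"direction {args[0]} given by key-direction"))
    if "key-direction" in seen and "tls-crypt" in seen and "tls-auth" not in seen:
        findings.append((seen["key-direction"], "INFO",
                         "key-direction not needed: tls-crypt handles direction itself"))
    return findings

# Constructed sample config (not from the mailing-list post).
SAMPLE = """\
remote vpn.example.net 1194
key-method 1
; key-method 2
key-direction 1
<tls-auth>
key-method 1   (constructed stand-in for key material, must be skipped)
</tls-auth>
"""
```

Calling `audit_openvpn_config(SAMPLE)` reports the `key-method 1` directive on line 2 and the direction set on line 4; the commented-out directive and the text inside the inline block are ignored.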
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users