diff options
author | Steffan Karger | 2016-12-07 20:20:47 +0100 |
---|---|---|
committer | Gert Doering | 2016-12-07 22:06:18 +0100 |
commit | 4969f0d6bba8a82d411f0700c2e8e4efbeccb6c8 (patch) | |
tree | aa0802e34d003e4692995bc719a0a8a1369d5f93 | |
parent | 84f88ca4d57cd0dc40fd945e09ab1cea1b2cd0b7 (diff) | |
download | openvpn-4969f0d6bba8a82d411f0700c2e8e4efbeccb6c8.zip openvpn-4969f0d6bba8a82d411f0700c2e8e4efbeccb6c8.tar.gz |
Deprecate --no-iv
This fixes the bug of supporting --no-iv (since we're only accepting
bugfixes in the current release phase ;) ).
The --no-iv function decreases security if used (CBC *requires*
unpredictable IVs, other modes don't allow --no-iv at all), and even
marginally decreases other user's security by adding unwanted
complexity to our code.
Let's get rid of this.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1481138447-6292-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13430.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
-rw-r--r-- | Changes.rst | 2 | ||||
-rw-r--r-- | doc/openvpn.8 | 4 | ||||
-rw-r--r-- | src/openvpn/options.c | 4 |
3 files changed, 10 insertions, 0 deletions
diff --git a/Changes.rst b/Changes.rst index 9258230..a21c094 100644 --- a/Changes.rst +++ b/Changes.rst @@ -177,6 +177,8 @@ Deprecated features X.509 subject formatting must be updated to the standardized formatting. See the man page for more information. +- ``--no-iv`` is deprecated in 2.4 and will be remove in 2.5. + User-visible Changes -------------------- - For certificate DNs with duplicate fields, e.g. "OU=one,OU=two", both fields diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 290a441..e5619c0 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4399,6 +4399,10 @@ This option only makes sense when replay protection is enabled .\"********************************************************* .TP .B \-\-no\-iv + +.B DEPRECATED +This option will be removed in OpenVPN 2.5. + (Advanced) Disable OpenVPN's use of IV (cipher initialization vector). Don't use this option unless you are prepared to make a tradeoff of greater efficiency in exchange for less diff --git a/src/openvpn/options.c b/src/openvpn/options.c index db1cfe3..f6e0f13 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2238,6 +2238,10 @@ options_postprocess_verify_ce (const struct options *options, const struct conne { msg (M_USAGE, "--no-iv not allowed when NCP is enabled."); } + if (!options->use_iv) + { + msg (M_WARN, "WARNING: --no-iv is deprecated and will be removed in 2.5"); + } /* * Check consistency of replay options |