| author | Arne Schwabe | 2019-06-13 15:48:29 +0200 |
|---|---|---|
| committer | Gert Doering | 2019-07-05 12:32:49 +0200 |
| commit | 0d80b562e48a243c36dba9f1f66c3da6e3b3eb98 (patch) | |
| tree | 9b62beb562f672478362efccefc9351d372123ef /doc | |
| parent | 9f04bf189981517162d82549886f7496497b69a8 (diff) | |
| download | openvpn-0d80b562e48a243c36dba9f1f66c3da6e3b3eb98.zip, openvpn-0d80b562e48a243c36dba9f1f66c3da6e3b3eb98.tar.gz | |
Implement --genkey type keyfile syntax and migrate tls-crypt-v2
This unifies our key generation and also migrates the generation
of the tls-crypt-v2 keys. Since tls-crypt-v2 is not included in any
released version, we remove the old syntax without compatibility.
PATCH V4: Introduce warning/error when using --secret with --genkey
Update non code usages to use new --genkey syntax
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20190613134834.5709-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18524.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'doc')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | doc/openvpn.8 | 85 |
1 files changed, 46 insertions, 39 deletions
diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 9e152fb..4185ffe 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -5244,7 +5244,7 @@ Use client\-specific tls\-crypt keys. For clients, .B keyfile is a client\-specific tls\-crypt key. Such a key can be generated using the -.B \-\-tls\-crypt\-v2\-genkey +.B \-\-genkey tls\-crypt\-v2\-client option. For servers, @@ -5252,7 +5252,7 @@ For servers, is used to unwrap client\-specific keys supplied by the client during connection setup. This key must be the same as the key used to generate the client\-specific key (see -.B \-\-tls\-crypt\-v2\-genkey\fR). +.B \-\-genkey tls\-crypt\-v2\-client\fR). On servers, this option can be used together with the .B \-\-tls\-auth 
@@ -5262,36 +5262,6 @@ option. In that case, the server will detect whether the client is using client\-specific keys, and automatically select the right mode. .\"********************************************************* .TP -.B \-\-tls\-crypt\-v2\-genkey client|server keyfile [metadata] - -If the first parameter equals "server", generate a \-\-tls\-crypt\-v2 server -key and store the key in -.B keyfile\fR. - - -If the first parameter equals "client", generate a \-\-tls\-crypt\-v2 client -key, and store the key in -.B keyfile\fR. - -If supplied, include the supplied -.B metadata -in the wrapped client key. This metadata must be supplied in base64\-encoded -form. The metadata must be at most 735 bytes long (980 bytes in base64). - -If no metadata is supplied, OpenVPN will use a 64\-bit unix timestamp -representing the current time in UTC, encoded in network order, as metadata for -the generated key. - -A tls\-crypt\-v2 client key is wrapped using a server key. To generate a -client key, the user must therefore supply the server key using the -.B \-\-tls\-crypt\-v2 -option. - -Servers can use -.B \-\-tls\-crypt\-v2\-verify -to specify a metadata verification command. -.\"********************************************************* -.TP .B \-\-tls\-crypt\-v2\-verify cmd Run command 
@@ -5747,20 +5717,27 @@ Show all available elliptic curves to use with the .B \-\-ecdh\-curve option. .\"********************************************************* -.SS Generate a random key: -Used only for non\-TLS static key encryption mode. +.SS Generating key material: .\"********************************************************* .TP -.B \-\-genkey file +.B \-\-genkey keytype keyfile (Standalone) -Generate a random key to be used as a shared secret, for use with the +Generate a key to be used of the type keytype. if keyfile is left out or empty +the key will be output on stdout. See the following sections for the different keytypes. + +.\"********************************************************* +.TP +.B \-\-genkey secret|tls\-crypt|tls\-auth keyfile +Generate a shared secret, for use with the .B \-\-secret , -.B \-\-tls-auth +.B \-\-tls\-auth or -.B \-\-tls-crypt +.B \-\-tls\-crypt options. Stores the key in .B file\fR. +All three variants (secret, tls-crypt, and tls-auth) generate the same type of +key. The aliases are added for convenience. If using this for .B \-\-secret 
@@ -5768,6 +5745,36 @@ If using this for such as .BR scp (1)\fR. .\"********************************************************* +.TP +.B \-\-genkey tls\-crypt\-v2\-server keyfile + +Generate a \-\-tls\-crypt\-v2 server key and store the key in +.B keyfile\fR. + +.TP +.B \-\-genkey tls\-crypt\-v2\-client keyfile [metadata] + +Generate a \-\-tls\-crypt\-v2 client key, and store the key in +.B keyfile\fR. + +If supplied, include the supplied +.B metadata +in the wrapped client key. This metadata must be supplied in base64\-encoded +form. The metadata must be at most 735 bytes long (980 bytes in base64). + +If no metadata is supplied, OpenVPN will use a 64\-bit unix timestamp +representing the current time in UTC, encoded in network order, as metadata for +the generated key. + +A tls\-crypt\-v2 client key is wrapped using a server key. To generate a +client key, the user must therefore supply the server key using the +.B \-\-tls\-crypt\-v2 +option. + +Servers can use +.B \-\-tls\-crypt\-v2\-verify +to specify a metadata verification command. +.\"********************************************************* .SS TUN/TAP persistent tunnel config mode: Available with Linux 2.4.7+. These options comprise a standalone mode of OpenVPN which can be used to create and delete persistent tunnels. @@ -7191,7 +7198,7 @@ First build a static key on bob. .IP .B openvpn \-\-genkey \-\-secret key .LP -This command will build a random key file called +This command will build a key file called .B key (in ascii format). Now copy |
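Review bot: the new generic entry in the @@ -5747 hunk has grammar and naming problems. "Generate a key to be used of the type keytype. if keyfile is left out or empty" should read "Generate a key of the type keytype. If keyfile is left out or empty", and the secret|tls-crypt|tls-auth entry still ends with "Stores the key in .B file\fR." although the argument is now called keyfile, so it should be ".B keyfile\fR.". The commit message also announces a warning/error when --secret is combined with --genkey, but neither entry documents that the old "--genkey --secret file" form is deprecated or what OpenVPN does when it is used; a sentence to that effect would help users migrating their configs.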
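Review bot: in the @@ -5768 hunk the tls-crypt-v2-client entry takes "keyfile [metadata]" positionally, while the generic --genkey entry says keyfile may be left out or empty to write the key to stdout; the text should say whether an empty keyfile ("") is required in order to pass metadata while writing to stdout, or whether stdout output is not supported for this key type. Minor style point: the surrounding entries are separated by the ".\"*****" comment line before each .TP, but the new tls-crypt-v2-server and tls-crypt-v2-client entries are not, so adding that separator between them would keep the page consistent.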
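Review bot: the example in the @@ -7191 hunk still reads ".B openvpn \-\-genkey \-\-secret key", which is the old form that, according to the commit message, now triggers a warning or error; since the commit message says non-code usages were updated, this should become ".B openvpn \-\-genkey secret key" to match the new "--genkey secret|tls-crypt|tls-auth keyfile" syntax documented above.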