Changes between Version 17 and Version 18 of DeprecatedOptions
- Timestamp:
- 03/12/19 20:59:53 (5 years ago)
DeprecatedOptions
v17 v18 7 7 In this wiki page, we will try to keep an up-to-date list of all options we have deprecated, when they will be removed, the new alternative approach and the reasoning behind removing the option. This wiki page summarizes the "Deprecated features" section in the [https://github.com/OpenVPN/openvpn/blob/master/Changes.rst#deprecated-features Changes.rst] file which is distributed with the source code. 8 8 9 [[TOC(notitle, inline, depth=1)]]10 11 == `--key-method` ==9 [[TOC(notitle, inline)]] 10 11 == Option: `--key-method` == 12 12 ||=Status =||Pending removal || 13 13 ||=Deprecated in: =||OpenVPN v2.4 || … … 19 19 OpenVPN have used `--key-method 2` since OpenVPN v2.0 if it was not provided. Using the older `--key-method 1` was primarily present to allow OpenVPN clients running older releases than v2.0 to connect to a v2.0 server. This older key-method is not recommended as the key negotiation method is not as strong as the current default. 20 20 21 == `--tls-remote` ==21 == Option: `--tls-remote` == 22 22 ||=Status =||**Removed in OpenVPN v2.4.0** || 23 23 ||=Deprecated in: =||OpenVPN v2.3 || … … 30 30 || ||`--verify-x509-name Server name-prefix` || 31 31 32 == `--compat-names` ==32 == Option: `--compat-names` == 33 33 ||=Status =||**Removed in OpenVPN v2.5** || 34 34 ||=Deprecated in: =||OpenVPN v2.3 || … … 48 48 This option would in addition add remapping of characters and rendering most characters outside the typical a-z/A-Z/0-9 range to be replaced by an underscore (_) - unless the `no-remapping` flag was added. This behaviour would in many cases be required by older authentication plug-ins or scripts which was not able to process the newer format. As this behaviour is now considered bad, it is expected that authentication plug-ins and scripts will have had enough time to get an update to handle the new X.509 Subject formatting. 
49 49 50 == `--no-name-remapping` ==50 == Option: `--no-name-remapping` == 51 51 ||=Status =||**Removed in OpenVPN v2.5** || 52 52 ||=Deprecated in: =||OpenVPN v2.3 || … … 58 58 This is essentially just an alias for `--compat-names no-remapping`. This option would avoid the character remapping of characters being outside the typical a-z/A-Z/0-9 range in the X.509 Subject identifiers. 59 59 60 == `--no-iv` ==60 == Option: `--no-iv` == 61 61 ||=Status =|| Removed in master branch || 62 62 ||=Deprecated in: =||OpenVPN v2.4 || … … 69 69 70 70 71 == `--no-replay` ==71 == Option: `--no-replay` == 72 72 ||=Status =||Pending removal || 73 73 ||=Deprecated in: =||OpenVPN v2.4 || … … 80 80 81 81 82 == Removal of insecure ciphers: Ciphers with cipher block-size less than 128 bits (most commonly `BF`, `DES`, `CAST5`, `IDEA` and `RC2`) ==82 == Policy: Removal of insecure ciphers: Ciphers with cipher block-size less than 128 bits (most commonly `BF`, `DES`, `CAST5`, `IDEA` and `RC2`) == 83 83 ||=Status =||Pending removal || 84 84 ||=Deprecated in: =||OpenVPN v2.4 || … … 90 90 After the discovery of the [https://sweet32.info SWEET32 Birthday attacks on 64-bit block ciphers] any cipher using a cipher block length smaller than 128 bits is considered insecure and prune to be successfully attacked. The cipher block length is '''''not''''' an indication of the cipher ''key'' length. 91 91 92 == = Migrating away from deprecated ciphers ===92 == Policy: Migrating away from deprecated ciphers 93 93 With the OpenVPN v2.4 release a new feature was introduced, Negotiable Crypto Parameters (NCP). This allows users to seamlessly migrate away from deprecated ciphers without much extra work. If both client and server runs OpenVPN v2.4 ''without'' NCP being disabled (`--ncp-disable`), the tunnel will automatically be upgraded to `AES-256-GCM`. 
If the environment also uses clients older than OpenVPN v2.4, the server can deploy: 94 94 {{{ … … 101 101 '''NOTE:''' For Fedora 27, if the `openvpn-server@.service` unit file is used for ''server configurations'', this migration path have already been enabled. 102 102 103 == `--keysize` ==103 == Option: `--keysize` == 104 104 ||=Status =||Pending removal || 105 105 ||=Deprecated in: =||OpenVPN v2.4 || … … 111 111 The `--keysize` option was only useful to change the key length when using the `BF`, `CAST6` or `RC2` ciphers. For all other ciphers the key-size is fixed with the chosen cipher. As OpenVPN v2.6 will no longer support any of these variable length ciphers, this option will be removed as well to avoid confusion. 112 112 113 == `--comp-lzo` ==113 == Option: `--comp-lzo` == 114 114 ||=Status =||Currently not planned for removal, see description for details || 115 115 ||=Deprecated in: =||OpenVPN v2.4 || … … 125 125 126 126 Contrary to prior statements `--comp-lzo no` is not compatible with the `--compress` counterpart. Therefore openvpn needs to keep supporting `--comp-lzo no` for backward compatibility. 127 == `--ifconfig-pool-linear` == 127 128 == Option: `--ifconfig-pool-linear` == 128 129 ||=Status =||Pending removal || 129 130 ||=Deprecated in: =||OpenVPN v2.1 || … … 135 136 This option will not work with Windows based clients. Since the `--topology p2p` mode is equivalent to `--ifconfig-pool-linear` and works with Windows, this option will be removed. 136 137 137 == `--client-cert-not-required` ==138 == Option: `--client-cert-not-required` == 138 139 ||=Status =||Pending removal || 139 140 ||=Deprecated in: =||OpenVPN v2.4 || … … 147 148 The replacement option allows a far more fine grained control of authentication methods, and can allow a combination of only username/password authentication, only certificate based authentication or a combination. This would not be possible with the old `--client-cert-not-required` option. 
148 149 149 == `--ns-cert-type` ==150 == Option: `--ns-cert-type` == 150 151 ||=Status =||Pending removal || 151 152 ||=Deprecated in: =||OpenVPN v2.4 and v2.3.18 || … … 159 160 160 161 161 == `--tun-ipv6` ==162 == Option: `--tun-ipv6` == 162 163 ||=Status =||Removed in OpenVPN 2.4l || 163 164 ||=Deprecated in: =||OpenVPN v2.4 || … … 174 175 175 176 176 == Automatic Up-casing of X509 Certificate fieldnames ==177 == Policy: Automatic Up-casing of X509 Certificate fieldnames == 177 178 ||=Status =||Planned for removal || 178 179 ||=Deprecated in: =||OpenVPN v2.3 || … … 185 186 See --x509-username-field in https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage for a detailed explanation. 186 187 187 == `--max-routes` ==188 == Option: `--max-routes` == 188 189 ||=Status =||Planned for removal || 189 190 ||=Deprecated in: =||OpenVPN v2.4 || … … 194 195 ||=Examples: =|| || 195 196 196 == `--dhcp-release` ==197 == Option: `--dhcp-release` == 197 198 ||=Status =||Enabled by default || 198 199 ||=Deprecated in: =||OpenVPN v2.4 ||
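Review bot: the rewritten heading `== Policy: Migrating away from deprecated ciphers` (v18 line 92) drops the closing ` ==` that every other heading on the page carries, and it also promotes what was a level-3 subsection (`=== ... ===`) to level 2. Trac renders an unclosed heading, but add the trailing ` ==` for consistency, and confirm the level change is intended: it turns the migration guidance into a peer of the "Policy: Removal of insecure ciphers" section instead of a subsection of it.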
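Review bot: changing `[[TOC(notitle, inline, depth=1)]]` to `[[TOC(notitle, inline)]]` (v17 line 9 / v18 line 9) removes the depth limit, so every heading level now appears in the table of contents. With the headings now prefixed `Option:` / `Policy:` that is presumably the goal, but note that any `===` subsection left on the page will also be listed, so check the rendered TOC after saving.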
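Review bot: several pre-existing typos sit in the unchanged context lines and could be folded into this edit pass: the `--tun-ipv6` status reads `Removed in OpenVPN 2.4l` (stray `l`), the SWEET32 paragraph says `prune to be successfully attacked` where `prone` is meant, and `OpenVPN have used`, `scripts which was not able` and `this migration path have already been enabled` want `has used`, `which were not able` and `has already been enabled`.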