Changes between Version 17 and Version 18 of DeprecatedOptions


Timestamp:
03/12/19 20:59:53 (5 years ago)
Author:
tct

  • DeprecatedOptions

    v17 v18  
    77In this wiki page, we will try to keep an up-to-date list of all options we have deprecated, when they will be removed, the new alternative approach and the reasoning behind removing the option.  This wiki page summarizes the "Deprecated features" section in the [https://github.com/OpenVPN/openvpn/blob/master/Changes.rst#deprecated-features Changes.rst] file which is distributed with the source code.
    88
    9 [[TOC(notitle,inline, depth=1)]]
    10 
    11 == `--key-method` ==
     9[[TOC(notitle, inline)]]
     10
     11== Option: `--key-method` ==
    1212||=Status =||Pending removal ||
    1313||=Deprecated in: =||OpenVPN v2.4 ||
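Review bot: dropping `depth=1` from the TOC macro on line 9 changes what the table of contents shows, not just its formatting: `[[TOC(notitle, inline)]]` lists every heading level, so any `===` subsection that survives on the page will now appear as a nested TOC entry. If the intent is a flat list of option and policy entries, keep `depth=1`; if the intent is to show the subsections, the change is fine but should be stated in the revision comment, which is empty. The `Option:` prefix added to the `--key-method` heading on line 11 is consistent with the prefixes added to the other headings in this revision.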
     
    1919OpenVPN have used `--key-method 2` since OpenVPN v2.0 if it was not provided.  Using the older `--key-method 1` was primarily present to allow OpenVPN clients running older releases than v2.0 to connect to a v2.0 server.  This older key-method is not recommended as the key negotiation method is not as strong as the current default.
    2020
    21 == `--tls-remote` ==
     21== Option: `--tls-remote` ==
    2222||=Status =||**Removed in OpenVPN v2.4.0** ||
    2323||=Deprecated in: =||OpenVPN v2.3 ||
     
    3030|| ||`--verify-x509-name Server name-prefix` ||
    3131
    32 == `--compat-names` ==
     32== Option: `--compat-names` ==
    3333||=Status =||**Removed in OpenVPN v2.5** ||
    3434||=Deprecated in: =||OpenVPN v2.3 ||
     
    4848This option would in addition add remapping of characters and rendering most characters outside the typical a-z/A-Z/0-9 range to be replaced by an underscore (_) - unless the `no-remapping` flag was added.  This behaviour would in many cases be required by older authentication plug-ins or scripts which was not able to process the newer format.  As this behaviour is now considered bad, it is expected that authentication plug-ins and scripts will have had enough time to get an update to handle the new X.509 Subject formatting.
    4949
    50 == `--no-name-remapping` ==
     50== Option: `--no-name-remapping` ==
    5151||=Status =||**Removed in OpenVPN v2.5** ||
    5252||=Deprecated in: =||OpenVPN v2.3 ||
     
    5858This is essentially just an alias for `--compat-names no-remapping`.  This option would avoid the character remapping of characters being outside the typical a-z/A-Z/0-9 range in the X.509 Subject identifiers.
    5959
    60 == `--no-iv` ==
     60== Option: `--no-iv` ==
    6161||=Status =|| Removed in master branch ||
    6262||=Deprecated in: =||OpenVPN v2.4 ||
     
    6969
    7070
    71 == `--no-replay` ==
     71== Option: `--no-replay` ==
    7272||=Status =||Pending removal ||
    7373||=Deprecated in: =||OpenVPN v2.4 ||
     
    8080
    8181
    82 == Removal of insecure ciphers: Ciphers with cipher block-size less than 128 bits (most commonly `BF`, `DES`, `CAST5`, `IDEA` and `RC2`) ==
     82== Policy: Removal of insecure ciphers: Ciphers with cipher block-size less than 128 bits (most commonly `BF`, `DES`, `CAST5`, `IDEA` and `RC2`) ==
    8383||=Status =||Pending removal ||
    8484||=Deprecated in: =||OpenVPN v2.4 ||
     
    9090After the discovery of the [https://sweet32.info SWEET32 Birthday attacks on 64-bit block ciphers] any cipher using a cipher block length smaller than 128 bits is considered insecure and prune to be successfully attacked.  The cipher block length is '''''not''''' an indication of the cipher ''key'' length.
    9191
    92 === Migrating away from deprecated ciphers ===
     92== Policy: Migrating away from deprecated ciphers
    9393With the OpenVPN v2.4 release a new feature was introduced, Negotiable Crypto Parameters (NCP).  This allows users to seamlessly migrate away from deprecated ciphers without much extra work.  If both client and server runs OpenVPN v2.4 ''without'' NCP being disabled (`--ncp-disable`), the tunnel will automatically be upgraded to `AES-256-GCM`.  If the environment also uses clients older than OpenVPN v2.4, the server can deploy:
    9494{{{
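Review bot: the new heading on line 92, `== Policy: Migrating away from deprecated ciphers`, is missing the closing `==` that every other heading in this revision carries (compare `== Policy: Removal of insecure ciphers ... ==` on line 82), so the wiki will not render it as a heading; add the trailing ` ==`. The same line also changes the level from `===` to `==`, which promotes the migration guidance from a subsection of the insecure-ciphers entry to a top-level entry in its own right; if that promotion is deliberate, the `Policy:` prefix reads well, otherwise restore `===`. Unrelated to this change but visible in the context on line 90: "prune to be successfully attacked" should read "prone to be successfully attacked".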
     
    101101'''NOTE:''' For Fedora 27, if the `openvpn-server@.service` unit file is used for ''server configurations'', this migration path have already been enabled.
    102102
    103 == `--keysize` ==
     103== Option: `--keysize` ==
    104104||=Status =||Pending removal ||
    105105||=Deprecated in: =||OpenVPN v2.4 ||
     
    111111The `--keysize` option was only useful to change the key length when using the `BF`, `CAST6` or `RC2` ciphers.  For all other ciphers the key-size is fixed with the chosen cipher.  As OpenVPN v2.6 will no longer support any of these variable length ciphers, this option will be removed as well to avoid confusion.
    112112
    113 == `--comp-lzo` ==
     113== Option: `--comp-lzo` ==
    114114||=Status =||Currently not planned for removal, see description for details ||
    115115||=Deprecated in: =||OpenVPN v2.4 ||
     
    125125
    126126Contrary to prior statements `--comp-lzo no` is not compatible with the `--compress` counterpart. Therefore openvpn needs to keep supporting `--comp-lzo no` for backward compatibility.
    127 == `--ifconfig-pool-linear` ==
     127
     128== Option: `--ifconfig-pool-linear` ==
    128129||=Status =||Pending removal ||
    129130||=Deprecated in: =||OpenVPN v2.1 ||
     
    135136This option will not work with Windows based clients.  Since the `--topology p2p` mode is equivalent  to `--ifconfig-pool-linear` and works with Windows, this option will be removed.
    136137
    137 == `--client-cert-not-required` ==
     138== Option: `--client-cert-not-required` ==
    138139||=Status =||Pending removal ||
    139140||=Deprecated in: =||OpenVPN v2.4 ||
     
    147148The replacement option allows a far more fine grained control of authentication methods, and can allow a combination of only username/password authentication, only certificate based authentication or a combination.  This would not be possible with the old `--client-cert-not-required` option.
    148149
    149 == `--ns-cert-type` ==
     150== Option: `--ns-cert-type` ==
    150151||=Status =||Pending removal ||
    151152||=Deprecated in: =||OpenVPN v2.4 and v2.3.18 ||
     
    159160
    160161
    161 == `--tun-ipv6` ==
     162== Option: `--tun-ipv6` ==
    162163||=Status =||Removed in OpenVPN 2.4l ||
    163164||=Deprecated in: =||OpenVPN v2.4 ||
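Review bot: the unchanged status row on lines 162/163 reads `Removed in OpenVPN 2.4l`, which looks like a stray character after `2.4` rather than a real version string; since this revision already touches the `--tun-ipv6` heading, the version should be confirmed and corrected in the same edit. The row also omits the `v` prefix used in every other status and "Deprecated in" cell on the page (for example `OpenVPN v2.4` on line 164), so `OpenVPN v2.4` would match the page's convention.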
     
    174175
    175176
    176 == Automatic Up-casing of X509 Certificate fieldnames ==
     177== Policy: Automatic Up-casing of X509 Certificate fieldnames ==
    177178||=Status =||Planned for removal ||
    178179||=Deprecated in: =||OpenVPN v2.3 ||
     
    185186See --x509-username-field in https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage for a detailed explanation.
    186187
    187 == `--max-routes` ==
     188== Option: `--max-routes` ==
    188189||=Status =||Planned for removal ||
    189190||=Deprecated in: =||OpenVPN v2.4 ||
     
    194195||=Examples: =|| ||
    195196
    196 == `--dhcp-release` ==
     197== Option: `--dhcp-release` ==
    197198||=Status =||Enabled by default ||
    198199||=Deprecated in: =||OpenVPN v2.4 ||