Changes between Version 17 and Version 18 of DeprecatedOptions

03/12/19 20:59:53 (5 months ago)




    v17 v18  
    77In this wiki page, we will try to keep an up-to-date list of all options we have deprecated, when they will be removed, the new alternative approach and the reasoning behind removing the option.  This wiki page summarizes the "Deprecated features" section in the [ Changes.rst] file which is distributed with the source code.
    9 [[TOC(notitle,inline, depth=1)]]
    11 == `--key-method` ==
     9[[TOC(notitle, inline)]]
     11== Option: `--key-method` ==
    1212||=Status =||Pending removal ||
    1313||=Deprecated in: =||OpenVPN v2.4 ||
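Review bot: the TOC macro at line 9 now drops `depth=1`, so every `===` sub-heading will appear in the table of contents, while the intro at line 7 says nothing about the `Option:` and `Policy:` prefixes that line 11 and the later headings introduce. Add one sentence to the intro stating that `Option:` entries are individual deprecated command-line options and `Policy:` entries are broader removals, so the prefix carries meaning for readers and the TOC groups visibly. While here, the context at line 19 reads "OpenVPN have used `--key-method 2`"; it should be "has used".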
    1919OpenVPN have used `--key-method 2` since OpenVPN v2.0 if it was not provided.  Using the older `--key-method 1` was primarily present to allow OpenVPN clients running older releases than v2.0 to connect to a v2.0 server.  This older key-method is not recommended as the key negotiation method is not as strong as the current default.
    21 == `--tls-remote` ==
     21== Option: `--tls-remote` ==
    2222||=Status =||**Removed in OpenVPN v2.4.0** ||
    2323||=Deprecated in: =||OpenVPN v2.3 ||
    3030|| ||`--verify-x509-name Server name-prefix` ||
    32 == `--compat-names` ==
     32== Option: `--compat-names` ==
    3333||=Status =||**Removed in OpenVPN v2.5** ||
    3434||=Deprecated in: =||OpenVPN v2.3 ||
    4848This option would in addition add remapping of characters and rendering most characters outside the typical a-z/A-Z/0-9 range to be replaced by an underscore (_) - unless the `no-remapping` flag was added.  This behaviour would in many cases be required by older authentication plug-ins or scripts which was not able to process the newer format.  As this behaviour is now considered bad, it is expected that authentication plug-ins and scripts will have had enough time to get an update to handle the new X.509 Subject formatting.
    50 == `--no-name-remapping` ==
     50== Option: `--no-name-remapping` ==
    5151||=Status =||**Removed in OpenVPN v2.5** ||
    5252||=Deprecated in: =||OpenVPN v2.3 ||
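Review bot: the context at line 48 has a grammar slip, "scripts which was not able to process the newer format" should be "which were not able", and "this behaviour is now considered bad" leaves the reason unstated. The line itself gives the reason: mapping most characters outside a-z/A-Z/0-9 to a single underscore is lossy, so distinct X.509 Subjects can be rendered identically, which matters when scripts or plug-ins key authorization decisions on that string. Say that explicitly so readers understand why the compatibility mode was worth removing.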
    5858This is essentially just an alias for `--compat-names no-remapping`.  This option would avoid the character remapping of characters being outside the typical a-z/A-Z/0-9 range in the X.509 Subject identifiers.
    60 == `--no-iv` ==
     60== Option: `--no-iv` ==
    6161||=Status =|| Removed in master branch ||
    6262||=Deprecated in: =||OpenVPN v2.4 ||
    71 == `--no-replay` ==
     71== Option: `--no-replay` ==
    7272||=Status =||Pending removal ||
    7373||=Deprecated in: =||OpenVPN v2.4 ||
    82 == Removal of insecure ciphers: Ciphers with cipher block-size less than 128 bits (most commonly `BF`, `DES`, `CAST5`, `IDEA` and `RC2`) ==
     82== Policy: Removal of insecure ciphers: Ciphers with cipher block-size less than 128 bits (most commonly `BF`, `DES`, `CAST5`, `IDEA` and `RC2`) ==
    8383||=Status =||Pending removal ||
    8484||=Deprecated in: =||OpenVPN v2.4 ||
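Review bot: the renamed heading at line 82 carries two colons and repeats "cipher" three times ("Policy: Removal of insecure ciphers: Ciphers with cipher block-size ..."), which also makes an unwieldy TOC entry now that the TOC is unrestricted. Suggest "== Policy: Removal of ciphers with a block size below 128 bits (`BF`, `DES`, `CAST5`, `IDEA`, `RC2`) ==", keeping the same cipher list.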
    9090After the discovery of the [ SWEET32 Birthday attacks on 64-bit block ciphers] any cipher using a cipher block length smaller than 128 bits is considered insecure and prune to be successfully attacked.  The cipher block length is '''''not''''' an indication of the cipher ''key'' length.
    92 === Migrating away from deprecated ciphers ===
     92== Policy: Migrating away from deprecated ciphers
    9393With the OpenVPN v2.4 release a new feature was introduced, Negotiable Crypto Parameters (NCP).  This allows users to seamlessly migrate away from deprecated ciphers without much extra work.  If both client and server runs OpenVPN v2.4 ''without'' NCP being disabled (`--ncp-disable`), the tunnel will automatically be upgraded to `AES-256-GCM`.  If the environment also uses clients older than OpenVPN v2.4, the server can deploy:
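Review bot: the new heading at line 92, `== Policy: Migrating away from deprecated ciphers`, is the only heading on the page without a closing `==`, and it is promoted from `===` to `==`, so the migration guidance is no longer nested under the cipher-removal section it explains; either keep it as a `===` sub-heading (the TOC will now list it since `depth=1` was dropped) or, if the promotion is intended, close it with `==` and reconsider the `Policy:` prefix, since this section is a how-to rather than a removal policy. Two context fixes while here: line 90 "prune to be successfully attacked" should be "prone to", and line 93 "If both client and server runs OpenVPN v2.4" should be "run".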
    101101'''NOTE:''' For Fedora 27, if the `openvpn-server@.service` unit file is used for ''server configurations'', this migration path have already been enabled.
    103 == `--keysize` ==
     103== Option: `--keysize` ==
    104104||=Status =||Pending removal ||
    105105||=Deprecated in: =||OpenVPN v2.4 ||
    111111The `--keysize` option was only useful to change the key length when using the `BF`, `CAST6` or `RC2` ciphers.  For all other ciphers the key-size is fixed with the chosen cipher.  As OpenVPN v2.6 will no longer support any of these variable length ciphers, this option will be removed as well to avoid confusion.
    113 == `--comp-lzo` ==
     113== Option: `--comp-lzo` ==
    114114||=Status =||Currently not planned for removal, see description for details ||
    115115||=Deprecated in: =||OpenVPN v2.4 ||
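Review bot: line 111 lists `CAST6` as one of the variable-key-length ciphers, but the removal heading at line 82 and the rest of the page only mention `CAST5`; check whether `CAST6` is a typo for `CAST5` so the two sections name the same cipher. The `--comp-lzo` text at line 126, "Contrary to prior statements", should say which statement it corrects (or link the earlier revision), otherwise readers cannot tell what guidance changed.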
    126126Contrary to prior statements `--comp-lzo no` is not compatible with the `--compress` counterpart. Therefore openvpn needs to keep supporting `--comp-lzo no` for backward compatibility.
    127 == `--ifconfig-pool-linear` ==
     128== Option: `--ifconfig-pool-linear` ==
    128129||=Status =||Pending removal ||
    129130||=Deprecated in: =||OpenVPN v2.1 ||
    135136This option will not work with Windows based clients.  Since the `--topology p2p` mode is equivalent  to `--ifconfig-pool-linear` and works with Windows, this option will be removed.
    137 == `--client-cert-not-required` ==
     138== Option: `--client-cert-not-required` ==
    138139||=Status =||Pending removal ||
    139140||=Deprecated in: =||OpenVPN v2.4 ||
    147148The replacement option allows a far more fine grained control of authentication methods, and can allow a combination of only username/password authentication, only certificate based authentication or a combination.  This would not be possible with the old `--client-cert-not-required` option.
    149 == `--ns-cert-type` ==
     150== Option: `--ns-cert-type` ==
    150151||=Status =||Pending removal ||
    151152||=Deprecated in: =||OpenVPN v2.4 and v2.3.18 ||
    161 == `--tun-ipv6` ==
     162== Option: `--tun-ipv6` ==
    162163||=Status =||Removed in OpenVPN 2.4l ||
    163164||=Deprecated in: =||OpenVPN v2.4 ||
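Review bot: the status at line 162, "Removed in OpenVPN 2.4l", looks like a typo (stray "l") and also omits the "v" prefix used by every other status and "Deprecated in" row on the page; it should read "Removed in OpenVPN v2.4".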
    176 == Automatic Up-casing of X509 Certificate fieldnames ==
     177== Policy: Automatic Up-casing of X509 Certificate fieldnames ==
    177178||=Status =||Planned for removal ||
    178179||=Deprecated in: =||OpenVPN v2.3 ||
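Review bot: the status vocabulary is inconsistent across the page: line 177 says "Planned for removal" while lines 12, 72, 104, 128 and 138 say "Pending removal", and line 61 says "Removed in master branch" without a release version. Pick one phrase for the not-yet-removed state and, for the master-branch removal, name the release it will first ship in once known. The heading at line 176 also writes "X509" where lines 48 and 58 write "X.509".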
    185186See --x509-username-field in for a detailed explanation.
    187 == `--max-routes` ==
     188== Option: `--max-routes` ==
    188189||=Status =||Planned for removal ||
    189190||=Deprecated in: =||OpenVPN v2.4 ||
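Review bot: line 185, "See --x509-username-field in for a detailed explanation.", is missing the reference after "in" (presumably a link to the manual page or the section describing that option); complete the link rather than leave the dangling "in", and put the option name in backticks as the rest of the page does.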
    194195||=Examples: =|| ||
    196 == `--dhcp-release` ==
     197== Option: `--dhcp-release` ==
    197198||=Status =||Enabled by default ||
    198199||=Deprecated in: =||OpenVPN v2.4 ||
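Review bot: the `--max-routes` table has an empty Examples row at line 194 (`||=Examples: =|| ||`); either give a replacement example or drop the row so it does not render as a blank cell. For `--dhcp-release` at line 197, "Enabled by default" is not a deprecation status; state it in the same form as the other entries, e.g. that the option is deprecated because the release behaviour is now the default and the flag is a no-op, so readers know they can remove it from Windows client configurations.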