Deprecate --no-replay

Following the removal of --no-iv, and as suggested by both recent audits
(and done by OpenVPN-NL for 7 years now), it's time to get rid of the
--no-replay option.

The only valid use case I can imagine is to slightly reduce the per-packet
overhead for setups that do not use any authentication mechanism, but I
do not believe that warrants keeping an option around that generally
reduces security and makes our code more complex.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170701112208.18803-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15003.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Steffan Karger 2017-07-01 13:22:08 +02:00 committed by David Sommerseth
parent e2ab495852
commit e3da00918d
3 changed files with 17 additions and 1 deletions


@ -310,6 +310,14 @@ Maintainer-visible changes
Version 2.4.4
=============
Deprecated features
-------------------
- ``--no-replay`` is deprecated and will be removed in OpenVPN 2.5.
Version 2.4.3
=============
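Review bot: the new ``Deprecated features`` entry names the option and the removal release but gives users no migration hint; since replay protection is the default behaviour and ``--no-replay`` only switches it off, consider adding a sentence telling administrators to simply drop the option from their configs (and to tune the window with ``--replay-window`` if that is what they were after) so they know what to change before 2.5.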


@ -4261,6 +4261,9 @@ supported by OpenSSL.
.\"*********************************************************
.TP
.B \-\-no\-replay
.B DEPRECATED
This option will be removed in OpenVPN 2.5.
(Advanced) Disable OpenVPN's protection against replay attacks.
Don't use this option unless you are prepared to make
a tradeoff of greater efficiency in exchange for less
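Review bot: the man page now marks the option as DEPRECATED with a removal version, but the paragraph that follows still reads as guidance on when to use it ("Don't use this option unless you are prepared to make a tradeoff of greater efficiency in exchange for less ..."); consider rewording that sentence so it no longer presents disabling replay protection as a supported trade-off, for example by stating that the option is kept only for compatibility until 2.5 and that replay protection is always enabled from then on.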


@ -545,7 +545,7 @@ static const char usage_message[] =
#ifndef ENABLE_CRYPTO_MBEDTLS
"--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
#endif
"--no-replay : Disable replay protection.\n"
"--no-replay : (DEPRECATED) Disable replay protection.\n"
"--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
"--replay-window n [t] : Use a replay protection sliding window of size n\n"
" and a time window of t seconds.\n"
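Review bot: the usage string now says ``(DEPRECATED)`` but, unlike the man page and the runtime warning in this patch, does not say when the option goes away; consider ``"--no-replay : (DEPRECATED, removed in 2.5) Disable replay protection.\n"`` so all three places carry the same message.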
@ -2500,6 +2500,11 @@ options_postprocess_verify_ce(const struct options *options, const struct connec
msg(M_WARN, "WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6");
}
if (!options->replay)
{
msg(M_WARN, "WARNING: --no-replay is DEPRECATED and will be removed in OpenVPN 2.5");
}
/*
* Check consistency of replay options
*/
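Review bot: ``if (!options->replay)`` tests the effective replay state rather than whether ``--no-replay`` was actually given; that is equivalent today because replay protection is on by default and only ``--no-replay`` clears it, but a one-line comment saying so would help the next reader and would flag the assumption should another code path ever clear ``replay``, in which case the warning would blame an option the user never set. Placing the warning next to the existing ``--keysize`` deprecation warning and ahead of the replay consistency check is the right spot.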