The --keysize option can only be used with already deprecated ciphers,
such as CAST5, RC2 or BF.  Deviating from the default keysize is
generally not a good idea (see man page text), and otherwise only
complicates our code.

(If this patch is accepted, I'll send a follow-up patch to remove the
option from the master branch.)

Signed-off-by: Steffan Karger <stef...@karger.me>
---
 Changes.rst           | 1 +
 doc/openvpn.8         | 4 ++++
 src/openvpn/options.c | 5 +++++
 3 files changed, 10 insertions(+)

diff --git a/Changes.rst b/Changes.rst
index 39d83a2d..fdb56752 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -313,6 +313,7 @@ Deprecated features
 -------------------
 - ``--no-replay`` is deprecated and will be removed in OpenVPN 2.5.
 
+- ``--keysize`` is deprecated and will be removed in OpenVPN 2.5.
 
 Version 2.4.3
 =============
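Review bot: The new ``--keysize`` entry is added after the blank line that follows the ``--no-replay`` bullet, so the two deprecations are separated by an empty line and only one blank line is left before the "Version 2.4.3" heading, where the context shows there were two. Consider placing the new bullet directly under the ``--no-replay`` line so the list stays contiguous and the spacing before the next heading is unchanged. The entry could also say what users should do instead, for example drop the option and rely on the cipher's default key size, which is the reasoning given in the commit message.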
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 3600b8fa..c373c2af 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4217,6 +4217,10 @@ negotiation.
 .\"*********************************************************
 .TP
 .B \-\-keysize n
+
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5.
+
 Size of cipher key in bits (optional).
 If unspecified, defaults to cipher-specific default.  The
 .B \-\-show\-ciphers
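Review bot: The two empty "+" lines around the DEPRECATED note in the \-\-keysize entry are raw blank lines in man page source, and the first one comes directly after the .TP tag line, before any body text. Blank input lines are generally avoided in roff source; an explicit .sp (or .IP for a new indented paragraph) gives the same spacing without depending on how the formatter treats an empty line after the tag. The note also only says the option will be removed; one sentence on why (it only applies to already deprecated ciphers, and deviating from the default key size is not recommended) would tell the reader what to do about it.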
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 5246cb5a..95fdcc77 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2489,6 +2489,11 @@ options_postprocess_verify_ce(const struct options 
*options, const struct connec
         msg(M_WARN, "WARNING: --no-replay is DEPRECATED and will be removed in 
2.5");
     }
 
+    if (options->keysize)
+    {
+        msg(M_WARN, "WARNING: --keysize is DEPRECATED and will be removed in 
2.5");
+    }
+
     /*
      * Check consistency of replay options
      */
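Review bot: The new msg(M_WARN, ...) for options->keysize tells the user the option is deprecated but not what action to take; adding a short hint such as removing --keysize and using the cipher's default key size would make the log line actionable. The check is also placed in options_postprocess_verify_ce, next to the --no-replay warning, although keysize is read from options rather than from a connection entry; if this function is run once per connection entry, the warning would be logged more than once for a single config, so it is worth confirming that or moving both warnings to a place that runs once.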
-- 
2.11.0

