On 17/07/2020 15:47, Arne Schwabe wrote: > The change in name signals that data-ciphers is the preferred way to > configure data channel (and not --cipher). The data prefix is chosen > to avoid ambiguity and make it distinct from tls-cipher for the TLS > ciphers. > > Signed-off-by: Arne Schwabe <a...@rfc2549.org> > --- > Changes.rst | 13 ++++++++++--- > doc/man-sections/protocol-options.rst | 11 +++++++---- > doc/man-sections/server-options.rst | 4 ++-- > sample/sample-config-files/client.conf | 2 +- > src/openvpn/multi.c | 4 ++-- > src/openvpn/options.c | 5 +++-- > src/openvpn/ssl_ncp.c | 4 ++-- > 7 files changed, 27 insertions(+), 16 deletions(-) > [...snip...] > diff --git a/src/openvpn/options.c b/src/openvpn/options.c > index 31e33ae3..896abcde 100644 > --- a/src/openvpn/options.c > +++ b/src/openvpn/options.c > @@ -536,7 +536,7 @@ static const char usage_message[] = > "--cipher alg : Encrypt packets with cipher algorithm alg\n" > " (default=%s).\n" > " Set alg=none to disable encryption.\n" > - "--ncp-ciphers list : List of ciphers that are allowed to be > negotiated.\n" > + "--data-ciphers list : List of ciphers that are allowed to be > negotiated.\n" > "--ncp-disable : (DEPRECATED) Disable cipher negotiation.\n" > "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n" > " nonce_secret_len=nsl. Set alg=none to disable > PRNG.\n" > @@ -7866,7 +7866,8 @@ add_option(struct options *options, > VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE); > options->ciphername = p[1]; > } > - else if (streq(p[0], "ncp-ciphers") && p[1] && !p[2]) > + else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers")) > + && p[1] && !p[2])
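Review bot: In the usage_message hunk of src/openvpn/options.c, the help text drops --ncp-ciphers entirely while the add_option() hunk below still accepts that name. If the old spelling stays valid, the usage text should say so, for example with a short line marking --ncp-ciphers as a deprecated alias of --data-ciphers, in the same style as the "--ncp-disable : (DEPRECATED)" entry just beneath it.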
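Review bot: In the add_option() hunk, the new condition treats "data-ciphers" and "ncp-ciphers" identically, so a configuration that still uses the old name gets no indication that it was renamed. The body of the branch is cut off in this quoted excerpt, so this assumes nothing there distinguishes the two; if so, check p[0] inside the branch and log a deprecation warning when it is "ncp-ciphers", so the alias can later be removed without surprising users.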
I do agree to using --data-ciphers instead of --ncp-ciphers, that is far more user-friendly naming of this feature. NCP is a more technical "under-the-hood" terminology which users don't really need to relate to, where --data-ciphers better explains what it is used for.

But I do reject NOT adding a deprecation path for --ncp-ciphers. We should support --ncp-ciphers for 1-2 major releases, but after that it should be removed. We have too many options and we certainly should avoid duplicating options with the exact same functionality.

--
kind regards,

David Sommerseth
OpenVPN Inc
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel