Hi,

On 25/03/2021 20:29, Matthias Andree wrote:
> I find the reasons you present to withdraw the symmetric non-TLS mode
> too weak to justify its deprecation or removal. Yes, TLS-based
> configurations may be more feature-rich, but those are not mandatory and
> we should not paternalize the users here. Is there a considerable
> technical debt to keeping the --secret option? WireGuard seems to be
> becoming quite popular and it provides low-ceremony setups - just as
> openvpn --secret does.
>
The new --peer-fingerprint option offers a similar "quick setup" feature that old users of --secret may want to switch to.

> And to make a blunt point, it's not useless just because it's old, else
> we should nuke DNS and SMTP.

It's not about being old. It's about being insecure.

With --secret (i.e. PSK encryption) there is no key renegotiation/rotation. This means IVs will eventually be re-used, which translates to encryption losing part of its strength.

This is unacceptable and users should be prevented from hitting this situation.

Regards,

-- 
Antonio Quartulli

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
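As an added illustration (not part of the thread or of the OpenVPN project's own documentation), the two setups under discussion side by side: the static-key --secret mode, where one fixed key is used for the whole session, and a TLS setup built on the --peer-fingerprint option mentioned above, where the data-channel keys are renegotiated on the reneg-sec interval. File names, addresses and the fingerprint values are placeholders.

```conf
# --- Static key mode (the --secret setup the thread argues against) ---
# Both peers share one file created with: openvpn --genkey secret static.key
# A single fixed key protects every packet for the lifetime of the tunnel;
# there is no renegotiation, so the IV/packet-counter space is never refreshed.
dev tun
ifconfig 10.8.0.1 10.8.0.2      # PLACEHOLDER addresses; the peer mirrors the pair
secret static.key               # PLACEHOLDER path to the shared key

# --- Peer-fingerprint mode, server side (PLACEHOLDER names) ---
# Each side carries its own self-signed certificate; no CA is required.
# The peer's certificate is pinned by its SHA256 fingerprint, obtained with:
#   openssl x509 -noout -sha256 -fingerprint -in client.crt
dev tun
server 10.8.0.0 255.255.255.0   # PLACEHOLDER pool
cert server.crt                 # PLACEHOLDER
key server.key                  # PLACEHOLDER
dh none                         # use ECDH for the TLS key exchange
peer-fingerprint PLACEHOLDER_SHA256_FINGERPRINT_OF_CLIENT_CERT
reneg-sec 3600                  # renegotiate data-channel keys every hour

# --- Peer-fingerprint mode, client side (PLACEHOLDER names) ---
client
remote vpn.example.com 1194     # PLACEHOLDER server
dev tun
cert client.crt                 # PLACEHOLDER
key client.key                  # PLACEHOLDER
peer-fingerprint PLACEHOLDER_SHA256_FINGERPRINT_OF_SERVER_CERT
```

The three fragments are separate files in practice; they are shown together only to contrast the single long-lived key of the first with the per-session, periodically renegotiated keys of the second.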