diff --git a/Changes.rst b/Changes.rst index 77bcef26644..3676dce5b52 100644 --- a/Changes.rst +++ b/Changes.rst @@ -1,3 +1,15 @@ +Overview of changes in 2.7 +========================== +``secret`` support has been removed by default. + static key mode (non-TLS) is no longer considered "good and secure enough" + for today's requirements. Use TLS mode instead. If deploying a PKI CA + is considered "too complicated", using ``--peer-fingerprint`` makes + TLS mode about as easy as using ``--secret``. + + This mode can still be enabled by using + ``--allow-deprecated-insecure-static-crypto`` but will be removed in + OpenVPN 2.8. + Overview of changes in 2.6 ========================== diff --git a/doc/man-sections/encryption-options.rst b/doc/man-sections/encryption-options.rst index abc73d90c10..3b2678293d1 100644 --- a/doc/man-sections/encryption-options.rst +++ b/doc/man-sections/encryption-options.rst @@ -69,20 +69,20 @@ Generating key material $ openvpn --tls-crypt-v2 v2crypt-server.key --genkey tls-crypt-v2-client v2crypt-client-1.key * Generating *Shared Secret Keys* - Generate a shared secret, for use with the ``--secret``, ``--tls-auth`` + Generate a shared secret, for use with the ``--tls-auth`` or ``--tls-crypt`` options. Syntax: :: - $ openvpn --genkey secret|tls-crypt|tls-auth keyfile + $ openvpn --genkey tls-crypt|tls-auth keyfile - The key is saved in ``keyfile``. All three variants (``--secret``, - ``tls-crypt`` and ``tls-auth``) generate the same type of key. The - aliases are added for convenience. + The key is saved in ``keyfile``. Both variants (``tls-crypt`` and + ``tls-auth``) generate the same type of key. The aliases are added for + convenience. - If using this for ``--secret``, this file must be shared with the peer - over a pre-existing secure channel such as ``scp``\(1). + This file must be shared with the peer over a pre-existing secure + channel such as ``scp``\(1). * Generating *TLS Crypt v2 Server key* Generate a ``--tls-crypt-v2`` key to be used by an OpenVPN server. diff --git a/doc/man-sections/inline-files.rst b/doc/man-sections/inline-files.rst index 01e4a840604..f46301e8583 100644 --- a/doc/man-sections/inline-files.rst +++ b/doc/man-sections/inline-files.rst @@ -3,7 +3,7 @@ INLINE FILE SUPPORT OpenVPN allows including files in the main configuration for the ``--ca``, ``--cert``, ``--dh``, ``--extra-certs``, ``--key``, ``--pkcs12``, -``--secret``, ``--crl-verify``, ``--http-proxy-user-pass``, ``--tls-auth``, +``--crl-verify``, ``--http-proxy-user-pass``, ``--tls-auth``, ``--auth-gen-token-secret``, ``--peer-fingerprint``, ``--tls-crypt``, ``--tls-crypt-v2`` and ``--verify-hash`` options. diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index 675fee4cec9..ca26bfe944c 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -226,10 +226,7 @@ the local and the remote host. Ping remote over the TCP/UDP control channel if no packets have been sent for at least ``n`` seconds (specify ``--ping`` on both peers to cause ping packets to be sent in both directions since OpenVPN ping - packets are not echoed like IP ping packets). When used in one of - OpenVPN's secure modes (where ``--secret``, ``--tls-server`` or - ``--tls-client`` is specified), the ping packet will be - cryptographically secure. + packets are not echoed like IP ping packets). This option has two intended uses: @@ -427,8 +424,7 @@ the local and the remote host. received by the prior session. This option only makes sense when replay protection is enabled (the - default) and you are using either ``--secret`` (shared-secret key mode) - or TLS mode with ``--tls-auth``. + default) and you are using TLS mode with ``--tls-auth``. --session-timeout n Raises :code:`SIGTERM` for the client instance after ``n`` seconds since diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst index 81341578619..948c0c89b63 100644 --- a/doc/man-sections/protocol-options.rst +++ b/doc/man-sections/protocol-options.rst @@ -73,9 +73,7 @@ configured in a compatible way between both the local and remote side. configured on the data channel, however, later versions usually ignored this directive in favour of a negotiated cipher. Starting with 2.6.0, this option is always ignored in TLS mode - when it comes to configuring the cipher and will only control the - cipher for ``--secret`` pre-shared-key mode (note: this mode is - deprecated and strictly not recommended). + when it comes to configuring the cipher. If you wish to specify the cipher to use on the data channel, please see ``--data-ciphers`` (for regular negotiation) and @@ -182,7 +180,7 @@ configured in a compatible way between both the local and remote side. --key-direction Alternative way of specifying the optional direction parameter for the - ``--tls-auth`` and ``--secret`` options. Useful when using inline files + ``--tls-auth`` option. Useful when using inline files (See section on inline files). --data-ciphers cipher-list @@ -234,54 +232,10 @@ configured in a compatible way between both the local and remote side. have been configured with ``--enable-small`` (typically used on routers or other embedded devices). ---secret args - **DEPRECATED** Enable Static Key encryption mode (non-TLS). Use pre-shared secret - ``file`` which was generated with ``--genkey``. - Valid syntaxes: - :: - - secret file - secret file direction - - The optional ``direction`` parameter enables the use of 4 distinct keys - (HMAC-send, cipher-encrypt, HMAC-receive, cipher-decrypt), so that each - data flow direction has a different set of HMAC and cipher keys. This - has a number of desirable security properties including eliminating - certain kinds of DoS and message replay attacks. - - When the ``direction`` parameter is omitted, 2 keys are used - bidirectionally, one for HMAC and the other for encryption/decryption. - - The ``direction`` parameter should always be complementary on either - side of the connection, i.e. one side should use :code:`0` and the other - should use :code:`1`, or both sides should omit it altogether. - - The ``direction`` parameter requires that ``file`` contains a 2048 bit - key. While pre-1.5 versions of OpenVPN generate 1024 bit key files, any - version of OpenVPN which supports the ``direction`` parameter, will also - support 2048 bit key file generation using the ``--genkey`` option. - - Static key encryption mode has certain advantages, the primary being - ease of configuration. - - There are no certificates or certificate authorities or complicated - negotiation handshakes and protocols. The only requirement is that you - have a pre-existing secure channel with your peer (such as ``ssh``) to - initially copy the key. This requirement, along with the fact that your - key never changes unless you manually generate a new one, makes it - somewhat less secure than TLS mode (see below). If an attacker manages - to steal your key, everything that was ever encrypted with it is - compromised. Contrast that to the perfect forward secrecy features of - TLS mode (using Diffie Hellman key exchange), where even if an attacker - was able to steal your private key, he would gain no information to help - him decrypt past sessions. - - Another advantageous aspect of Static Key encryption mode is that it is - a handshake-free protocol without any distinguishing signature or - feature (such as a header or protocol handshake sequence) that would - mark the ciphertext packets as being generated by OpenVPN. Anyone - eavesdropping on the wire would see nothing but random-looking data. +--allow-deprecated-insecure-static-crypto + **DEPRECATED** This allow using OpenVPN without TLS. This is deprecated + and will be removed in OpenVPN 2.8. --tran-window n Transition window -- our old key can live this many seconds after a new diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 80dc77dcb82..14a94801bb5 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -406,7 +406,7 @@ fast hardware. SSL/TLS authentication must be used in this mode. Options that will be compared for compatibility include ``dev-type``, ``link-mtu``, ``tun-mtu``, ``proto``, ``ifconfig``, ``comp-lzo``, ``fragment``, ``keydir``, ``cipher``, - ``auth``, ``keysize``, ``secret``, + ``auth``, ``keysize``, ``tls-auth``, ``key-method``, ``tls-server`` and ``tls-client``. diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index d51aff77e66..908a42a19a1 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -295,8 +295,24 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa Older versions (up to OpenVPN 2.3) supported a freeform passphrase file. This is no longer supported in newer versions (v2.4+). - See the ``--secret`` option for more information on the optional - ``direction`` parameter. + The optional ``direction`` parameter enables the use of 2 distinct keys + (HMAC-send, HMAC-receive), so that each + data flow direction has a different HMAC key. This has a number of desirable + security properties including eliminating certain kinds of DoS and message + replay attacks. + + When the ``direction`` parameter is omitted, the same key is used + bidirectionally. + + The ``direction`` parameter should always be complementary on either + side of the connection, i.e. one side should use :code:`0` and the other + should use :code:`1`, or both sides should omit it altogether. + + The ``direction`` parameter requires that ``file`` contains a 2048 bit + key. While pre-1.5 versions of OpenVPN generate 1024 bit key files, any + version of OpenVPN which supports the ``direction`` parameter, will also + support 2048 bit key file generation using the ``--genkey`` option. + ``--tls-auth`` is recommended when you are running OpenVPN in a mode where it is listening for packets from any IP address, such as when diff --git a/src/openvpn/options.c b/src/openvpn/options.c index c6f9ac30c2a..134bb72eca9 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -531,12 +531,6 @@ static const char usage_message[] = "\n" "Data Channel Encryption Options (must be compatible between peers):\n" "(These options are meaningful for both Static Key & TLS-mode)\n" - "--secret f [d] : (DEPRECATED) Enable Static Key encryption mode (non-TLS).\n" - " Use shared secret file f, generate with --genkey.\n" - " The optional d parameter controls key directionality.\n" - " If d is specified, use separate keys for each\n" - " direction, set d=0 on one side of the connection,\n" - " and d=1 on the other side.\n" "--auth alg : Authenticate packets with HMAC using message\n" " digest algorithm alg (default=%s).\n" " (usually adds 16 or 20 bytes per packet)\n" @@ -619,14 +613,12 @@ static const char usage_message[] = " control channel to protect against attacks on the TLS stack\n" " and DoS attacks.\n" " f (required) is a shared-secret key file.\n" - " The optional d parameter controls key directionality,\n" - " see --secret option for more info.\n" + " The optional d parameter controls key directionality.\n" "--tls-crypt key : Add an additional layer of authenticated encryption on top\n" " of the TLS control channel to hide the TLS certificate,\n" " provide basic post-quantum security and protect against\n" " attacks on the TLS stack and DoS attacks.\n" " key (required) provides the pre-shared key file.\n" - " see --secret option for more info.\n" "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n" " For servers: use key to decrypt client-specific keys. For\n" " key generation (--genkey tls-crypt-v2-client): use key to\n" @@ -759,8 +751,8 @@ static const char usage_message[] = #endif /* ifdef _WIN32 */ "\n" "Generate a new key :\n" - "--genkey secret file : Generate a new random key of type and write to file\n" - " (for use with --secret, --tls-auth or --tls-crypt)." + "--genkey tls-auth file : Generate a new random key of type and write to file\n" + " (for use with --tls-auth or --tls-crypt)." #ifdef ENABLE_FEATURE_TUN_PERSIST "\n" "Tun/tap config mode (available with linux 2.4+):\n" @@ -2823,11 +2815,21 @@ options_postprocess_verify_ce(const struct options *options, if (!options->tls_server && !options->tls_client) { - msg(M_INFO, "DEPRECATION: No tls-client or tls-server option in " - "configuration detected. OpenVPN 2.7 will remove the " + int msglevel = M_USAGE; + if (options->allow_deprecated_insecure_static_crypto) + { + msglevel = M_INFO; + } + + msg(msglevel, "DEPRECATION: No tls-client or tls-server option in " + "configuration detected. OpenVPN 2.8 will remove the " "functionality to run a VPN without TLS. " "See the examples section in the manual page for " - "examples of a similar quick setup with peer-fingerprint."); + "examples of a similar quick setup with peer-fingerprint." + "OpenVPN 2.7 allows using this configuration when using " + "--allow-deprecated-insecure-static-crypto but you should move" + "to a proper configuration using TLS as soon as possible." + ); } if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) @@ -8515,6 +8517,12 @@ add_option(struct options *options, } } } + else if (streq(p[0], "allow-deprecated-insecure-static-crypto")) + { + VERIFY_PERMISSION(OPT_P_GENERAL); + options->allow_deprecated_insecure_static_crypto = true; + + } else if (streq(p[0], "genkey") && !p[4]) { VERIFY_PERMISSION(OPT_P_GENERAL); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 5810fd18e4d..5a37316b601 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -552,6 +552,7 @@ struct options /* Cipher parms */ const char *shared_secret_file; bool shared_secret_file_inline; + bool allow_deprecated_insecure_static_crypto; int key_direction; const char *ciphername; bool enable_ncp_fallback; /**< If defined fall back to diff --git a/tests/t_lpback.sh b/tests/t_lpback.sh index 482016a9986..68df2a69c11 100755 --- a/tests/t_lpback.sh +++ b/tests/t_lpback.sh @@ -97,7 +97,7 @@ set +e for cipher in ${CIPHERS} do test_start "Testing cipher ${cipher}... " - ( "${openvpn}" --test-crypto --secret key.$$ --cipher ${cipher} ) >log.$$ 2>&1 + ( "${openvpn}" --test-crypto --secret key.$$ --allow-deprecated-insecure-static-crypto --cipher ${cipher} ) >log.$$ 2>&1 test_end $? log.$$ done