Highlight deprecated features

We have quite a list of deprecated options currently.  Ensure this
is highlighted both in documentation and code.

This patch builds on the wiki page [1] enlisting all deprecated features
and their status.  There are also some options not listed here, as
there exists patches in release/2.4 which awaits an update for git master.

[1] https://community.openvpn.net/openvpn/wiki/DeprecatedOptions

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20170815215451.21662-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15261.html
Signed-off-by: David Sommerseth <davids@openvpn.net>

Changes.rst

@@ -161,6 +161,9 @@ Asynchronous push reply
 
 Deprecated features
 -------------------
+For an up-to-date list of all deprecated options, see this wiki page:
+https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
+
 - ``--key-method 1`` is deprecated in 2.4 and will be removed in 2.5.  Migrate
   away from ``--key-method 1`` as soon as possible.  The recommended approach
   is to remove the ``--key-method`` option from the configuration files, OpenVPN
@@ -181,6 +184,18 @@ Deprecated features
 - ``--keysize`` is deprecated and will be removed in v2.6 together
   with the support of ciphers with cipher block size less than 128 bits.
 
+- ``--comp-lzo`` is deprecated in OpenVPN 2.4.  Use ``--compress`` instead.
+
+- ``--ifconfig-pool-linear`` has been deprecated since OpenVPN 2.1 and will be
+  removed in v2.5.  Use ``--topology p2p`` instead.
+
+- ``--client-cert-not-required`` is deprecated in OpenVPN 2.4 and will be removed
+  in v2.5.  Use ``--verify-client-cert none`` for a functional equivalent.
+
+- ``--ns-cert-type`` is deprecated in OpenVPN 2.3.18 and v2.4.  It will be removed
+  in v2.5.  Use the far better ``--remote-cert-tls`` option which replaces this
+  feature.
+
 
 User-visible Changes
 --------------------

doc/openvpn.8

@@ -769,7 +769,8 @@ Only use
 when none of the connecting clients are Windows systems.  This mode
 is functionally equivalent to the
 .B \-\-ifconfig\-pool\-linear
-directive which is available in OpenVPN 2.0 and is now deprecated.
+directive which is available in OpenVPN 2.0, is deprecated and will be
+removed in OpenVPN 2.5
 
 .B subnet \-\-
 Use a subnet rather than a point-to-point topology by
@@ -2485,15 +2486,17 @@ setting to be pushed later.
 .\"*********************************************************
 .TP
 .B \-\-comp\-lzo [mode]
+.B DEPRECATED
+This option will be removed in a future OpenVPN release.  Use the
+newer
+.B \-\-compress
+instead.
+
 Use LZO compression -- may add up to 1 byte per
 packet for incompressible data.
 .B mode
 may be "yes", "no", or "adaptive" (default).
 
-This option is deprecated in favor of the newer
-.B --compress
-option.
-
 In a server mode setup, it is possible to selectively turn
 compression on or off for individual clients.
 
@@ -3106,9 +3109,13 @@ a common name and IP address.  They do not guarantee that the given common
 name will always receive the given IP address.  If you want guaranteed
 assignment, use
 .B \-\-ifconfig\-push
+
 .\"*********************************************************
 .TP
 .B \-\-ifconfig\-pool\-linear
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5
+
 Modifies the
 .B \-\-ifconfig\-pool
 directive to
@@ -3671,15 +3678,16 @@ to empty strings ("").  The authentication module/script MUST have logic
 to detect this condition and respond accordingly.
 .\"*********************************************************
 .TP
-.B \-\-client\-cert\-not\-required (DEPRECATED)
+.B \-\-client\-cert\-not\-required
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5
+
 Don't require client certificate, client will authenticate
 using username/password only.  Be aware that using this directive
 is less secure than requiring certificates from all clients.
 
-
 .B Please note:
-This option is now deprecated and will be removed in OpenVPN v2.5.
-It is replaced by
+This is replaced by
 .B \-\-verify\-client\-cert
 which allows for more flexibility. The option
 .B \-\-verify\-client\-cert none
@@ -3744,7 +3752,10 @@ the authenticated username as the common name,
 rather than the common name from the client cert.
 .\"*********************************************************
 .TP
-.B \-\-compat\-names [no\-remapping] (DEPRECATED)
+.B \-\-compat\-names [no\-remapping]
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5
+
 Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted
 like this:
 .IP
@@ -3792,7 +3803,10 @@ to make the transition to the new formatting less intrusive.  It will be
 removed in OpenVPN v2.5.  So please update your scripts/plug-ins where necessary.
 .\"*********************************************************
 .TP
-.B \-\-no\-name\-remapping (DEPRECATED)
+.B \-\-no\-name\-remapping
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5
+
 The
 .B \-\-no\-name\-remapping
 option is an alias for
@@ -4150,13 +4164,29 @@ For more information on HMAC see
 .B \-\-cipher alg
 Encrypt data channel packets with cipher algorithm
 .B alg.
+
 The default is
 .B BF-CBC,
-an abbreviation for Blowfish in Cipher Block Chaining mode.
+an abbreviation for Blowfish in Cipher Block Chaining mode.  When cipher
+negotiation (NCP) is allowed, OpenVPN 2.4 and newer on both client and server
+side will automatically upgrade to
+.B AES-256-GCM.
+See
+.B \-\-ncp\-ciphers
+and
+.B \-\-ncp\-disable
+for more details on NCP.
 
-Using BF-CBC is no longer recommended, because of it's 64-bit block size.  This
+Using
+.B BF-CBC
+is no longer recommended, because of its 64-bit block size.  This
 small block size allows attacks based on collisions, as demonstrated by SWEET32.
-See https://community.openvpn.net/openvpn/wiki/SWEET32 for details.
+See https://community.openvpn.net/openvpn/wiki/SWEET32 for details.  Due to
+this, support for
+.B BF-CBC, DES, CAST5, IDEA
+and
+.B RC2
+ciphers will be removed in OpenVPN 2.6.
 
 To see other ciphers that are available with OpenVPN, use the
 .B \-\-show\-ciphers
@@ -4166,14 +4196,6 @@ Set
 .B alg=none
 to disable encryption.
 
-As of OpenVPN 2.4, cipher negotiation (NCP) can override the cipher specified by
-.B \-\-cipher\fR.
-See
-.B \-\-ncp\-ciphers
-and
-.B \-\-ncp\-disable
-for more on NCP.
-
 .\"*********************************************************
 .TP
 .B \-\-ncp\-ciphers cipher_list
@@ -4260,6 +4282,9 @@ supported by OpenSSL.
 .\"*********************************************************
 .TP
 .B \-\-no\-replay
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5.
+
 (Advanced) Disable OpenVPN's protection against replay attacks.
 Don't use this option unless you are prepared to make
 a tradeoff of greater efficiency in exchange for less
@@ -4423,7 +4448,6 @@ This option only makes sense when replay protection is enabled
 .\"*********************************************************
 .TP
 .B \-\-no\-iv
-
 .B DEPRECATED
 This option will be removed in OpenVPN 2.5.
 
@@ -4823,6 +4847,9 @@ Certificate Store GUI.
 .\"*********************************************************
 .TP
 .B \-\-key\-method m
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5
+
 Use data channel key negotiation method
 .B m.
 The key method must match on both sides of the connection.
@@ -5379,8 +5406,9 @@ as X509_<depth>_<attribute>=<value>.  Multiple
 options can be defined to track multiple attributes.
 .\"*********************************************************
 .TP
-.B \-\-ns\-cert\-type client|server (DEPRECATED)
-This option is deprecated.  Use the more modern equivalent
+.B \-\-ns\-cert\-type client|server
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5.  Use the more modern equivalent
 .B \-\-remote\-cert\-tls
 instead.  This option will be removed in OpenVPN 2.5.
 

src/openvpn/options.c

@@ -415,8 +415,9 @@ static const char usage_message[] =
     "                  client instance.\n"
     "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
     "                  to be dynamically allocated to connecting clients.\n"
-    "--ifconfig-pool-linear : Use individual addresses rather than /30 subnets\n"
-    "                  in tun mode.  Not compatible with Windows clients.\n"
+    "--ifconfig-pool-linear : (DEPRECATED) Use individual addresses rather \n"
+    "                  than /30 subnets\n in tun mode.  Not compatible with\n"
+    "                  Windows clients.\n"
     "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
     "                  data to file, at seconds intervals (default=600).\n"
     "                  If seconds=0, file will be treated as read-only.\n"
@@ -434,7 +435,7 @@ static const char usage_message[] =
     "                  Only valid in a client-specific config file.\n"
     "--disable       : Client is disabled.\n"
     "                  Only valid in a client-specific config file.\n"
-    "--client-cert-not-required : Don't require client certificate, client\n"
+    "--client-cert-not-required : (DEPRECATED) Don't require client certificate, client\n"
     "                  will authenticate using username/password.\n"
     "--verify-client-cert [none|optional|require] : perform no, optional or\n"
     "                  mandatory client certificate verification.\n"
@@ -455,7 +456,7 @@ static const char usage_message[] =
     "                  with those of the server will be disconnected.\n"
     "--auth-user-pass-optional : Allow connections by clients that don't\n"
     "                  specify a username/password.\n"
-    "--no-name-remapping : Allow Common Name and X509 Subject to include\n"
+    "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
     "                      any printable character.\n"
     "--client-to-client : Internally route client-to-client traffic.\n"
     "--duplicate-cn  : Allow multiple clients with the same common name to\n"
@@ -539,13 +540,13 @@ static const char usage_message[] =
     "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
     "                   nonce_secret_len=nsl.  Set alg=none to disable PRNG.\n"
 #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
-    "--keysize n     : Size of cipher key in bits (optional).\n"
+    "--keysize n     : (DEPRECATED) Size of cipher key in bits (optional).\n"
     "                  If unspecified, defaults to cipher-specific default.\n"
 #endif
 #ifndef ENABLE_CRYPTO_MBEDTLS
     "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
 #endif
-    "--no-replay     : Disable replay protection.\n"
+    "--no-replay     : (DEPRECATED) Disable replay protection.\n"
     "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
     "--replay-window n [t]  : Use a replay protection sliding window of size n\n"
     "                         and a time window of t seconds.\n"
@@ -563,7 +564,7 @@ static const char usage_message[] =
     "(These options are meaningful only for TLS-mode)\n"
     "--tls-server    : Enable TLS and assume server role during TLS handshake.\n"
     "--tls-client    : Enable TLS and assume client role during TLS handshake.\n"
-    "--key-method m  : Data channel key exchange method.  m should be a method\n"
+    "--key-method m  : (DEPRECATED) Data channel key exchange method.  m should be a method\n"
     "                  number, such as 1 (default), 2, etc.\n"
     "--ca file       : Certificate authority file in .pem format containing\n"
     "                  root certificate.\n"
@@ -6570,6 +6571,7 @@ add_option(struct options *options,
     {
         VERIFY_PERMISSION(OPT_P_GENERAL);
         options->topology = TOP_P2P;
+        msg(M_WARN, "DEPRECATED OPTION: --ifconfig-pool-linear, use --topology p2p instead");
     }
     else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2])
     {