mirror of https://github.com/OpenVPN/openvpn.git synced 2024-09-20 03:52:28 +02:00

doc/man: Mark compression options as deprecated

Due to the VORACLE attack vector, compression in general is deprecated.
Make this clear in the man page.

Also remove an incorrect statement claiming --compress lzo is compatible
with --comp-lzo.  It is not, as --compress lzo uses a different
compression framing than --comp-lzo.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200716225338.611-6-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20417.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
David Sommerseth 2020-07-17 00:53:35 +02:00 committed by Gert Doering
parent f500c49c8e
commit 850fd5fab7


@ -60,9 +60,7 @@ configured in a compatible way between both the local and remote side.
The ``algorithm`` parameter may be :code:`lzo`, :code:`lz4`, or empty. The ``algorithm`` parameter may be :code:`lzo`, :code:`lz4`, or empty.
LZO and LZ4 are different compression algorithms, with LZ4 generally LZO and LZ4 are different compression algorithms, with LZ4 generally
offering the best performance with least CPU usage. For backwards offering the best performance with least CPU usage.
compatibility with OpenVPN versions before v2.4, use :code:`lzo` (which
is identical to the older option ``--comp-lzo yes``).
If the ``algorithm`` parameter is empty, compression will be turned off, If the ``algorithm`` parameter is empty, compression will be turned off,
but the packet framing for compression will still be enabled, allowing a but the packet framing for compression will still be enabled, allowing a
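Review bot: deleting the backwards-compatibility sentence after "least CPU usage." leaves this section silent on how ``--compress lzo`` relates to ``--comp-lzo``. The commit message explains that the two use different compression framing, but the man page text no longer says anything either way, so someone who configured peers from the old wording gets no hint that the pairing is wrong. Suggest replacing the removed sentence with one explicit statement that ``--compress lzo`` is not compatible with ``--comp-lzo`` because the framing differs.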
@ -79,8 +77,9 @@ configured in a compatible way between both the local and remote side.
*not* enable compression. *not* enable compression.
--comp-lzo mode --comp-lzo mode
*DEPRECATED* This option will be removed in a future OpenVPN release. **DEPRECATED** Enable LZO compression algorithm. Compression is
Use the newer ``--compress`` instead. generally not recommended. VPN tunnels which uses compression are
suspectible to the VORALCE attack vector.
Use LZO compression -- may add up to 1 byte per packet for incompressible Use LZO compression -- may add up to 1 byte per packet for incompressible
data. ``mode`` may be :code:`yes`, :code:`no`, or :code:`adaptive` data. ``mode`` may be :code:`yes`, :code:`no`, or :code:`adaptive`
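Review bot: the new ``--comp-lzo`` text has three typos in the added lines: "suspectible" should be "susceptible", "VORALCE" should be "VORACLE" (as spelled in the commit message), and "tunnels which uses" should be "tunnels which use". The added "Enable LZO compression algorithm." also duplicates the unchanged "Use LZO compression --" sentence that follows it, so one of the two can go. The pointer to ``--compress`` is dropped, which fits the commit message, but the entry now gives no guidance on what to do instead; a short recommendation to run without compression would close that gap.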
@ -106,9 +105,9 @@ configured in a compatible way between both the local and remote side.
link, the second sets the client side. link, the second sets the client side.
--comp-noadapt --comp-noadapt
When used in conjunction with ``--comp-lzo``, this option will disable **DEPRECATED** When used in conjunction with ``--comp-lzo``, this option
OpenVPN's adaptive compression algorithm. Normally, adaptive compression will disable OpenVPN's adaptive compression algorithm. Normally, adaptive
is enabled with ``--comp-lzo``. compression is enabled with ``--comp-lzo``.
Adaptive compression tries to optimize the case where you have Adaptive compression tries to optimize the case where you have
compression enabled, but you are sending predominantly incompressible compression enabled, but you are sending predominantly incompressible
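Review bot: the ``--comp-noadapt`` entry gains a bare **DEPRECATED** marker with no reason and no alternative, unlike the ``--comp-lzo`` entry in the previous hunk, which states why compression is discouraged. Someone reading only this entry cannot tell whether the option is deprecated for its own sake or because ``--comp-lzo`` is. Suggest adding a short clause after the marker that ties it to the ``--comp-lzo`` deprecation, or a cross-reference to that entry.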