)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"f488de7c6ec5bf87cf1439b6dfa9797699c5aeb8","unresolved":true,"context_lines":[{"line_number":4,"context_line":"Commit:     Arne Schwabe \u003carne@rfc2549.org\u003e"},{"line_number":5,"context_line":"CommitDate: 2025-04-23 11:33:23 +0200"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Make dh none behaviour default if not specific and add dh auto"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Nowadays ciphers that are using still DH and not ECDH are rarely chosen"},{"line_number":10,"context_line":"as best cipher suite. Our man page even indicates that OpenSSL 1.0.1+"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"e1153c4e_50db37a0","line":7,"updated":"2025-04-23 11:06:25.000000000","message":"Do you mean \"specified\" instead of \"specific\"?","commit_id":"304122d0014445218526cf8fe5ac6369759053da"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"c723bc77c9642669907dfa001c2ec6b74f0c31dc","unresolved":false,"context_lines":[{"line_number":4,"context_line":"Commit:     Arne Schwabe \u003carne@rfc2549.org\u003e"},{"line_number":5,"context_line":"CommitDate: 2025-04-23 11:33:23 +0200"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Make dh none behaviour default if not specific and add dh auto"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Nowadays ciphers that are using still DH and not ECDH are rarely chosen"},{"line_number":10,"context_line":"as best cipher suite. 
Our man page even indicates that OpenSSL 1.0.1+"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"52d0bfdd_9f13c56b","line":7,"in_reply_to":"e1153c4e_50db37a0","updated":"2025-04-24 11:20:03.000000000","message":"Done","commit_id":"304122d0014445218526cf8fe5ac6369759053da"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"b86fca1883981384fc263c2fb5a0ea756a038dab","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"1ef3375c_adb1e3eb","updated":"2025-04-29 21:04:21.000000000","message":"After a bit more consideration, I think we should not bother with auto and just make dh none the default. Finite-field DH key exchanges are already forbidden by BSI TR-02102-4 by 2029, and the IETF also deprecates them (https://datatracker.ietf.org/doc/draft-ietf-tls-deprecate-obsolete-kex/).\n\nSo I will update the patch to provide only dh none as default.","commit_id":"665e87ae4d41cb879bc2f3c644e01ec46a11262c"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"559b0ce0243d1e96a5e245980e3562b85f49cbfa","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"b415f6e9_c9d3d98b","updated":"2025-04-25 11:39:02.000000000","message":"Some more nitpicking","commit_id":"665e87ae4d41cb879bc2f3c644e01ec46a11262c"},{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"3c24e5ff09e3324d54ac04ec206630afcf62e998","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"960fd4e6_edc7bce4","updated":"2025-05-05 10:43:09.000000000","message":"text in 
Changes.rst","commit_id":"8fcb01efdd28b23558489632c283d47eb4ab929c"}],"Changes.rst":[{"author":{"_account_id":1000002,"name":"cron2","display_name":"Gert Doering","email":"gert@greenie.muc.de","username":"cron2"},"change_message_id":"3c24e5ff09e3324d54ac04ec206630afcf62e998","unresolved":true,"context_lines":[{"line_number":104,"context_line":"  uppercase. This is deprecated since OpenVPN 2.4, and has now been removed."},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"- ``--dh none`` is now the default if ``--dh`` is specified. Modern TLS"},{"line_number":107,"context_line":"  implementations will prefer ECDH and other more modern algorithm anyway."},{"line_number":108,"context_line":"  And finite field Diffie Hellman is in the proces of being deprecated"},{"line_number":109,"context_line":"  (see draft-ietf-tls-deprecate-obsolete-kex)"},{"line_number":110,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"d1d9e939_7100d9fb","line":107,"updated":"2025-05-05 10:43:09.000000000","message":"this line seems to be missing a \"not\" - `if --dh is not specified`.  No?","commit_id":"8fcb01efdd28b23558489632c283d47eb4ab929c"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"c4eb4a4e1e00759908e3aa8dbffd110455a15bd9","unresolved":false,"context_lines":[{"line_number":104,"context_line":"  uppercase. This is deprecated since OpenVPN 2.4, and has now been removed."},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"- ``--dh none`` is now the default if ``--dh`` is specified. 
Modern TLS"},{"line_number":107,"context_line":"  implementations will prefer ECDH and other more modern algorithm anyway."},{"line_number":108,"context_line":"  And finite field Diffie Hellman is in the proces of being deprecated"},{"line_number":109,"context_line":"  (see draft-ietf-tls-deprecate-obsolete-kex)"},{"line_number":110,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"35ce90c4_aeef4068","line":107,"in_reply_to":"d1d9e939_7100d9fb","updated":"2025-05-18 20:43:49.000000000","message":"Acknowledged","commit_id":"8fcb01efdd28b23558489632c283d47eb4ab929c"}],"doc/man-sections/tls-options.rst":[{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"f488de7c6ec5bf87cf1439b6dfa9797699c5aeb8","unresolved":true,"context_lines":[{"line_number":180,"context_line":"  ECDH TLS cipher suites (e.g. OpenSSL 1.0.1+, or mbed TLS 2.0+). Starting"},{"line_number":181,"context_line":"  with 2.7.0, this is the same as not specifying ``--dh`` at all."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"  Set ``file`` to :code:`auto` enables using builtin Diffie Hellman"},{"line_number":184,"context_line":"  parameters of the TLS library, e.g. 
the ones defined in RFC 7919."},{"line_number":185,"context_line":""},{"line_number":186,"context_line":"  Diffie Hellman parameters can be generated using"}],"source_content_type":"text/x-rst","patch_set":1,"id":"b9aff705_92f37f5f","line":183,"updated":"2025-04-23 11:06:25.000000000","message":"\"Setting\"","commit_id":"304122d0014445218526cf8fe5ac6369759053da"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"559b0ce0243d1e96a5e245980e3562b85f49cbfa","unresolved":false,"context_lines":[{"line_number":180,"context_line":"  ECDH TLS cipher suites (e.g. OpenSSL 1.0.1+, or mbed TLS 2.0+). Starting"},{"line_number":181,"context_line":"  with 2.7.0, this is the same as not specifying ``--dh`` at all."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"  Set ``file`` to :code:`auto` enables using builtin Diffie Hellman"},{"line_number":184,"context_line":"  parameters of the TLS library, e.g. 
the ones defined in RFC 7919."},{"line_number":185,"context_line":""},{"line_number":186,"context_line":"  Diffie Hellman parameters can be generated using"}],"source_content_type":"text/x-rst","patch_set":1,"id":"0875d49b_2e79eee5","line":183,"in_reply_to":"b9aff705_92f37f5f","updated":"2025-04-25 11:39:02.000000000","message":"Done","commit_id":"304122d0014445218526cf8fe5ac6369759053da"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"f488de7c6ec5bf87cf1439b6dfa9797699c5aeb8","unresolved":true,"context_lines":[{"line_number":185,"context_line":""},{"line_number":186,"context_line":"  Diffie Hellman parameters can be generated using"},{"line_number":187,"context_line":"  ``openssl dhparam -out dh2048.pem 2048`` but it is recommended to"},{"line_number":188,"context_line":"  use the public well-known parameter or using ``none``."},{"line_number":189,"context_line":"  Diffie Hellman parameters may be considered public."},{"line_number":190,"context_line":""},{"line_number":191,"context_line":"--ecdh-curve name"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7b830145_762c2aad","line":188,"updated":"2025-04-23 11:06:25.000000000","message":"\"parameters\"","commit_id":"304122d0014445218526cf8fe5ac6369759053da"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"559b0ce0243d1e96a5e245980e3562b85f49cbfa","unresolved":false,"context_lines":[{"line_number":185,"context_line":""},{"line_number":186,"context_line":"  Diffie Hellman parameters can be generated using"},{"line_number":187,"context_line":"  ``openssl dhparam -out dh2048.pem 2048`` but it is recommended to"},{"line_number":188,"context_line":"  use the public well-known parameter or using 
``none``."},{"line_number":189,"context_line":"  Diffie Hellman parameters may be considered public."},{"line_number":190,"context_line":""},{"line_number":191,"context_line":"--ecdh-curve name"}],"source_content_type":"text/x-rst","patch_set":1,"id":"24f9ab7c_0d7f8e5e","line":188,"in_reply_to":"7b830145_762c2aad","updated":"2025-04-25 11:39:02.000000000","message":"Done","commit_id":"304122d0014445218526cf8fe5ac6369759053da"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"559b0ce0243d1e96a5e245980e3562b85f49cbfa","unresolved":true,"context_lines":[{"line_number":176,"context_line":""},{"line_number":177,"context_line":"  Set ``file`` to :code:`none` to disable Diffie Hellman key exchange (and"},{"line_number":178,"context_line":"  use ECDH or newer hybrid key agreement algorithms like X25519MLKEM768)."},{"line_number":179,"context_line":"  Note that this requires peers to be using an SSL library that supports"},{"line_number":180,"context_line":"  ECDH TLS cipher suites (e.g. OpenSSL 1.0.1+, or mbed TLS 2.0+). Starting"},{"line_number":181,"context_line":"  with 2.7.0, this is the same as not specifying ``--dh`` at all."},{"line_number":182,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"46dda9bc_dd7a8286","line":179,"updated":"2025-04-25 11:39:02.000000000","message":"\"to use\" instead of \"to be using\". 
While not incorrect I think it sounds clunky.","commit_id":"665e87ae4d41cb879bc2f3c644e01ec46a11262c"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"c4eb4a4e1e00759908e3aa8dbffd110455a15bd9","unresolved":false,"context_lines":[{"line_number":176,"context_line":""},{"line_number":177,"context_line":"  Set ``file`` to :code:`none` to disable Diffie Hellman key exchange (and"},{"line_number":178,"context_line":"  use ECDH or newer hybrid key agreement algorithms like X25519MLKEM768)."},{"line_number":179,"context_line":"  Note that this requires peers to be using an SSL library that supports"},{"line_number":180,"context_line":"  ECDH TLS cipher suites (e.g. OpenSSL 1.0.1+, or mbed TLS 2.0+). Starting"},{"line_number":181,"context_line":"  with 2.7.0, this is the same as not specifying ``--dh`` at all."},{"line_number":182,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"502502c9_e7a23051","line":179,"in_reply_to":"46dda9bc_dd7a8286","updated":"2025-05-18 20:43:49.000000000","message":"Acknowledged","commit_id":"665e87ae4d41cb879bc2f3c644e01ec46a11262c"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"559b0ce0243d1e96a5e245980e3562b85f49cbfa","unresolved":true,"context_lines":[{"line_number":185,"context_line":""},{"line_number":186,"context_line":"  Diffie Hellman parameters can be generated using"},{"line_number":187,"context_line":"  ``openssl dhparam -out dh2048.pem 2048`` but it is recommended to"},{"line_number":188,"context_line":"  use the public well-known parameters or using ``none``."},{"line_number":189,"context_line":"  Diffie Hellman parameters may be considered public."},{"line_number":190,"context_line":""},{"line_number":191,"context_line":"--ecdh-curve 
name"}],"source_content_type":"text/x-rst","patch_set":2,"id":"ff6311bb_0efb9609","line":188,"updated":"2025-04-25 11:39:02.000000000","message":"\"use\" versus \"using\". Maybe just remove the \"using\"?","commit_id":"665e87ae4d41cb879bc2f3c644e01ec46a11262c"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"925d713049da3e5d3ffaf1f1432bfabc97a8384e","unresolved":false,"context_lines":[{"line_number":185,"context_line":""},{"line_number":186,"context_line":"  Diffie Hellman parameters can be generated using"},{"line_number":187,"context_line":"  ``openssl dhparam -out dh2048.pem 2048`` but it is recommended to"},{"line_number":188,"context_line":"  use the public well-known parameters or using ``none``."},{"line_number":189,"context_line":"  Diffie Hellman parameters may be considered public."},{"line_number":190,"context_line":""},{"line_number":191,"context_line":"--ecdh-curve name"}],"source_content_type":"text/x-rst","patch_set":2,"id":"bd4cea1f_e64df6d1","line":188,"in_reply_to":"ff6311bb_0efb9609","updated":"2025-05-02 14:22:30.000000000","message":"Done","commit_id":"665e87ae4d41cb879bc2f3c644e01ec46a11262c"}],"src/openvpn/options.c":[{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"f488de7c6ec5bf87cf1439b6dfa9797699c5aeb8","unresolved":true,"context_lines":[{"line_number":3713,"context_line":"    {"},{"line_number":3714,"context_line":"        if (streq(o-\u003edh_file, \"auto\"))"},{"line_number":3715,"context_line":"        {"},{"line_number":3716,"context_line":"            o-\u003edh_file \u003d \"auto\";"},{"line_number":3717,"context_line":"            /* do not check existence of the \"auto\" file */"},{"line_number":3718,"context_line":"            
o-\u003edh_file_inline \u003d true;"},{"line_number":3719,"context_line":"        }"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"c4fa3ce2_91eeefc1","line":3716,"updated":"2025-04-23 11:06:25.000000000","message":"It is already \"auto\", so this seems redundant.","commit_id":"304122d0014445218526cf8fe5ac6369759053da"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"c723bc77c9642669907dfa001c2ec6b74f0c31dc","unresolved":false,"context_lines":[{"line_number":3713,"context_line":"    {"},{"line_number":3714,"context_line":"        if (streq(o-\u003edh_file, \"auto\"))"},{"line_number":3715,"context_line":"        {"},{"line_number":3716,"context_line":"            o-\u003edh_file \u003d \"auto\";"},{"line_number":3717,"context_line":"            /* do not check existence of the \"auto\" file */"},{"line_number":3718,"context_line":"            o-\u003edh_file_inline \u003d true;"},{"line_number":3719,"context_line":"        }"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"1c0a6e2f_dfb427ff","line":3716,"in_reply_to":"c4fa3ce2_91eeefc1","updated":"2025-04-24 11:20:03.000000000","message":"Done","commit_id":"304122d0014445218526cf8fe5ac6369759053da"}],"src/openvpn/ssl.c":[{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"559b0ce0243d1e96a5e245980e3562b85f49cbfa","unresolved":true,"context_lines":[{"line_number":535,"context_line":"    {"},{"line_number":536,"context_line":"        tls_ctx_server_new(new_ctx);"},{"line_number":537,"context_line":""},{"line_number":538,"context_line":"        if (options-\u003edh_file \u0026\u0026 !strcmp(options-\u003edh_file, \"auto\"))"},{"line_number":539,"context_line":"        {"},{"line_number":540,"context_line":"            
tls_ctx_use_dh_params_builtin(new_ctx);"},{"line_number":541,"context_line":"        }"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"3cee585a_d672dc5f","line":538,"updated":"2025-04-25 11:39:02.000000000","message":"Any reason not to use streq() here like in options.c?","commit_id":"665e87ae4d41cb879bc2f3c644e01ec46a11262c"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"c947912e02eca0438eb44c578b7621ca41c9a556","unresolved":false,"context_lines":[{"line_number":535,"context_line":"    {"},{"line_number":536,"context_line":"        tls_ctx_server_new(new_ctx);"},{"line_number":537,"context_line":""},{"line_number":538,"context_line":"        if (options-\u003edh_file \u0026\u0026 !strcmp(options-\u003edh_file, \"auto\"))"},{"line_number":539,"context_line":"        {"},{"line_number":540,"context_line":"            tls_ctx_use_dh_params_builtin(new_ctx);"},{"line_number":541,"context_line":"        }"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"a5c405c1_29bf9aa8","line":538,"in_reply_to":"3cee585a_d672dc5f","updated":"2025-05-02 14:23:31.000000000","message":"Done","commit_id":"665e87ae4d41cb879bc2f3c644e01ec46a11262c"}]}
