git.ipfire.org Git - thirdparty/openvpn.git/commit
author Steffan Karger <steffan.karger@fox-it.com>
Fri, 28 Oct 2016 11:57:01 +0000 (13:57 +0200)
committer David Sommerseth <davids@openvpn.net>
Fri, 28 Oct 2016 12:40:15 +0000 (14:40 +0200)
commit 752caece99a61e516386f94823e82ddf13fcbcab
tree 76fc50454dfcd9a515a37f97872a58d9a586abb0
parent f93b76398003769685ae1053ec978fffe17f6cd6
Limit --reneg-bytes to 64MB when using small block ciphers

Following the earlier warning about small block ciphers, now limit the
--reneg-bytes value when using a cipher that is susceptible to SWEET32-like
attacks.  The 64 MB value has been selected with the researchers who
published the SWEET32 paper.

Note that this will not change a user-set --reneg-bytes value, to allow a
user to align a gun with his feet^w^w^w^w^w^w override this behaviour if
really needed.

v2: obey user-set --reneg-bytes 0 to revert to old behaviour, use more firm
    language in warning message, and add URL to man page.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1477655821-6711-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12798.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
doc/openvpn.8
src/openvpn/crypto.c
src/openvpn/options.c
src/openvpn/ssl.c