From 4da513d584b4e7521de5a47a95cc27fa8a342fd3 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Fri, 10 Feb 2023 15:27:10 +0100 Subject: [PATCH] Revise the cipher negotiation info about OpenVPN3 in the man page Newer OpenVPN 3 core versions now allow limited configuration of ciphers: // Allow usage of legacy (cipher) algorithm that are no longer // considered safe // This includes BF-CBC, single DES and RC2 private key encryption. // With OpenSSL 3.0 this also instructs OpenSSL to load the legacy // provider. bool enableLegacyAlgorithms = false; // By default modern OpenVPN version (OpenVPN 2.6 and OpenVPN core // 3.7) will only allow // preferred algorithms (AES-GCM, Chacha20-Poly1305) that also work // with the newer DCO // implementations. If this is enabled, we fall back to allowing all // algorithms (if these are // supported by the crypto library) bool enableNonPreferredDCAlgorithms = false; Adjust the man page section accordingly but only really mention the AEAD ciphers to be always present and that they should be included in the data-ciphers option. Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20230210142712.572303-7-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26226.html Signed-off-by: Gert Doering --- doc/man-sections/cipher-negotiation.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/man-sections/cipher-negotiation.rst b/doc/man-sections/cipher-negotiation.rst index b07176cd2..888ffa6fe 100644 --- a/doc/man-sections/cipher-negotiation.rst +++ b/doc/man-sections/cipher-negotiation.rst @@ -42,8 +42,9 @@ options to avoid this behaviour. OpenVPN 3 clients ----------------- Clients based on the OpenVPN 3.x library (https://github.com/openvpn/openvpn3/) -do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. Instead -these clients will announce support for all their supported AEAD ciphers +do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. Newer +versions by default disable legacy AES-CBC, BF-CBC, and DES-CBC ciphers. +These clients will always announce support for all their supported AEAD ciphers (`AES-256-GCM`, `AES-128-GCM` and in newer versions also `Chacha20-Poly1305`). To support OpenVPN 3.x based clients at least one of these ciphers needs to be -- 2.47.3