Behavioral changes
------------------
-- OpenVPN will complain loudly about ciphers with 128-bits block sizes or less
+- OpenVPN will complain loudly about ciphers with block sizes less than 128-bits
- OpenVPN will by default re-negotiate the tunnel after 64MB when used with
- ciphers using cipher blocks of 128-bits or less
+ ciphers using cipher blocks sizes less than 128-bits
- Remove --enable-password-save option to configure, this is now always enabled
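Review bot: the `+` line "ciphers using cipher blocks sizes less than 128-bits" has a typo ("blocks sizes") and the unit is hyphenated as if it were a compound adjective; since the preceding bullet was just reworded to "block sizes less than 128-bits", both bullets should use the same phrasing, e.g. "ciphers with block sizes less than 128 bits" and "ciphers using block sizes less than 128 bits" (hyphenate only when used attributively, as in "128-bit block"). The rewording itself correctly narrows the condition from "128 bits or less" to "less than 128 bits", which keeps 128-bit block ciphers out of the warning and out of the 64MB renegotiation default, so the two bullets now agree with each other.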
Ciphers with cipher blocks less than 128 bits will now do a renegotiation
of the tunnel by default for every 64MB of data. This behaviour can be
- overridden by explictly setting --reneg-bytes 0 in the configuration file,
+ overridden by explicitly setting --reneg-bytes 0 in the configuration file,
however this is HIGHLY discouraged.
This is to reduce the risk for SWEET32 attacks. The general recommendation
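Review bot: the hunk only fixes "explictly" in this paragraph, but the surrounding context lines have the same wording problems as the bullet list and could be cleaned up in the same change: "Ciphers with cipher blocks less than 128 bits" should read "Ciphers with block sizes less than 128 bits", and "reduce the risk for SWEET32 attacks" should be "reduce the risk of SWEET32 attacks". Since the paragraph tells users to keep the default rather than set `--reneg-bytes 0`, it would be more actionable if it also named which of the shipped ciphers fall under the 128-bit threshold (or pointed at where the man page lists them), because few users know the block size of the cipher they configured.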
.B \-\-reneg\-bytes n
Renegotiate data channel key after
.B n
-bytes sent or received (disabled by default).
+bytes sent or received (disabled by default with an exception, see below).
OpenVPN allows the lifetime of a key
-to be expressed as a number of bytes encrypted/decrypted, a number of packets, or
-a number of seconds. A key renegotiation will be forced
+to be expressed as a number of bytes encrypted/decrypted, a number of packets,
+or a number of seconds. A key renegotiation will be forced
if any of these three criteria are met by either peer.
+
+If using ciphers with cipher block sizes less than 128-bits, \-\-reneg\-bytes is
+set to 64MB by default, unless it is explicitly disabled by setting the value to
+0, but this is
+.B HIGHLY DISCOURAGED
+as this is designed to add some protection against the SWEET32 attack vector.
+For more information see the \-\-cipher option.
.\"*********************************************************
.TP
.B \-\-reneg\-pkts n
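Review bot: the added paragraph under `\-\-reneg\-bytes` says the 64MB default applies "unless it is explicitly disabled by setting the value to 0", which leaves it unclear whether an explicit non-zero value (say a smaller or larger byte count) also replaces the default; the sentence should state that any explicitly configured `--reneg-bytes` value overrides the default, and that 0 in particular turns the renegotiation off, which is the discouraged case. Two smaller points in the same lines: "as this is designed to add some protection" has no clear antecedent (say "as the default is designed to add some protection"), and because `n` is a byte count the man page should give the concrete value the default uses rather than only "64MB", so a user who wants to set an explicit value knows what number to write. Finally, the new "For more information see the \-\-cipher option." cross-reference assumes the `--cipher` section documents the block-size warning and the 64MB default; that section is not in this excerpt, so please confirm the matching text lands there in the same patch.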