User-visible Changes
--------------------
+- When using ciphers with cipher blocks less than 128-bits
+ OpenVPN will complain loudly if the configuration uses ciphers considered
+ weak, such as the SWEET32 attack vector. In such scenarios, OpenVPN will by
+ default do a renegotiation for each 64MB of transported data (``--reneg-bytes``).
+ This renegotiation can be disabled, but is HIGHLY DISCOURAGED.
+
- For certificate DNs with duplicate fields, e.g. "OU=one,OU=two", both fields
are now exported to the environment, where each second and later occurrence
of a field get _$N appended to it's field name, starting at N=1. For the
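Review bot: in the first bullet, "ciphers considered weak, such as the SWEET32 attack vector" reads as though SWEET32 were a cipher; it is the attack that a block size below 128 bits exposes the cipher to, so reword along the lines of "ciphers with a block size below 128 bits, which are vulnerable to the SWEET32 attack". The same bullet says OpenVPN "will complain loudly" without saying where; state whether this is a warning in the log at startup so operators know what to look for. The "64MB" here and in the man page should also say which unit is meant (64 * 2^20 bytes or 64,000,000 bytes), since the value is what the user would compare against when choosing their own ``--reneg-bytes``.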
.B \-\-reneg\-bytes n
Renegotiate data channel key after
.B n
-bytes sent or received (disabled by default).
+bytes sent or received (disabled by default with an exception, see below).
OpenVPN allows the lifetime of a key
-to be expressed as a number of bytes encrypted/decrypted, a number of packets, or
-a number of seconds. A key renegotiation will be forced
+to be expressed as a number of bytes encrypted/decrypted, a number of packets,
+or a number of seconds. A key renegotiation will be forced
if any of these three criteria are met by either peer.
+
+If using ciphers with cipher block sizes less than 128-bits, \-\-reneg\-bytes is
+set to 64MB by default, unless it is explicitly disabled by setting the value to
+0, but this is
+.B HIGHLY DISCOURAGED
+as this is designed to add some protection against the SWEET32 attack vector.
+For more information see the \-\-cipher option.
.\"*********************************************************
.TP
.B \-\-reneg\-pkts n
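Review bot: the new paragraph only covers the case where the user sets \-\-reneg\-bytes to 0; it does not say what happens when a non-zero value is given explicitly together with a small-block cipher, so state whether an explicit value overrides the 64MB default or whether the smaller of the two wins. The sentence "but this is HIGHLY DISCOURAGED as this is designed to add some protection" uses "this" for two different things (disabling, and the default itself); split it, e.g. "Disabling it is HIGHLY DISCOURAGED, as the default exists to add some protection against the SWEET32 attack vector." The parenthetical "(disabled by default with an exception, see below)" reads more naturally as "(disabled by default; see below for the exception)". The 64MB figure should also be stated in bytes, as for the Changes entry, since the option takes a byte count.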