Update cipher-related man page text

As reported in trac #732, the man page text for --cipher is no longer
accurate.  Update the text to represent current knowledge, about NCP and
SWEET32.

This does not hint at changing the default cipher, because we did not make
a decision on that yet.  If we do change the default cipher, we'll have to
update the text to reflect that.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1473605477-20908-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12440.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index f30cf380ceb086487b33868b21508732044d3d5d..70573dacb1abdc9db80f664023ee6e6b147e98b9 100644 (file)
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -3910,22 +3910,14 @@ Encrypt data channel packets with cipher algorithm
 The default is
 .B BF-CBC,
 an abbreviation for Blowfish in Cipher Block Chaining mode.
-Blowfish has the advantages of being fast, very secure, and allowing key sizes
-of up to 448 bits.  Blowfish is designed to be used in situations where
-keys are changed infrequently.
 
-For more information on blowfish, see
-.I http://www.counterpane.com/blowfish.html
+Using BF-CBC is no longer recommended, because of it's 64-bit block size.  This
+small block size allows attacks based on collisions, as demonstrated by SWEET32.
 
-To see other ciphers that are available with
-OpenVPN, use the
+To see other ciphers that are available with OpenVPN, use the
 .B \-\-show\-ciphers
 option.
 
-OpenVPN supports the CBC, CFB, and OFB cipher modes,
-however CBC is recommended and CFB and OFB should
-be considered advanced modes.
-
 Set
 .B alg=none
 to disable encryption.