From: Arne Schwabe <arne@rfc2549.org>
Date: Mon, 13 Dec 2021 15:09:50 +0000 (+0100)
Subject: Move deprecation of SWEET32/64bit block size ciphers to 2.7
X-Git-Tag: v2.5.5~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4e5e687fb63bb8cb72862c33775e88dec844c136;p=thirdparty%2Fopenvpn.git

Move deprecation of SWEET32/64bit block size ciphers to 2.7

We originally wanted to deprecated these ciphers (especially BF-CBC) with
2.6 but currently these ciphers are still too widespread to make this
transition for 2.6.

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211213150950.3993881-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23402.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7f2d7dbf986fd7233eabb250b35bf7c3112d3e37)
---

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 619cd967d..6945cc0f8 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -729,7 +729,7 @@ warn_insecure_key_type(const char *ciphername, const cipher_kt_t *cipher)
             " bit (%d bit).  This allows attacks like SWEET32.  Mitigate by "
             "using a --cipher with a larger block size (e.g. AES-256-CBC). "
             "Support for these insecure ciphers will be removed in "
-            "OpenVPN 2.6.",
+            "OpenVPN 2.7.",
             ciphername, cipher_kt_block_size(cipher)*8);
     }
 }