From: Steffan Karger
Date: Sun, 11 Sep 2016 14:50:31 +0000 (+0200)
Subject: Update cipher-related man page text
X-Git-Tag: v2.4_alpha1~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5a1daf533ae283e258732260c96461e820e61fe6;p=thirdparty%2Fopenvpn.git

Update cipher-related man page text

As reported in trac #732, the man page text for --cipher is no longer accurate. Update the text to represent current knowledge, about NCP and SWEET32.

This does not hint at changing the default cipher, because we did not make a decision on that yet. If we do change the default cipher, we'll have to update the text to reflect that.

Signed-off-by: Steffan Karger
Acked-by: Gert Doering
Message-Id: <1473605431-20842-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12439.html
Signed-off-by: Gert Doering
---
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 2d159440d..1c341ae7d 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4110,25 +4110,26 @@ Encrypt data channel packets with cipher algorithm The default is .B BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode. -Blowfish has the advantages of being fast, very secure, and allowing key sizes -of up to 448 bits. Blowfish is designed to be used in situations where -keys are changed infrequently. -For more information on blowfish, see -.I http://www.counterpane.com/blowfish.html +Using BF-CBC is no longer recommended, because of it's 64-bit block size. This +small block size allows attacks based on collisions, as demonstrated by SWEET32. -To see other ciphers that are available with -OpenVPN, use the +To see other ciphers that are available with OpenVPN, use the .B \-\-show\-ciphers option. -OpenVPN supports the CBC, CFB, and OFB cipher modes, -however CBC is recommended and CFB and OFB should -be considered advanced modes. - Set .B alg=none to disable encryption. + +As of OpenVPN 2.4, cipher negotiation (NCP) can override the cipher specified by +.B \-\-cipher\fR. +See +.B \-\-ncp-ciphers +and +.B \-\-ncp-disable +for more on NCP. + .\"********************************************************* .TP .B \-\-ncp\-ciphers cipher_list @@ -4141,6 +4142,19 @@ is a colon-separated list of ciphers, and defaults to For servers, the first cipher from .B cipher_list will be pushed to clients that support cipher negotiation. + +Cipher negotiation is enabled in client-server mode only. I.e. if +.B \-\-mode +is set to 'server' (server-side, implied by setting +.B \-\-server +), or if +.B \-\-pull +is specified (client-side, implied by setting \-\-client). + +If both peers support and do not disable NCP, the negotiated cipher will +override the cipher specified by +.B \-\-cipher\fR. + .\"********************************************************* .TP .B \-\-ncp\-disable
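Review bot: typo in the first hunk's new --cipher paragraph: "because of it's 64-bit block size" should read "because of its 64-bit block size". While touching that paragraph, it now tells the reader that BF-CBC is no longer recommended because of SWEET32 but gives no hint what to pick instead; since the default is left unchanged, a short sentence pointing users at a cipher with a 128-bit block size from the --show-ciphers list (and at NCP, which the paragraph already references) would make the warning actionable rather than leaving the user with only the discouraged default. The removed CBC/CFB/OFB sentence was also the only place the man page said which cipher modes are supported; consider keeping a one-line statement of supported modes if that information is not documented elsewhere.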
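Review bot: troff formatting nit in the second hunk's new --ncp-ciphers text: the closing parenthesis placed on its own line after ".B \-\-server" renders with a space before it ("--server )"); use the alternating macro, ".BR \-\-server )," so the parenthesis attaches to the option, and likewise ".BR \-\-cipher ." instead of ".B \-\-cipher\fR." for consistency with the rest of the page. The same sentence sets --server and --pull in bold but leaves "\-\-client" in plain text; mark all three the same way. Wording: "Cipher negotiation is enabled in client-server mode only. I.e. if" reads awkwardly as a sentence opening with "I.e."; suggest "Cipher negotiation is enabled in client-server mode only, that is, when ...". Finally, "If both peers support and do not disable NCP" would be clearer as "If both peers support NCP and neither has disabled it".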