From: Steffan Karger Date: Sun, 11 Sep 2016 14:51:17 +0000 (+0200) Subject: Update cipher-related man page text X-Git-Tag: contains~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=db6cdf90b1c0696b93a551aab7c9c9925c6774df;p=thirdparty%2Fopenvpn.git Update cipher-related man page text As reported in trac #732, the man page text for --cipher is no longer accurate. Update the text to represent current knowledge, about NCP and SWEET32. This does not hint at changing the default cipher, because we did not make a decision on that yet. If we do change the default cipher, we'll have to update the text to reflect that. Signed-off-by: Steffan Karger Acked-by: Gert Doering Message-Id: <1473605477-20908-1-git-send-email-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12440.html Signed-off-by: Gert Doering --- diff --git a/doc/openvpn.8 b/doc/openvpn.8 index f30cf380c..70573dacb 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -3910,22 +3910,14 @@ Encrypt data channel packets with cipher algorithm The default is .B BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode. -Blowfish has the advantages of being fast, very secure, and allowing key sizes -of up to 448 bits. Blowfish is designed to be used in situations where -keys are changed infrequently. -For more information on blowfish, see -.I http://www.counterpane.com/blowfish.html +Using BF-CBC is no longer recommended, because of it's 64-bit block size. This +small block size allows attacks based on collisions, as demonstrated by SWEET32. -To see other ciphers that are available with -OpenVPN, use the +To see other ciphers that are available with OpenVPN, use the .B \-\-show\-ciphers option. -OpenVPN supports the CBC, CFB, and OFB cipher modes, -however CBC is recommended and CFB and OFB should -be considered advanced modes. - Set .B alg=none to disable encryption.
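Review bot: In the added line "Using BF-CBC is no longer recommended, because of it's 64-bit block size", "it's" should be the possessive "its". The paragraph also now reads "The default is BF-CBC" followed directly by a statement that BF-CBC is not recommended, and it gives the reader nothing to act on. Since the commit message says the default is deliberately left unchanged, consider adding one sentence that tells users to set --cipher explicitly to a cipher with a 128-bit block size, chosen from the --show-ciphers output. The commit message says the text is updated for NCP as well as SWEET32, but none of the added lines visible in this hunk mention NCP. If that text is not elsewhere in the patch, a short note here on how cipher negotiation interacts with --cipher would match the stated intent. Finally, the removed paragraph on CBC, CFB and OFB modes has no replacement, so the page no longer says which modes are supported or preferred. If the omission is intentional, a line in the commit message would make that clear.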