From db6cdf90b1c0696b93a551aab7c9c9925c6774df Mon Sep 17 00:00:00 2001 From: Steffan Karger Date: Sun, 11 Sep 2016 16:51:17 +0200 Subject: [PATCH] Update cipher-related man page text As reported in trac #732, the man page text for --cipher is no longer accurate. Update the text to represent current knowledge, about NCP and SWEET32. This does not hint at changing the default cipher, because we did not make a decision on that yet. If we do change the default cipher, we'll have to update the text to reflect that. Signed-off-by: Steffan Karger Acked-by: Gert Doering Message-Id: <1473605477-20908-1-git-send-email-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12440.html Signed-off-by: Gert Doering --- doc/openvpn.8 | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index f30cf380c..70573dacb 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -3910,22 +3910,14 @@ Encrypt data channel packets with cipher algorithm The default is .B BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode. -Blowfish has the advantages of being fast, very secure, and allowing key sizes -of up to 448 bits. Blowfish is designed to be used in situations where -keys are changed infrequently. -For more information on blowfish, see -.I http://www.counterpane.com/blowfish.html +Using BF-CBC is no longer recommended, because of it's 64-bit block size. This +small block size allows attacks based on collisions, as demonstrated by SWEET32. -To see other ciphers that are available with -OpenVPN, use the +To see other ciphers that are available with OpenVPN, use the .B \-\-show\-ciphers option. -OpenVPN supports the CBC, CFB, and OFB cipher modes, -however CBC is recommended and CFB and OFB should -be considered advanced modes. - Set .B alg=none to disable encryption. -- 2.47.2
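Review bot: The added sentence "Using BF-CBC is no longer recommended, because of it's 64-bit block size" leaves the reader without a next step. The paragraph above it still states that BF-CBC is the default, and the added lines name no replacement. Suggest adding one sentence that points to a cipher with a 128-bit block size (for example an AES variant listed by --show-ciphers), so a reader of --cipher knows what to set instead. In the same line, "it's" should be "its". The commit message says the text is updated for both NCP and SWEET32, but the three added lines mention only SWEET32. Either add a sentence on how NCP affects the cipher actually used, or drop NCP from the message. Finally, the removed paragraph on CBC, CFB and OFB was the only guidance on cipher modes in this section. If those modes are still accepted, a short note on which one is recommended would keep that guidance.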