author | Arne Schwabe | 2023-02-10 15:27:10 +0100 |
---|---|---|
committer | Gert Doering | 2023-02-14 14:42:50 +0100 |
commit | 4da513d584b4e7521de5a47a95cc27fa8a342fd3 (patch) | |
tree | f77bd73e7b88836b75012e15a6342584be93a16f | |
parent | 9719393b7cf94d37f3706ca32c02433e8578599b (diff) | |
download | openvpn-4da513d584b4e7521de5a47a95cc27fa8a342fd3.zip openvpn-4da513d584b4e7521de5a47a95cc27fa8a342fd3.tar.gz |
Revise the cipher negotiation info about OpenVPN3 in the man page
Newer OpenVPN 3 core versions now allow limited configuration of ciphers:
// Allow usage of legacy (cipher) algorithms that are no longer
// considered safe.
// This includes BF-CBC, single DES and RC2 private key encryption.
// With OpenSSL 3.0 this also instructs OpenSSL to load the legacy
// provider.
bool enableLegacyAlgorithms = false;
// By default modern OpenVPN versions (OpenVPN 2.6 and OpenVPN core
// 3.7) will only allow preferred algorithms (AES-GCM,
// Chacha20-Poly1305) that also work with the newer DCO
// implementations. If this is enabled, we fall back to allowing all
// algorithms (if these are supported by the crypto library).
bool enableNonPreferredDCAlgorithms = false;
Adjust the man page section accordingly but only really mention the AEAD
ciphers to be always present and that they should be included in the
data-ciphers option.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230210142712.572303-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26226.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
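The man page change above boils down to one operational rule for 2.x server operators: the list given to ``data-ciphers`` must contain at least one of the AEAD ciphers that OpenVPN 3 clients always announce, and any CBC ciphers in that list will not be usable by newer OpenVPN 3 clients unless the client explicitly re-enables them. The following linter is an added example, not code from the OpenVPN project or from this commit: it parses a 2.x server config, resolves ``data-ciphers`` (or its older alias ``ncp-ciphers``), and reports whether OpenVPN 3 clients can negotiate a cipher. Assumptions: the 2.6 default list used when ``data-ciphers`` is absent is taken as ``AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305``; the legacy set is limited to the BF-CBC and single/triple DES ciphers named in the commit message; ``cipher`` and ``data-ciphers-fallback`` are deliberately ignored because they do not affect what OpenVPN 3 clients negotiate. Both sample configs are constructed.

```python
"""Check an OpenVPN 2.x server config for OpenVPN 3 client compatibility.

Added example (not OpenVPN project code). Reports whether the negotiated
cipher list contains an AEAD cipher and flags ciphers that newer OpenVPN 3
core versions disable by default.
"""
import re

# Ciphers that every OpenVPN 3.x client announces (per the man page text).
AEAD_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}

# Assumption: OpenVPN 2.6 default used when no data-ciphers line is present.
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]

# Ciphers gated behind enableLegacyAlgorithms in OpenVPN 3 core
# (assumption: BF-CBC plus single and triple DES, as named in the commit).
LEGACY_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC"}


def parse_config(text):
    """Parse an OpenVPN config into {option: [arg-list, ...]}.

    Skips comment lines (# or ;) and the bodies of inline <tag>...</tag>
    blocks such as <tls-auth>, and folds ncp-ciphers into data-ciphers
    since OpenVPN treats them as the same option.
    """
    opts = {}
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            in_block = m.group(1)
            continue
        parts = line.split()
        key = "data-ciphers" if parts[0] == "ncp-ciphers" else parts[0]
        opts.setdefault(key, []).append(parts[1:])
    return opts


def negotiated_ciphers(opts):
    """Return the cipher list the server offers during negotiation (last wins)."""
    for args in reversed(opts.get("data-ciphers", [])):
        if args:
            return [c.upper() for c in args[0].split(":") if c]
    return list(DEFAULT_DATA_CIPHERS)


def check_openvpn3_compat(config_text):
    """Return (ok, findings): ok is True iff an AEAD cipher is offered."""
    offered = negotiated_ciphers(parse_config(config_text))
    aead = [c for c in offered if c in AEAD_CIPHERS]
    findings = []
    if not aead:
        findings.append("no AEAD cipher in data-ciphers; OpenVPN 3 clients "
                        "cannot negotiate a data channel cipher")
    for c in offered:
        if c in LEGACY_CIPHERS:
            findings.append(f"{c}: legacy cipher, disabled by default in "
                            "newer OpenVPN 3 core")
        elif c not in AEAD_CIPHERS:
            findings.append(f"{c}: non-preferred cipher, not offered by "
                            "newer OpenVPN 3 core by default")
    return bool(aead), findings


# Constructed sample: CBC-only list, breaks OpenVPN 3 clients.
WEAK_CONF = """\
port 1194
proto udp
dev tun
data-ciphers AES-256-CBC:BF-CBC
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Constructed sample: AEAD ciphers first, one CBC cipher kept for old 2.x clients.
FIXED_CONF = """\
port 1194
proto udp
dev tun
# ncp-ciphers is the older name for the same option
ncp-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        ok, findings = check_openvpn3_compat(conf)
        print(f"{name}: {'OK' if ok else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

Run it against a real ``server.conf`` by reading the file into ``check_openvpn3_compat``; a ``False`` result means OpenVPN 3 based clients (the official mobile apps and OpenVPN Connect) will fail cipher negotiation regardless of what the client's own configuration says.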
-rw-r--r-- | doc/man-sections/cipher-negotiation.rst | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/doc/man-sections/cipher-negotiation.rst b/doc/man-sections/cipher-negotiation.rst index b07176c..888ffa6 100644 --- a/doc/man-sections/cipher-negotiation.rst +++ b/doc/man-sections/cipher-negotiation.rst @@ -42,8 +42,9 @@ options to avoid this behaviour. OpenVPN 3 clients ----------------- Clients based on the OpenVPN 3.x library (https://github.com/openvpn/openvpn3/) -do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. Instead -these clients will announce support for all their supported AEAD ciphers +do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. Newer +versions by default disable legacy AES-CBC, BF-CBC, and DES-CBC ciphers. +These clients will always announce support for all their supported AEAD ciphers (`AES-256-GCM`, `AES-128-GCM` and in newer versions also `Chacha20-Poly1305`). To support OpenVPN 3.x based clients at least one of these ciphers needs to be |
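Review bot: the added sentence "Newer versions by default disable legacy AES-CBC, BF-CBC, and DES-CBC ciphers" is vague about which versions and lumps AES-CBC in with the legacy ciphers, while the commit message itself distinguishes two knobs: AES-CBC is gated by enableNonPreferredDCAlgorithms (non-preferred, non-DCO), whereas BF-CBC and DES are gated by enableLegacyAlgorithms (legacy, OpenSSL legacy provider). Since the commit message names OpenVPN core 3.7, suggest naming it and separating the two cases, e.g. "Clients built on OpenVPN 3 core 3.7 and newer by default offer only the AEAD ciphers listed below; AES-CBC is disabled as a non-preferred cipher and BF-CBC and DES-CBC as legacy ciphers, unless the client explicitly re-enables them." The old "Instead" sentence was also the only text saying these clients cannot be told to use a narrower list; the new "These clients will always announce support" keeps that meaning, so the rewrite is otherwise fine.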