| author | Antonio Quartulli | 2021-09-04 11:56:26 +0200 |
|---|---|---|
| committer | Gert Doering | 2021-09-20 14:30:45 +0200 |
| commit | 65f6da8eeb84fbcea357765e13fa73d0169a143c | |
| tree | 9395551348e38e5f5dfa46d294b4ed2f710286df (/doc) | |
| parent | c768ee96b49a3df459f584d6050802312815deec | |
do not include --cipher value in data-ciphers
The --cipher option has been there for a while, but it became more and
more confusing since the introduction of NCP (data cipher negotiation).
The fallback cipher can now be specified via --data-cipher-fallback,
while the list of accepted ciphers is specified via --data-ciphers.
--cipher can still be used for compatibility reasons, but won't affect
the cipher negotiation.
Adjust manpage to make clear that using --cipher in today's config really
is a thing from the past, and --data-ciphers should be used instead.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210904095629.6273-5-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22799.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'doc')

 doc/man-sections/generic-options.rst  |  2
 doc/man-sections/protocol-options.rst | 42
 2 files changed, 24 insertions, 20 deletions
diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index a8d2457..8b26cd1 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -66,6 +66,8 @@ which mode OpenVPN is configured as. - 2.5.x or lower: ``--allow-compression asym`` is automatically added to the configuration if no other compression options are present. + - 2.4.x or lower: The cipher in ``--cipher`` is appended to + ``--data-ciphers`` --config file Load additional config options from ``file`` where each line corresponds diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst index 3ae09a5..4125b26 100644 --- a/doc/man-sections/protocol-options.rst +++ b/doc/man-sections/protocol-options.rst 
@@ -57,26 +57,28 @@ configured in a compatible way between both the local and remote side. http://www.cs.ucsd.edu/users/mihir/papers/hmac.html --cipher alg - This option is deprecated for server-client mode. ``--data-ciphers`` - or possibly `--data-ciphers-fallback`` should be used instead. - - Encrypt data channel packets with cipher algorithm ``alg``. - - The default is :code:`BF-CBC`, an abbreviation for Blowfish in Cipher - Block Chaining mode. When cipher negotiation (NCP) is allowed, - OpenVPN 2.4 and newer on both client and server side will automatically - upgrade to :code:`AES-256-GCM`. See ``--data-ciphers`` for more details - on NCP. - - Using :code:`BF-CBC` is no longer recommended, because of its 64-bit - block size. This small block size allows attacks based on collisions, as - demonstrated by SWEET32. See - https://community.openvpn.net/openvpn/wiki/SWEET32 - for details. Due to this, support for :code:`BF-CBC`, :code:`DES`, - :code:`CAST5`, :code:`IDEA` and :code:`RC2` ciphers will be removed in - OpenVPN 2.6. - - To see other ciphers that are available with OpenVPN, use the + This option should not be used any longer in TLS mode and still + exists for two reasons: + * compatibility with old configurations still carrying it + around; + * allow users connecting to OpenVPN peers older than 2.6.0 + to have ``--cipher`` configured the same way as the remote + counterpart. This can avoid MTU/frame size warnings. + Before 2.4.0, this option was used to select the cipher to be + configured on the data channel, however, later versions usually + ignored this directive in favour of a negotiated cipher. + Starting with 2.6.0, this option is always ignored in TLS mode + when it comes to configuring the cipher and will only control the + cipher for ``--secret`` pre-shared-key mode (note: this mode is + deprecated strictly not recommended). 
+ + If you wish to specify the cipher to use on the data channel, + please see ``--data-ciphers`` (for regular negotiation) and + ``--data-ciphers-fallback`` (for a fallback option when the + negotiation cannot take place because the other peer is old or + has negotiation disabled). + + To see ciphers that are available with OpenVPN, use the ``--show-ciphers`` option. Set ``alg`` to :code:`none` to disable encryption. |
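Review bot: in the generic-options.rst hunk, the new bullet ``- 2.4.x or lower: The cipher in ``--cipher`` is appended to ``--data-ciphers``` ends without a full stop, unlike the ``2.5.x or lower`` bullet directly above it, and it does not say whether anything is appended when the config carries no ``--cipher`` at all. Suggest closing the sentence and making the precondition explicit, e.g. ``- 2.4.x or lower: If ``--cipher`` is set, its cipher is appended to ``--data-ciphers``.`` so that readers of the compatibility list know the shim only acts on an explicitly configured legacy cipher.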
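Review bot: in the protocol-options.rst hunk, the line ``+ exists for two reasons:`` is followed directly by ``+ * compatibility with old configurations still carrying it`` with no blank ``+`` line in between; reStructuredText requires a blank line between a paragraph and a bullet list, otherwise docutils either folds the two bullets into the paragraph text or reports an "Unexpected indentation" error, so insert an empty ``+`` line before the first ``*``. Two wording fixes in the same block: ``(note: this mode is deprecated strictly not recommended)`` is missing a conjunction and should read ``deprecated and strictly not recommended``, and ``configured on the data channel, however, later versions`` is a comma splice that reads better as ``configured on the data channel; later versions``. Finally, the removed paragraph was the only text in this section that warned about the 64-bit block size of :code:`BF-CBC` (SWEET32, https://community.openvpn.net/openvpn/wiki/SWEET32) and about the planned removal of :code:`BF-CBC`, :code:`DES`, :code:`CAST5`, :code:`IDEA` and :code:`RC2` in 2.6; since the new text states that ``--cipher`` still selects the data-channel cipher in ``--secret`` mode, a user of that mode can still configure one of those ciphers, so consider keeping a one-line pointer to the SWEET32 page here or moving the warning under ``--data-ciphers`` rather than dropping it.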