author Antonio Quartulli 2021-09-04 11:56:26 +0200
committer Gert Doering 2021-09-20 14:30:45 +0200
commit 65f6da8eeb84fbcea357765e13fa73d0169a143c (patch)
tree 9395551348e38e5f5dfa46d294b4ed2f710286df /doc
parent c768ee96b49a3df459f584d6050802312815deec (diff)
do not include --cipher value in data-ciphers
The --cipher option has been there for a while, but it became more and more confusing since the introduction of NCP (data cipher negotiation).

The fallback cipher can now be specified via --data-cipher-fallback, while the list of accepted ciphers is specified via --data-ciphers. --cipher can still be used for compatibility reasons, but won't affect the cipher negotiation.

Adjust manpage to make clear that using --cipher in today's config really is a thing from the past, and --data-ciphers should be used instead.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210904095629.6273-5-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22799.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
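An added example, not part of this commit or of the OpenVPN project's own documentation, putting the legacy ``--cipher`` line next to the two options the commit message points to. The cipher names, the ordering and the choice of AES-256-CBC as the fallback are assumptions for illustration; use whatever your peers actually support.

```conf
# Legacy style: one fixed data-channel cipher. Per this patch, in 2.6
# this line no longer selects the TLS-mode data cipher (it only matters
# for --secret mode or a 2.4.x-or-lower compatibility mode); it is kept
# here only so old peers see the same value and do not warn about MTU.
cipher AES-256-CBC

# Current style: ordered list of ciphers acceptable to NCP (assumed names).
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305

# Cipher to use when negotiation cannot take place (peer too old, or
# negotiation disabled). Must match what that peer has configured.
data-ciphers-fallback AES-256-CBC
```

With this layout a modern peer negotiates one of the ``data-ciphers`` entries and never touches the ``cipher`` line; only a non-negotiating peer falls back to ``data-ciphers-fallback``.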
Diffstat (limited to 'doc')
-rw-r--r-- doc/man-sections/generic-options.rst 2
-rw-r--r-- doc/man-sections/protocol-options.rst 42
2 files changed, 24 insertions, 20 deletions
diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst
index a8d2457..8b26cd1 100644
--- a/doc/man-sections/generic-options.rst
+++ b/doc/man-sections/generic-options.rst
@@ -66,6 +66,8 @@ which mode OpenVPN is configured as.
- 2.5.x or lower: ``--allow-compression asym`` is automatically added
to the configuration if no other compression options are present.
+ - 2.4.x or lower: The cipher in ``--cipher`` is appended to
+ ``--data-ciphers``
--config file
Load additional config options from ``file`` where each line corresponds
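Review bot: the new item "2.4.x or lower: The cipher in ``--cipher`` is appended to ``--data-ciphers``" ends without a period while the preceding "2.5.x or lower" item in the same list ends with one; add the period for consistency. This bullet is now the only place in the manual that says when ``--cipher`` still feeds negotiation, so it would help to spell out the converse as well, e.g. "In newer compatibility modes the ``--cipher`` value is not added to ``--data-ciphers``", which is the behaviour the rewritten ``--cipher`` text in protocol-options.rst relies on.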
diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst
index 3ae09a5..4125b26 100644
--- a/doc/man-sections/protocol-options.rst
+++ b/doc/man-sections/protocol-options.rst
@@ -57,26 +57,28 @@ configured in a compatible way between both the local and remote side.
http://www.cs.ucsd.edu/users/mihir/papers/hmac.html
--cipher alg
- This option is deprecated for server-client mode. ``--data-ciphers``
- or possibly `--data-ciphers-fallback`` should be used instead.
-
- Encrypt data channel packets with cipher algorithm ``alg``.
-
- The default is :code:`BF-CBC`, an abbreviation for Blowfish in Cipher
- Block Chaining mode. When cipher negotiation (NCP) is allowed,
- OpenVPN 2.4 and newer on both client and server side will automatically
- upgrade to :code:`AES-256-GCM`. See ``--data-ciphers`` for more details
- on NCP.
-
- Using :code:`BF-CBC` is no longer recommended, because of its 64-bit
- block size. This small block size allows attacks based on collisions, as
- demonstrated by SWEET32. See
- https://community.openvpn.net/openvpn/wiki/SWEET32
- for details. Due to this, support for :code:`BF-CBC`, :code:`DES`,
- :code:`CAST5`, :code:`IDEA` and :code:`RC2` ciphers will be removed in
- OpenVPN 2.6.
-
- To see other ciphers that are available with OpenVPN, use the
+ This option should not be used any longer in TLS mode and still
+ exists for two reasons:
+ * compatibility with old configurations still carrying it
+ around;
+ * allow users connecting to OpenVPN peers older than 2.6.0
+ to have ``--cipher`` configured the same way as the remote
+ counterpart. This can avoid MTU/frame size warnings.
+ Before 2.4.0, this option was used to select the cipher to be
+ configured on the data channel, however, later versions usually
+ ignored this directive in favour of a negotiated cipher.
+ Starting with 2.6.0, this option is always ignored in TLS mode
+ when it comes to configuring the cipher and will only control the
+ cipher for ``--secret`` pre-shared-key mode (note: this mode is
+ deprecated strictly not recommended).
+
+ If you wish to specify the cipher to use on the data channel,
+ please see ``--data-ciphers`` (for regular negotiation) and
+ ``--data-ciphers-fallback`` (for a fallback option when the
+ negotiation cannot take place because the other peer is old or
+ has negotiation disabled).
+
+ To see ciphers that are available with OpenVPN, use the
``--show-ciphers`` option.
Set ``alg`` to :code:`none` to disable encryption.
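Review bot: "Starting with 2.6.0, this option is always ignored in TLS mode when it comes to configuring the cipher" contradicts the generic-options hunk of this same patch, which says that for compatibility modes of 2.4.x or lower the ``--cipher`` value is appended to ``--data-ciphers``; qualify it, e.g. "ignored in TLS mode unless a 2.4.x-or-lower compatibility mode is selected, in which case its value is appended to ``--data-ciphers``". Two smaller points in the same block: the parenthetical "(note: this mode is deprecated strictly not recommended)" is missing a conjunction ("deprecated and strictly not recommended"), and the bullet list ("* compatibility with old configurations ..." / "* allow users connecting ...") appears without a blank line before it (after "exists for two reasons:") or after it (before "Before 2.4.0, this option ..."), which docutils needs to recognise a bullet list inside the option's indented block; check that the rendered man page shows a list and not a run-on paragraph. Finally, the removed text carried the SWEET32 / 64-bit block size warning and the list of ciphers scheduled for removal in 2.6 (BF-CBC, DES, CAST5, IDEA, RC2); if that material does not already live under ``--data-ciphers``, consider keeping the https://community.openvpn.net/openvpn/wiki/SWEET32 pointer here, since ``--cipher`` still controls ``--secret`` mode, where the removed text documented BF-CBC as the default.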