ACK. Although I thought that Steffan wrote a patch to include that information, we should really have that in our man page.
Also I think the 64 bit cipher warning is not strong enough: WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size. I think we should reference SWEET32 there too. E.g.: WARNING: this cipher's block size is less than 128 bit (64 bit) and susceptible to attacks such as SWEET32 (http://community.openvpn.net/openvpn/wiki/SWEET32). Consider using a --cipher with a larger block size.

On 05.10.16 at 14:48, David Sommerseth wrote:
> We should no longer make users believe Blowfish is a 'very secure' cipher. > Update this section to reflect our recommendations after the SWEET32 > announcement. > > Trac: #732 > Signed-off-by: David Sommerseth <dav...@openvpn.net> > --- > doc/openvpn.8 | 14 ++++++++++---- > 1 file changed, 10 insertions(+), 4 deletions(-) > > diff --git a/doc/openvpn.8 b/doc/openvpn.8 > index 2d15944..657985c 100644 > --- a/doc/openvpn.8 > +++ b/doc/openvpn.8 
> @@ -4110,14 +4110,20 @@ Encrypt data channel packets with cipher algorithm > The default is > .B BF-CBC, > an abbreviation for Blowfish in Cipher Block Chaining mode. > -Blowfish has the advantages of being fast, very secure, and allowing key > sizes > +Blowfish has the advantages of being fast, and allowing key sizes > of up to 448 bits. Blowfish is designed to be used in situations where > keys are changed infrequently. > > -For more information on blowfish, see > -.I http://www.counterpane.com/blowfish.html > +Blowfish was considered very secure for a long time. But recent attacks > described > +in the SWEET32 discovery makes it very unsuitable. If you depend on Blowfish > +today, at least enable more aggressive renegotiation of the tunnel (set > +.B \-\-reneg-bytes > +to maximum 64MB) and start planning a migration to one of the now > recommended AES > +ciphers. For more information, see: > > -To see other ciphers that are available with > +.I http://community.openvpn.net/openvpn/wiki/SWEET32 > + > +To see all ciphers that are available with > OpenVPN, use the > .B \-\-show\-ciphers > option.
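Review bot: the new paragraph contradicts the sentence the hunk keeps right above it: "Blowfish is designed to be used in situations where keys are changed infrequently." is retained while the added text now tells users to renegotiate more aggressively (set --reneg-bytes to at most 64MB), so that sentence should be dropped or rewritten to say why frequent rekeying is now needed (the 64 bit block size bounds how much data may safely be encrypted under one key). Two smaller points in the same hunk: "recent attacks described in the SWEET32 discovery makes it very unsuitable" should read "make it unsuitable as a default", and ".B \-\-reneg-bytes" leaves the inner hyphen unescaped while the neighbouring ".B \-\-show\-ciphers" escapes it; "one of the now recommended AES ciphers" would also be more useful if the man page named them or pointed to the section that does.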