Newer OpenVPN 3 core versions now allow limited configuration of ciphers:
// Allow usage of legacy (cipher) algorithm that are no longer considered safe
// This includes BF-CBC, single DES and RC2 private key encryption.
// With OpenSSL 3.0 this also instructs OpenSSL to load the legacy provider.
bool enableLegacyAlgorithms = false;

// By default modern OpenVPN version (OpenVPN 2.6 and OpenVPN core 3.7) will only allow
// preferred algorithms (AES-GCM, Chacha20-Poly1305) that also work with the newer DCO
// implementations. If this is enabled, we fall back to allowing all algorithms (if these are
// supported by the crypto library)
bool enableNonPreferredDCAlgorithms = false;
Adjust the man page section accordingly but only really mention the AEAD ciphers
to be always present and that they should be included in the data-ciphers
option.
Signed-off-by: Arne Schwabe <[email protected]>
---
doc/man-sections/cipher-negotiation.rst | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/doc/man-sections/cipher-negotiation.rst
b/doc/man-sections/cipher-negotiation.rst
index b07176cd2..66afeb835 100644
--- a/doc/man-sections/cipher-negotiation.rst
+++ b/doc/man-sections/cipher-negotiation.rst
@@ -42,8 +42,9 @@ options to avoid this behaviour.
OpenVPN 3 clients
-----------------
Clients based on the OpenVPN 3.x library (https://github.com/openvpn/openvpn3/)
-do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option.
Instead
-these clients will announce support for all their supported AEAD ciphers
+do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option.
Newer
+version by default will disable legacy AES-CBC, BF-CBC, and, DES-CBC ciphers.
+These clients will always announce support for all their supported AEAD ciphers
(`AES-256-GCM`, `AES-128-GCM` and in newer versions also `Chacha20-Poly1305`).
To support OpenVPN 3.x based clients at least one of these ciphers needs to be
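Review bot: the added line "Newer version by default will disable legacy AES-CBC, BF-CBC, and, DES-CBC ciphers." has a stray comma after "and" and a singular/plural mismatch; suggest "Newer versions by default disable the legacy AES-CBC, BF-CBC and DES-CBC ciphers." Since the commit message shows these are only gated behind the enableLegacyAlgorithms / enableNonPreferredDCAlgorithms toggles rather than removed, consider adding "unless legacy algorithms are explicitly enabled in the client" so server operators reading this section understand that the AEAD ciphers are the only ones they can rely on being offered, not that CBC support is gone.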
--
2.37.1 (Apple Git-137.1)
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel