There are still some support tickets related to SWEET32 and
our default enforced --reneg-bytes 64 when using weaker ciphers
(less than 128-bits cipher blocks). Try to clarify this even
more.
Also fix a few mistakes, saying less than 128-bits and not 128-bits
and less.
Signed-off-by: David Sommerseth
---
Changes.rst | 6 +++---
doc/openvpn.8 | 13 ++---
2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/Changes.rst b/Changes.rst
index 3e3aaad..1c0154c 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -57,10 +57,10 @@ Improved UTF-8 support
Behavioral changes
--
-- OpenVPN will complain loudly about ciphers with 128-bits block sizes or less
+- OpenVPN will complain loudly about ciphers with block sizes less than
128-bits
- OpenVPN will by default re-negotiate the tunnel after 64MB when used with
- ciphers using cipher blocks of 128-bits or less
+ ciphers using cipher blocks sizes less than 128-bits
- Remove --enable-password-save option to configure, this is now always enabled
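Review bot: the second bullet's new wording reads "ciphers using cipher blocks sizes less than 128-bits", which mixes plural "blocks" with "sizes"; it should be "ciphers using cipher block sizes less than 128-bits", matching the phrasing used in the openvpn.8 hunk of the same patch.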
@@ -121,7 +121,7 @@ Version 2.3.13
Ciphers with cipher blocks less than 128 bits will now do a renegotiation
of the tunnel by default for every 64MB of data. This behaviour can be
- overridden by explictly setting --reneg-bytes 0 in the configuration file,
+ overridden by explicitly setting --reneg-bytes 0 in the configuration file,
however this is HIGHLY discouraged.
This is to reduce the risk for SWEET32 attacks. The general recommendation
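Review bot: the typo fix is correct, but note the context line in this hunk writes "less than 128 bits" while the Behavioral changes hunk above writes "128-bits"; since both are in Changes.rst, pick one spelling (the unhyphenated "128 bits" is the usual form when it is not used as an adjective) so the file stays consistent.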
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 2140733..6063ccd 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4612,11 +4612,18 @@ such as TCP expect this role to be left to them.
.B \-\-reneg\-bytes n
Renegotiate data channel key after
.B n
-bytes sent or received (disabled by default).
+bytes sent or received (disabled by default with an exception, see below).
OpenVPN allows the lifetime of a key
-to be expressed as a number of bytes encrypted/decrypted, a number of packets,
or
-a number of seconds. A key renegotiation will be forced
+to be expressed as a number of bytes encrypted/decrypted, a number of packets,
+or a number of seconds. A key renegotiation will be forced
if any of these three criteria are met by either peer.
+
+If using ciphers with cipher block sizes less than 128-bits, \-\-reneg\-bytes
is
+set to 64MB by default, unless it is explicitly disabled by setting the value
to
+0,but this is
+.B HIGHLY DISCOURAGED
+as this is designed to add some protection against the SWEET32 attack vector.
+For more information see the \-\-cipher option.
.\"*
.TP
.B \-\-reneg\-pkts n
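Review bot: the added text has a missing space after the comma in "0,but this is", and the sentence "as this is designed to add some protection" leaves "this" ambiguous; consider "0, but this is HIGHLY DISCOURAGED as the 64MB default exists to add some protection against the SWEET32 attack vector." Two smaller style points: a bare empty "+" line in roff source produces a blank output line, and the man page elsewhere separates paragraphs with ".PP" rather than blank lines; and the closing reference to the cipher option would be more consistent with the rest of the page as ".B \-\-cipher" on its own line.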
--
1.8.3.1
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel