[Openvpn-devel,3/4] Revise the cipher negotiation about OpenVPN3 in the man page

Message ID 20230210142712.572303-7-arne@rfc2549.org
State Accepted
Series Collections of miscellaneous patches

Commit Message

Arne Schwabe Feb. 10, 2023, 2:27 p.m. UTC
Newer OpenVPN 3 core versions now allow limited configuration of ciphers:

    // Allow usage of legacy (cipher) algorithm that are no longer considered safe
    // This includes BF-CBC, single DES and RC2 private key encryption.
    // With OpenSSL 3.0 this also instructs OpenSSL to load the legacy provider.
    bool enableLegacyAlgorithms = false;

    // By default modern OpenVPN version (OpenVPN 2.6 and OpenVPN core 3.7) will only allow
    // preferred algorithms (AES-GCM, Chacha20-Poly1305) that also work with the newer DCO
    // implementations. If this is enabled, we fall back to allowing all algorithms (if these are
    // supported by the crypto library)
    bool enableNonPreferredDCAlgorithms = false;

Adjust the man page section accordingly but only really mention that the AEAD ciphers
are always present and that they should be included in the data-ciphers option.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 doc/man-sections/cipher-negotiation.rst | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
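A pre-flight check for the server-side half of this, as an added example that is not part of the patch or of OpenVPN's own code: it parses a 2.x server config's `data-ciphers` (or pre-2.5 `ncp-ciphers`) line and computes which cipher an OpenVPN 3 client would end up with under three modelled client profiles: an older library that announces only AES-256-GCM and AES-128-GCM, a newer one that also announces Chacha20-Poly1305 and has the CBC ciphers off by default, and a newer one with `enableNonPreferredDCAlgorithms` set. Assumptions not taken from this page: the server picks the first entry of its own list that the client also offers, the default used when no `data-ciphers` line is present is modelled as `AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305`, the "non-preferred" set is reduced to the AES-CBC ciphers, only whole-line comments are skipped, and both sample configs are constructed.

```python
"""Pre-flight check of a server's data-ciphers line against what OpenVPN 3
based clients announce.  Added example for this thread, not OpenVPN code."""

# What the man page text says an OpenVPN 3 client always announces, and what
# only newer library versions add.
OPENVPN3_AEAD_ALWAYS = ("AES-256-GCM", "AES-128-GCM")
OPENVPN3_AEAD_NEWER = ("CHACHA20-POLY1305",)

# Modelled (assumption) as the set that enableNonPreferredDCAlgorithms
# re-enables on a newer client; the real set is "everything the crypto
# library supports".
OPENVPN3_NON_PREFERRED = ("AES-256-CBC", "AES-192-CBC", "AES-128-CBC")

# Assumed OpenVPN 2.6 server default when no data-ciphers line is present.
DEFAULT_DATA_CIPHERS = ("AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305")


def parse_data_ciphers(config_text):
    """Return the server's data-ciphers list, upper-cased, in config order.

    ncp-ciphers is the pre-2.5 spelling of the same option.  A later line
    overrides an earlier one.  Only whole-line comments ('#' / ';') are
    skipped; inline comments are not handled (assumption, kept simple).
    Returns None when the option is absent.
    """
    ciphers = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        if parts[0] in ("data-ciphers", "ncp-ciphers") and len(parts) >= 2:
            ciphers = [c.upper() for c in parts[1].split(":") if c]
    return ciphers


def openvpn3_client_ciphers(newer=True, enable_non_preferred=False):
    """Cipher list an OpenVPN 3 client announces under the given build/flags.

    'newer' models a library version that ships Chacha20-Poly1305 and has the
    CBC ciphers off by default; 'enable_non_preferred' models
    enableNonPreferredDCAlgorithms=true on such a client (assumption).
    """
    offered = list(OPENVPN3_AEAD_ALWAYS)
    if newer:
        offered.extend(OPENVPN3_AEAD_NEWER)
        if enable_non_preferred:
            offered.extend(OPENVPN3_NON_PREFERRED)
    return offered


def negotiate(server_ciphers, client_ciphers):
    """Pick the first cipher in the server's own list the client also offers.

    Assumption: the 2.x server's preference order wins.  Returns None when
    the lists do not intersect, i.e. the client cannot connect.
    """
    offered = set(client_ciphers)
    for cipher in server_ciphers:
        if cipher in offered:
            return cipher
    return None


CLIENT_PROFILES = {
    "openvpn3-older": openvpn3_client_ciphers(newer=False),
    "openvpn3-newer": openvpn3_client_ciphers(newer=True),
    "openvpn3-newer+nonpreferred": openvpn3_client_ciphers(newer=True, enable_non_preferred=True),
}


def check_server_config(config_text):
    """Return (effective server list, {profile: negotiated cipher or None})."""
    server = parse_data_ciphers(config_text)
    if server is None:
        server = list(DEFAULT_DATA_CIPHERS)
    return server, {name: negotiate(server, client) for name, client in CLIENT_PROFILES.items()}


# Constructed sample configs (not from the thread).
SERVER_CBC_ONLY = """\
# constructed: a server pinned to a single CBC cipher
port 1194
proto udp
data-ciphers AES-256-CBC
"""

SERVER_AEAD_FIRST = """\
# constructed: AEAD ciphers first, AES-256-CBC kept only for old 2.x clients
port 1194
proto udp
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
"""

if __name__ == "__main__":
    for label, text in (("cbc-only", SERVER_CBC_ONLY), ("aead-first", SERVER_AEAD_FIRST)):
        server, outcome = check_server_config(text)
        print(f"{label}: server offers {':'.join(server)}")
        for profile, chosen in outcome.items():
            print(f"  {profile:28s} -> {chosen or 'NO COMMON CIPHER, connection fails'}")
```

Running it shows the failure mode the man page change is warning about: the CBC-only server has no cipher in common with either default OpenVPN 3 profile and only connects to a client that was explicitly built with the non-preferred algorithms enabled, while the AEAD-first list negotiates AES-256-GCM with every profile and still serves AES-256-CBC to 2.x clients that need it.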

Comments

Frank Lichtenheld Feb. 10, 2023, 5:14 p.m. UTC | #1
On Fri, Feb 10, 2023 at 03:27:10PM +0100, Arne Schwabe wrote:
> Newer OpenVPN 3 core versions now allow limited configuration of ciphers:
> 
>     // Allow usage of legacy (cipher) algorithm that are no longer considered safe
>     // This includes BF-CBC, single DES and RC2 private key encryption.
>     // With OpenSSL 3.0 this also instructs OpenSSL to load the legacy provider.
>     bool enableLegacyAlgorithms = false;
> 
>     // By default modern OpenVPN version (OpenVPN 2.6 and OpenVPN core 3.7) will only allow
>     // preferred algorithms (AES-GCM, Chacha20-Poly1305) that also work with the newer DCO
>     // implementations. If this is enabled, we fall back to allowing all algorithms (if these are
>     // supported by the crypto library)
>     bool enableNonPreferredDCAlgorithms = false;
> 
> Adjust the man page section accordingly but only really mention that the AEAD ciphers
> are always present and that they should be included in the data-ciphers option.
> 
> Signed-off-by: Arne Schwabe <arne@rfc2549.org>
> ---
>  doc/man-sections/cipher-negotiation.rst | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/doc/man-sections/cipher-negotiation.rst b/doc/man-sections/cipher-negotiation.rst
> index b07176cd2..66afeb835 100644
> --- a/doc/man-sections/cipher-negotiation.rst
> +++ b/doc/man-sections/cipher-negotiation.rst
> @@ -42,8 +42,9 @@ options to avoid this behaviour.
>  OpenVPN 3 clients
>  -----------------
>  Clients based on the OpenVPN 3.x library (https://github.com/openvpn/openvpn3/)
> -do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. Instead
> -these clients will announce support for all their supported AEAD ciphers
> +do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. Newer
> +version by default will disable legacy AES-CBC, BF-CBC, and, DES-CBC ciphers.

"versions"
Remove comma in "and,"
Remove "will"

> +These clients will always announce support for all their supported AEAD ciphers
>  (`AES-256-GCM`, `AES-128-GCM` and in newer versions also `Chacha20-Poly1305`).
>  
>  To support OpenVPN 3.x based clients at least one of these ciphers needs to be
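Review bot: the added sentence in this hunk lumps AES-CBC together with BF-CBC and DES-CBC as "legacy", but the commit message quotes two separate OpenVPN 3 switches: `enableLegacyAlgorithms` covers BF-CBC, single DES and RC2 (the algorithms no longer considered safe), while AES-CBC is only gated by `enableNonPreferredDCAlgorithms`, because it is not one of the preferred algorithms that work with DCO, not because it is unsafe. Suggest wording that keeps that distinction, e.g. "Newer versions by default disable the legacy BF-CBC and DES-CBC ciphers as well as the non-DCO AES-CBC ciphers", so a server administrator does not read the man page as saying AES-256-CBC was dropped on security grounds.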
Gert Doering Feb. 14, 2023, 1:45 p.m. UTC | #2
Acked-by: Gert Doering <gert@greenie.muc.de>

"Seems to make sense".  Language fixes from Frank included.

Your patch has been applied to the master and release/2.6 branch.

commit 4da513d584b4e7521de5a47a95cc27fa8a342fd3 (master)
commit cfbfb801e6432382edbbec758335d7c142707206 (release/2.6)
Author: Arne Schwabe
Date:   Fri Feb 10 15:27:10 2023 +0100

     Revise the cipher negotiation about OpenVPN3 in the man page

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20230210142712.572303-7-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26226.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/doc/man-sections/cipher-negotiation.rst b/doc/man-sections/cipher-negotiation.rst
index b07176cd2..66afeb835 100644
--- a/doc/man-sections/cipher-negotiation.rst
+++ b/doc/man-sections/cipher-negotiation.rst
@@ -42,8 +42,9 @@  options to avoid this behaviour.
 OpenVPN 3 clients
 -----------------
 Clients based on the OpenVPN 3.x library (https://github.com/openvpn/openvpn3/)
-do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. Instead
-these clients will announce support for all their supported AEAD ciphers
+do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. Newer
+version by default will disable legacy AES-CBC, BF-CBC, and, DES-CBC ciphers.
+These clients will always announce support for all their supported AEAD ciphers
 (`AES-256-GCM`, `AES-128-GCM` and in newer versions also `Chacha20-Poly1305`).
 
 To support OpenVPN 3.x based clients at least one of these ciphers needs to be
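Review bot: "Newer version by default will disable ..." names no version, while the commit message pins the behaviour to OpenVPN core 3.7 (alongside OpenVPN 2.6 on the 2.x side). Since the sentence that follows tells server operators which ciphers to keep in `--data-ciphers`, the man page should state from which OpenVPN 3 core version the CBC ciphers are off by default, e.g. "OpenVPN 3 core 3.7 and later by default disable ...", so an operator can tell whether a given client will still accept a CBC-only `--data-ciphers` list or whether the AEAD entries are required for it to connect at all.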