[Openvpn-devel] Adjust cipher-negotiation.rst with compat-mode changes

Message ID 20211202135124.2598645-1-arne@rfc2549.org
State Superseded
Headers show
Series
  • [Openvpn-devel] Adjust cipher-negotiation.rst with compat-mode changes
Related show

Commit Message

Arne Schwabe Dec. 2, 2021, 1:51 p.m.
This explains that 2.6 will ignore --cipher without --compat-mode and
restructures the whole paragraph to better readable.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 doc/man-sections/cipher-negotiation.rst | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

Comments

Frank Lichtenheld Dec. 3, 2021, 4:24 p.m. | #1
> Arne Schwabe <arne@rfc2549.org> hat am 02.12.2021 14:51 geschrieben:
> -OpenVPN 2.5 will only allow the ciphers specified in ``--data-ciphers``. To ensure
> -backwards compatibility also if a cipher is specified using the ``--cipher`` option
> -it is automatically added to this list. If both options are unset the default is
> -:code:`AES-256-GCM:AES-128-GCM`. In 2.6 and later the default is changed to
> +OpenVPN 2.5 and higher will only allow the ciphers specified in ``--data-ciphers``.

"and later" instead of "and higher" to be consistent?

> + If ``--data-ciphers`` is not set the default is :code:`AES-256-GCM:AES-128-GCM`.
> +In 2.6 and later the default is changed to
>  :code:`AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305` when Chacha20-Poly1305 is available.
>  
> +For backwards compatibility OpenVPN 2.6.0 and later with ``--compat-mode 2.4.x``
> +(or lower) or OpenVPN 2.5.x will automatically add a cipher specified using the

"and OpenVPN 2.5" instead of "or" sounds better, I think. Why the ".x" here?

> +``--cipher`` option to this list.
> +

Regards,
  Frank

--
Frank Lichtenheld

Patch

diff --git a/doc/man-sections/cipher-negotiation.rst b/doc/man-sections/cipher-negotiation.rst
index 423b5ab6a..6e872962a 100644
--- a/doc/man-sections/cipher-negotiation.rst
+++ b/doc/man-sections/cipher-negotiation.rst
@@ -15,12 +15,15 @@  with a AUTH_FAILED message (as seen in client log):
 
     AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)
 
-OpenVPN 2.5 will only allow the ciphers specified in ``--data-ciphers``. To ensure
-backwards compatibility also if a cipher is specified using the ``--cipher`` option
-it is automatically added to this list. If both options are unset the default is
-:code:`AES-256-GCM:AES-128-GCM`. In 2.6 and later the default is changed to
+OpenVPN 2.5 and higher will only allow the ciphers specified in ``--data-ciphers``.
+ If ``--data-ciphers`` is not set the default is :code:`AES-256-GCM:AES-128-GCM`.
+In 2.6 and later the default is changed to
 :code:`AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305` when Chacha20-Poly1305 is available.
 
+For backwards compatibility OpenVPN 2.6.0 and later with ``--compat-mode 2.4.x``
+(or lower) or OpenVPN 2.5.x will automatically add a cipher specified using the
+``--cipher`` option to this list.
+
 OpenVPN 2.4 clients
 -------------------
 The negotiation support in OpenVPN 2.4 was the first iteration of the implementation