| Message ID | 20211202135124.2598645-1-arne@rfc2549.org |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [Openvpn-devel] Adjust cipher-negotiation.rst with compat-mode changes | expand |
> Arne Schwabe <arne@rfc2549.org> hat am 02.12.2021 14:51 geschrieben: > -OpenVPN 2.5 will only allow the ciphers specified in ``--data-ciphers``. To ensure > -backwards compatibility also if a cipher is specified using the ``--cipher`` option > -it is automatically added to this list. If both options are unset the default is > -:code:`AES-256-GCM:AES-128-GCM`. In 2.6 and later the default is changed to > +OpenVPN 2.5 and higher will only allow the ciphers specified in ``--data-ciphers``. "and later" instead of "and higher" to be consistent? > + If ``--data-ciphers`` is not set the default is :code:`AES-256-GCM:AES-128-GCM`. > +In 2.6 and later the default is changed to > :code:`AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305` when Chacha20-Poly1305 is available. > > +For backwards compatibility OpenVPN 2.6.0 and later with ``--compat-mode 2.4.x`` > +(or lower) or OpenVPN 2.5.x will automatically add a cipher specified using the "and OpenVPN 2.5" instead of "or" sounds better, I think. Why the ".x" here? > +``--cipher`` option to this list. > + Regards, Frank -- Frank Lichtenheld
diff --git a/doc/man-sections/cipher-negotiation.rst b/doc/man-sections/cipher-negotiation.rst index 423b5ab6a..6e872962a 100644 --- a/doc/man-sections/cipher-negotiation.rst +++ b/doc/man-sections/cipher-negotiation.rst @@ -15,12 +15,15 @@ with a AUTH_FAILED message (as seen in client log): AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher) -OpenVPN 2.5 will only allow the ciphers specified in ``--data-ciphers``. To ensure -backwards compatibility also if a cipher is specified using the ``--cipher`` option -it is automatically added to this list. If both options are unset the default is -:code:`AES-256-GCM:AES-128-GCM`. In 2.6 and later the default is changed to +OpenVPN 2.5 and higher will only allow the ciphers specified in ``--data-ciphers``. + If ``--data-ciphers`` is not set the default is :code:`AES-256-GCM:AES-128-GCM`. +In 2.6 and later the default is changed to :code:`AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305` when Chacha20-Poly1305 is available. +For backwards compatibility OpenVPN 2.6.0 and later with ``--compat-mode 2.4.x`` +(or lower) or OpenVPN 2.5.x will automatically add a cipher specified using the +``--cipher`` option to this list. + OpenVPN 2.4 clients ------------------- The negotiation support in OpenVPN 2.4 was the first iteration of the implementation
This explains that 2.6 will ignore --cipher without --compat-mode and restructures the whole paragraph to better readable. Signed-off-by: Arne Schwabe <arne@rfc2549.org> --- doc/man-sections/cipher-negotiation.rst | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-)