[Openvpn-devel] Move deprecation of SWEET32/64bit block size ciphers to 2.7

Message ID 20211213150950.3993881-1-arne@rfc2549.org
State Accepted

Commit Message

Arne Schwabe Dec. 13, 2021, 4:09 a.m. UTC
We originally wanted to deprecate these ciphers (especially BF-CBC) with
2.6 but currently these ciphers are still too widespread to make this
transition for 2.6.
---
 src/openvpn/crypto.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Gert Doering Dec. 13, 2021, 6:45 a.m. UTC | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

As agreed on IRC.  2.6 will already make BF-CBC inconvenient to use
(so, hopefully, more people will migrate off it), but let's not make
it too annoying.

Your patch has been applied to the master branch.

commit 7f2d7dbf986fd7233eabb250b35bf7c3112d3e37
Author: Arne Schwabe
Date:   Mon Dec 13 16:09:50 2021 +0100

     Move deprecation of SWEET32/64bit block size ciphers to 2.7

     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20211213150950.3993881-1-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23402.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Gert Doering Dec. 13, 2021, 8:22 a.m. UTC | #2
Hi,

On Mon, Dec 13, 2021 at 06:45:55PM +0100, Gert Doering wrote:
> Acked-by: Gert Doering <gert@greenie.muc.de>
> 
> As agreed on IRC.  2.6 will already make BF-CBC inconvenient to use
> (so, hopefully, more people will migrate off it), but let's not make
> it too annoying.
> 
> Your patch has been applied to the master branch.

... and release/2.5

> commit 7f2d7dbf986fd7233eabb250b35bf7c3112d3e37
  commit 4e5e687fb63bb8cb72862c33775e88dec844c136 (HEAD -> release/2.5)

> Author: Arne Schwabe
> Date:   Mon Dec 13 16:09:50 2021 +0100
> 
>      Move deprecation of SWEET32/64bit block size ciphers to 2.7
> 
>      Acked-by: Gert Doering <gert@greenie.muc.de>
>      Message-Id: <20211213150950.3993881-1-arne@rfc2549.org>
>      URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23402.html
>      Signed-off-by: Gert Doering <gert@greenie.muc.de>
> 
> 
> --
> kind regards,
> 
> Gert Doering

Patch

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 36f880433..c4cf72a55 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -721,7 +721,7 @@  warn_insecure_key_type(const char *ciphername)
             " bit (%d bit).  This allows attacks like SWEET32.  Mitigate by "
             "using a --cipher with a larger block size (e.g. AES-256-CBC). "
             "Support for these insecure ciphers will be removed in "
-            "OpenVPN 2.6.",
+            "OpenVPN 2.7.",
             ciphername, cipher_kt_block_size(ciphername)*8);
     }
 }
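Review bot: The removal release on the changed line "OpenVPN 2.7." is a literal inside the warning's format string, and the diffstat shows src/openvpn/crypto.c as the only file touched, so any user-facing documentation that still names 2.6 as the removal release would now contradict what warn_insecure_key_type() prints. Worth checking the man page and change notes for the old version in the same series. The wording also differs between the two places: the commit subject moves the "deprecation" to 2.7, while the string says support "will be removed in" 2.7; using one term in both would make clear to operators on BF-CBC which release actually stops accepting 64-bit block ciphers.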