From patchwork Fri Feb 16 10:45:44 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "plaisthos (Code Review)" X-Patchwork-Id: 3621 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:a042:b0:554:adf7:68e6 with SMTP id bi2csp950962mab; Fri, 16 Feb 2024 02:46:16 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCUiKDEFtLBd21+6Cz96oI9DRTmXRtZ6YT2ssKQJbuoy7QI4HR/5lujxKrP4WPk0jcbUjPOdesth/AG6W83p7DWNFpBvCbc= X-Google-Smtp-Source: AGHT+IG37h+E4/n2E0LvAroXHPa/b0CMcY+e/vMeqFfAiG6lkIO5TAiB0pm3qjVEFvkNhKCh7hZX X-Received: by 2002:a05:6358:5925:b0:178:9f1d:65e9 with SMTP id g37-20020a056358592500b001789f1d65e9mr1982545rwf.2.1708080376127; Fri, 16 Feb 2024 02:46:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1708080376; cv=none; d=google.com; s=arc-20160816; b=rlWOMeehM9+dIhbUt8QE4S8NDM2v/a4FsBucd0Qu9xsR2ENTYe362OTOXNd4RKvl1c /DjzWpJbj8nH/1ntckx2rmaGjyg1tE/5KJ8zA57KlM/CpAB1W7i6YclEfyO4DyWie4WR Goiu6IiBNnhAfFSJmmUSPy6q32sa8tvroYCOE0KcCP7gH1ndSj6ggOolUC9k2VJl2KME 6o3mhsyvnHya2q/SDoAmfVoJ+Yt6I4lDFoUc8X5xqj0BON9vDO7htME56ojKsxZv7CGc 97hAuTv6r+ZURRJuQC8T/25jR5StS18Wy9YD3f6p7LEtIxGP3GxuGaE8LC/qpecvhFKT GAQA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:cc:reply-to:list-subscribe:list-help:list-post :list-archive:list-unsubscribe:list-id:precedence:subject:user-agent :mime-version:message-id:references:auto-submitted:to:date:from :dkim-signature:dkim-signature:dkim-signature; bh=+OJxxTjNzaWeJXG0S2TPg+CySiG2xT+Z74Okg7pgRME=; fh=GFP4qDxgyJ2WEPo/oeLZg3Mj4NqvY1j2nTvTt7psNwg=; b=Qur5+HiXtByiw/uFGNnDu+1niOPf6JWyvw7lROfcHkGQfy++ivPHKNBoP1ySufuQrn WD+TU8CUe800cHOhKpjzLWFMyOwFwo9KtPGvpI3EiVuotIJHXFkCr3BEAzV9ejxNkIxh A0H0yLzQAhkWu7pN9XliKDVZ0UoBcXzyHfuDfbCo/fTaeRASLcLxayJy3p3eizr/rLwp 0kbuz+TOCJbuaAlrL8ND5Ayuxzy7/eLoPoFNbTHCotOGwnbU3CbaiTg3fmcjBPFX1/Sv z10rKoKJnEWEorKdDKhVh22K7pxlVs4hvFZ5DFJJDft4MrGb/Ib9zhDXWnMjjtN4+ruX yKYg==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=YYXhNPy+; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=UKWTESbG; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=VEEjhjL8; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id u20-20020a656714000000b005d8e2f56d82si2787791pgf.867.2024.02.16.02.46.15 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 16 Feb 2024 02:46:16 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=YYXhNPy+; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=UKWTESbG; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=VEEjhjL8; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1ravjA-0007K5-5H; Fri, 16 Feb 2024 10:45:56 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1ravj9-0007Jt-2K for openvpn-devel@lists.sourceforge.net; Fri, 16 Feb 2024 10:45:55 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Type:Content-Transfer-Encoding:MIME-Version :Message-ID:Reply-To:References:Subject:List-Unsubscribe:List-Id:Cc:To:Date: From:Sender:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help: List-Subscribe:List-Post:List-Owner:List-Archive; bh=fK8BL+kPIBbGMGdGb1i50/pHMp9sNvdYpPHKV4NZSns=; b=YYXhNPy+7B5wyicBWPglrTUasW R1yhx63lHJxgfQQPioietOxVnnTRG9UhRAIded+XZ+PsneUrXk9vswKjbG5vX/B+hMBSURApniVgZ XBULNvsIOYUoxNOlzJ2K9DWX8dkzNr6WesTOXfpKSwnOiz6EzZYt4q+CGFKfFBxvqpbQ=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Reply-To: References:Subject:List-Unsubscribe:List-Id:Cc:To:Date:From:Sender:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help:List-Subscribe:List-Post: List-Owner:List-Archive; bh=fK8BL+kPIBbGMGdGb1i50/pHMp9sNvdYpPHKV4NZSns=; b=U KWTESbGEAJudfWwgPTLeZTaOciU5QnF+wIfEsg2we5YG5u+EKbIrXMJeZ8hUWrD3TwfBTTBm2a/Z2 x1q9vsxBS62P/nYU3N3rraECF7J745i9GNGswTGuH9rv1DNwRxLhaRt6yFTkp8VlWMWkE6K5fOVpv BFkXhVMJAKBeeHUM=; Received: from mail-wm1-f45.google.com ([209.85.128.45]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95) id 1ravj4-0003SL-Gq for openvpn-devel@lists.sourceforge.net; Fri, 16 Feb 2024 10:45:55 +0000 Received: by mail-wm1-f45.google.com with SMTP id 5b1f17b1804b1-40fd72f7125so15217845e9.1 for ; Fri, 16 Feb 2024 02:45:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openvpn.net; s=google; t=1708080345; x=1708685145; darn=lists.sourceforge.net; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from:from:to:cc :subject:date:message-id:reply-to; bh=fK8BL+kPIBbGMGdGb1i50/pHMp9sNvdYpPHKV4NZSns=; b=VEEjhjL8TI4/on/1Lp1AUcLKduZn/Ut0cKLQ+wclYUdImm9rkUVI+E8LVq+5+/ISWs Hwa/wm+61s0r1vOczx0lZowI66LYGiSM+aqYVgQ5MDk7I224jMmM9a8fsOekhbavXQjM 5MVupM/Zopsjf80gPh8yQ6h7c/umihXLhadCsX9Fwbc08ZkmdjORBgK+UfFNhj4DI7H0 ciP7XlBy12CbSauDvI2izDQjXdj2g1aew3Z09ZMBGx8EsDxW1bXICZxKlk16qsd84hYj 5w645fefdysdQ4Lus7Hr8U3mQlnRpOFFDHHSVBi1Ako36m5Bwh4pQrMopsxcK90SJjNf W6+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708080345; x=1708685145; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=fK8BL+kPIBbGMGdGb1i50/pHMp9sNvdYpPHKV4NZSns=; b=ofASAqvXLHlv+dij1tf8PSUxNjl3wqpDm9E9yKCgs57LpHvzju6WL+eSNwEbz2j8tq YT9TiABsI4RLNJlbGzMlK53aX7GCrQPnGpHpSWbJqtLGrcH0D7tuK52Ycgm6qftj+nS3 fs8fpfc3+jSrY0sT2pcX7xgoUxfHR5pe6/PrjiJLWJjnjDLKTd8m7gej5TXRDnvuOC27 zxbdb72GlvrABCDf+Gd/wDpc8jj0pDUrGZsKc1w3A1HJW3xcQC802JqkOGCGxYr4udJk hsKlJ7FIDZUc7njXOIUOLN6rJBE/ODlvryWQxnKp/juP+youOGYLHxzH5N1/pH0RzHlG hSWQ== X-Gm-Message-State: AOJu0YyRI9XiTCE/T9ZIwqiVR2TcJwPQPwQlxvc/bd0FFWavtevP5Aq7 poZ8SVWBCNNmT1RXn+EQ85gI3T1J2IDPDPQde+Y2JSZZI7OKOrLfJgUawg6RaN9cHdizD3PfID3 s X-Received: by 2002:adf:a184:0:b0:33d:2013:4ed0 with SMTP id u4-20020adfa184000000b0033d20134ed0mr725451wru.39.1708080345320; Fri, 16 Feb 2024 02:45:45 -0800 (PST) Received: from gerrit.openvpn.in (ec2-18-159-0-78.eu-central-1.compute.amazonaws.com. [18.159.0.78]) by smtp.gmail.com with ESMTPSA id ci3-20020a5d5d83000000b0033cf2063052sm1832217wrb.111.2024.02.16.02.45.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 16 Feb 2024 02:45:44 -0800 (PST) From: "flichtenheld (Code Review)" X-Google-Original-From: "flichtenheld (Code Review)" X-Gerrit-PatchSet: 1 Date: Fri, 16 Feb 2024 10:45:44 +0000 To: plaisthos Auto-Submitted: auto-generated X-Gerrit-MessageType: newchange X-Gerrit-Change-Id: Ib5a7f9a978bda5ad58830e43580232660401f66d X-Gerrit-Change-Number: 527 X-Gerrit-Project: openvpn X-Gerrit-ChangeURL: X-Gerrit-Commit: 0b0dc4bda33d9535818e7264d2d58dead03c447b References: Message-ID: <102cdf04fd1bfc4dc0ddd7ebfd354bdd2f00c408-HTML@gerrit.openvpn.net> MIME-Version: 1.0 User-Agent: Gerrit/3.8.2 X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Attention is currently required from: plaisthos. Hello plaisthos, I'd like you to do a code review. Please visit Content analysis details: (-0.2 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.128.45 listed in wl.mailspike.net] -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.128.45 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 WEIRD_PORT URI: Uses non-standard port number for HTTP 0.0 HTML_MESSAGE BODY: HTML included in message 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.0 T_SCC_BODY_TEXT_LINE No description available. 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML X-Headers-End: 1ravj4-0003SL-Gq Subject: [Openvpn-devel] [S] Change in openvpn[master]: documentation: make section levels consistent X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: frank@lichtenheld.com, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net Cc: openvpn-devel Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1791052088436376544?= X-GMAIL-MSGID: =?utf-8?q?1791052088436376544?= X-getmail-filter-classifier: gerrit message type newchange Attention is currently required from: plaisthos. Hello plaisthos, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/527?usp=email to review the following change. Change subject: documentation: make section levels consistent ...................................................................... documentation: make section levels consistent Previously the sections "Encryption Options" and "Data channel cipher negotiation" were on the same level as "OPTIONS", which makes no sense. Instead move them and their subsections one level down. Use ` since that was already in use in section "Virtual Routing and Forwarding". Change-Id: Ib5a7f9a978bda5ad58830e43580232660401f66d Signed-off-by: Frank Lichtenheld --- M doc/man-sections/cipher-negotiation.rst M doc/man-sections/encryption-options.rst M doc/man-sections/pkcs11-options.rst M doc/man-sections/renegotiation.rst M doc/man-sections/tls-options.rst 5 files changed, 14 insertions(+), 14 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/27/527/1 diff --git a/doc/man-sections/cipher-negotiation.rst b/doc/man-sections/cipher-negotiation.rst index 888ffa6..2a95119 100644 --- a/doc/man-sections/cipher-negotiation.rst +++ b/doc/man-sections/cipher-negotiation.rst @@ -1,12 +1,12 @@ Data channel cipher negotiation -=============================== +------------------------------- OpenVPN 2.4 and higher have the capability to negotiate the data cipher that is used to encrypt data packets. This section describes the mechanism in more detail and the different backwards compatibility mechanism with older server and clients. OpenVPN 2.5 and later behaviour --------------------------------- +``````````````````````````````` When both client and server are at least running OpenVPN 2.5, that the order of the ciphers of the server's ``--data-ciphers`` is used to pick the the data cipher. That means that the first cipher in that list that is also in the client's @@ -25,7 +25,7 @@ ``--cipher`` option to this list. OpenVPN 2.4 clients -------------------- +``````````````````` The negotiation support in OpenVPN 2.4 was the first iteration of the implementation and still had some quirks. Its main goal was "upgrade to AES-256-GCM when possible". An OpenVPN 2.4 client that is built against a crypto library that supports AES in GCM @@ -40,7 +40,7 @@ options to avoid this behaviour. OpenVPN 3 clients ------------------ +````````````````` Clients based on the OpenVPN 3.x library (https://github.com/openvpn/openvpn3/) do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. Newer versions by default disable legacy AES-CBC, BF-CBC, and DES-CBC ciphers. @@ -52,7 +52,7 @@ OpenVPN 2.3 and older clients (and clients with ``--ncp-disable``) ------------------------------------------------------------------- +`````````````````````````````````````````````````````````````````` When a client without cipher negotiation support connects to a server the cipher specified with the ``--cipher`` option in the client configuration must be included in the ``--data-ciphers`` option of the server to allow @@ -65,7 +65,7 @@ cipher used by the client is necessary. OpenVPN 2.4 server ------------------- +`````````````````` When a client indicates support for `AES-128-GCM` and `AES-256-GCM` (with ``IV_NCP=2``) an OpenVPN 2.4 server will send the first cipher of the ``--ncp-ciphers`` to the OpenVPN client regardless of what @@ -76,7 +76,7 @@ those ciphers are present. OpenVPN 2.3 and older servers (and servers with ``--ncp-disable``) ------------------------------------------------------------------- +`````````````````````````````````````````````````````````````````` The cipher used by the server must be included in ``--data-ciphers`` to allow the client connecting to a server without cipher negotiation support. @@ -89,7 +89,7 @@ cipher used by the server is necessary. Blowfish in CBC mode (BF-CBC) deprecation ------------------------------------------- +````````````````````````````````````````` The ``--cipher`` option defaulted to `BF-CBC` in OpenVPN 2.4 and older version. The default was never changed to ensure backwards compatibility. In OpenVPN 2.5 this behaviour has now been changed so that if the ``--cipher`` diff --git a/doc/man-sections/encryption-options.rst b/doc/man-sections/encryption-options.rst index 3b26782..49385d6 100644 --- a/doc/man-sections/encryption-options.rst +++ b/doc/man-sections/encryption-options.rst @@ -1,8 +1,8 @@ Encryption Options -================== +------------------ SSL Library information ------------------------ +``````````````````````` --show-ciphers (Standalone) Show all cipher algorithms to use with the ``--cipher`` @@ -32,7 +32,7 @@ ``--ecdh-curve`` and ``tls-groups`` options. Generating key material ------------------------ +``````````````````````` --genkey args (Standalone) Generate a key to be used of the type keytype. if keyfile diff --git a/doc/man-sections/pkcs11-options.rst b/doc/man-sections/pkcs11-options.rst index de1662b..dfc27af 100644 --- a/doc/man-sections/pkcs11-options.rst +++ b/doc/man-sections/pkcs11-options.rst @@ -1,5 +1,5 @@ PKCS#11 / SmartCard options ---------------------------- +``````````````````````````` --pkcs11-cert-private args Set if access to certificate object should be performed after login. diff --git a/doc/man-sections/renegotiation.rst b/doc/man-sections/renegotiation.rst index c548440..1e7c340 100644 --- a/doc/man-sections/renegotiation.rst +++ b/doc/man-sections/renegotiation.rst @@ -1,5 +1,5 @@ Data Channel Renegotiation --------------------------- +`````````````````````````` When running OpenVPN in client/server mode, the data channel will use a separate ephemeral encryption key which is rotated at regular intervals. diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index 460cecf..de74c0d 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -1,5 +1,5 @@ TLS Mode Options ----------------- +```````````````` TLS mode is the most powerful crypto mode of OpenVPN in both security and flexibility. TLS mode works by establishing control and data