From patchwork Sat Aug 15 02:05:21 2020
X-Patchwork-Submitter: Magnus Kroken
X-Patchwork-Id: 1390
From: Magnus Kroken
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 15 Aug 2020 14:05:21 +0200
Message-Id: <20200815120522.1404-2-mkroken@gmail.com>
In-Reply-To: <20200815120522.1404-1-mkroken@gmail.com>
Subject: [Openvpn-devel] [PATCH 1/2] Changes.rst: fix mistyped option names

Signed-off-by: Magnus Kroken --- Changes.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Changes.rst b/Changes.rst index 0aee3603..f67e1d76 100644 --- a/Changes.rst +++ b/Changes.rst 
@@ -34,7 +34,7 @@ Improved Data channel cipher negotiation Removal of BF-CBC support in default configuration: By default OpenVPN 2.5 will only accept AES-256-GCM and AES-128-GCM as data ciphers. OpenVPN 2.4 allows AES-256-GCM,AES-128-GCM and BF-CBC when - no --cipher and --ncp-cipher options are present. Accepting BF-CBC can be + no --cipher and --ncp-ciphers options are present. Accepting BF-CBC can be enabled by adding data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC @@ -101,7 +101,7 @@ Linux VRF support TLS 1.3 support TLS 1.3 support has been added to OpenVPN. Currently, this requires OpenSSL 1.1.1+. - The options ``--tls-cipher-suites`` and ``--tls-groups`` have been + The options ``--tls-ciphersuites`` and ``--tls-groups`` have been added to fine tune TLS protocol options. Most of the improvements were also backported to OpenVPN 2.4 as part of the maintainance releases. @@ -112,7 +112,7 @@ Support setting DHCP search domain wintun support yet). Other platforms need to support this via ``--up`` script (Linux) or GUI (OSX/Tunnelblick). -per-client changing of ``--data-cipher`` or ``data-ciphers-fallback`` +per-client changing of ``--data-ciphers`` or ``data-ciphers-fallback`` from client-connect script/dir (NOTE: this only changes preference of ciphers for NCP, but can not override what the client announces as "willing to accept") 
@@ -213,9 +213,9 @@ User-visible Changes the client configuration almost immediately as result of the faster connection setup feature. -- ``--compression`` is nowadays considered risky, because attacks exist +- ``--compress`` is nowadays considered risky, because attacks exist leveraging compression-inside-crypto to reveal plaintext (VORACLE). So - by default, ``--compression xxx`` will now accept incoming compressed + by default, ``--compress xxx`` will now accept incoming compressed packets (for compatibility with peers that have not been upgraded yet), but will not use compression outgoing packets. This can be controlled with the new option ``--allow-compression yes|no|asym``.
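Review bot: In the first hunk (@@ -34,7), the corrected line still writes the option names as bare text ("no --cipher and --ncp-ciphers options are present"), while the other hunks in this patch put option names in double backticks. Since the line is being touched anyway, consider ``--cipher`` and ``--ncp-ciphers`` here for consistent rendering. The context line above it also reads "AES-256-GCM,AES-128-GCM and BF-CBC" with no space after the comma.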
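Review bot: In the second hunk (@@ -101,7), the trailing context line still has "maintainance releases", two lines below the corrected ``--tls-ciphersuites``. As this patch is a typo pass over Changes.rst, "maintenance" could be fixed in the same commit or noted for a follow-up.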
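Review bot: In the third hunk (@@ -112,7), the corrected line now reads "``--data-ciphers`` or ``data-ciphers-fallback``", so the second option is still missing its leading dashes. Suggest ``--data-ciphers-fallback`` so both names on the line are written the same way and can be copied as shown.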
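Review bot: In the last hunk (@@ -213,9), the context line right after the second corrected ``--compress`` says "but will not use compression outgoing packets", which is missing a word. This sentence states the new default that limits exposure to VORACLE, so it should read unambiguously, for example "will not use compression on outgoing packets"; worth fixing in the same patch.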