From patchwork Mon Mar 25 07:15:20 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gert Doering X-Patchwork-Id: 3667 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:c315:b0:55c:c090:46f0 with SMTP id jk21csp2272560mab; Mon, 25 Mar 2024 00:15:58 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCWfpcv6/HNx4Wv+b+5XytpJSgxs4puGolXKZHhdXHd/+N5Mo8xQf98ssM6TfHCAXCVpKXrFEVqPviNgDypT2KqeE5jbV98= X-Google-Smtp-Source: AGHT+IEvLPgFUVZaj/kSU3UTHkt4eP+i6WMbWahOSf4FJSe7YfulFlW4sKQvJvijWBDMOxkSMBEj X-Received: by 2002:a05:6a00:2d02:b0:6ea:88a2:af80 with SMTP id fa2-20020a056a002d0200b006ea88a2af80mr9119490pfb.1.1711350958435; Mon, 25 Mar 2024 00:15:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1711350958; cv=none; d=google.com; s=arc-20160816; b=pXeRMqg/8JRer+4Q+p3j40nYxVCM4BKeWN9JSTAcZ57b2Ylq9IsejMmMMSmAhHIp0K hgQ3O3xHl5/sme9vbKL8Ckpzr/a7k+ZN7GWktRUkAAVPjrc30g8UGUQbRuIDfjcH5OgC S1mMYTwwXgLO28NoaRyTtapRrOBdhYYokuGJmejYl3vHwJE0gQZdoTB0rptEvBVB3ltT P7enAKufVYTYKEI+GozcbuhJ+n4oX8Pgk5wNkJFJ8k2pY2TX55CeW+wL234w75+oE+eg e85/j7OBT9Ty4PLfjmuJUaT4VZQ895KodLEexdRAQ5dB0mCtSune6yoCWstyJ2qAMAjj 1KCQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature; bh=0zQWLU9sGWibyewNKkIc3Eimhr1x9yIIHmOhsp6bV24=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=jj5N19h5+87jLPN60m4rVF3thb0y7VSWa9Y9PGFM174/1EguW2or0JuYDxoNGh88NZ kNH4aOQzCbpbExi/CSifqbWLr91IxBSyeseii7K3+Z3c5QjvpbVmaoxQIP3nMpzflCP5 OnVjwlW5qU/HSB1Cl7Wnfonbs6ORof/Ju7ABIPDEYGUtf7Rf1Ah5oguTuSYY2SsBYlxs q45H+LJy0QSP0qkPJ12xPxfDzKXU3AR6FfQFeIgvoxsTgFtlilyo5W2oJTjaQinHxCAS i0Eo7fmJiUf27183d3eSXfn84GSYkvXfxb3kU6m0vjcdLbh1YrvM7uDLgTUDAPwOjhdj FtKQ==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b="kZy0jQ/9"; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=d1zaZVlo; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id it20-20020a056a00459400b006e63f027285si4598995pfb.19.2024.03.25.00.15.58 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 25 Mar 2024 00:15:58 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b="kZy0jQ/9"; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=d1zaZVlo; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1roeYN-0001Zo-1w; Mon, 25 Mar 2024 07:15:31 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1roeYJ-0001ZP-Nr for openvpn-devel@lists.sourceforge.net; Mon, 25 Mar 2024 07:15:28 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=3wtPo/oqix2kiihrL82Lv+DWN98RINLn9mISaOk/Diw=; b=kZy0jQ/9ebE29kpvDKkTfMp/A4 YeA2qQFcyXNPryOwkuWegcrJPDpc38o7p8nQBALwr8CXFfbpikpXz10dnXtdiGfYtbO7mMY9PLh72 gSCbgpigQuGx7Hvq6R3EpA+YHvfx0D4FNqtKJt0MmYtll3lz7kV5iZ7IJtpcLwtjijMg=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=3wtPo/oqix2kiihrL82Lv+DWN98RINLn9mISaOk/Diw=; b=d1zaZVlohW5ho8cs08WeaHRwP3 uiIjus2izdCDyNxKv3aLaJWdAi/kGk+K/SXlvfZgI/q7GvFmjGmGpNoc3s3JqYzSG0Egt4tU5g3Ou EpqfiUKip6uz0mvRBxUCObrK1SQMRuytj5N54ET/0F3OAIa05aIouHTqVRaH690AHXVM=; Received: from dhcp-174.greenie.muc.de ([193.149.48.174] helo=blue.greenie.muc.de) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1roeYJ-0000gD-5X for openvpn-devel@lists.sourceforge.net; Mon, 25 Mar 2024 07:15:28 +0000 Received: from blue.greenie.muc.de (localhost [127.0.0.1]) by blue.greenie.muc.de (8.17.1.9/8.17.1.9) with ESMTP id 42P7FKIX012527 for ; Mon, 25 Mar 2024 08:15:20 +0100 Received: (from gert@localhost) by blue.greenie.muc.de (8.17.1.9/8.17.1.9/Submit) id 42P7FK59012526 for openvpn-devel@lists.sourceforge.net; Mon, 25 Mar 2024 08:15:20 +0100 From: Gert Doering To: openvpn-devel@lists.sourceforge.net Date: Mon, 25 Mar 2024 08:15:20 +0100 Message-ID: <20240325071520.12513-1-gert@greenie.muc.de> X-Mailer: git-send-email 2.43.2 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: -0.0 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Frank Lichtenheld Previously the sections "Encryption Options" and "Data channel cipher negotiation" were on the same level as "OPTIONS", which makes no sense. Instead move them and their subsections one level down. Content analysis details: (-0.0 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record -0.0 SPF_HELO_PASS SPF: HELO matches SPF record X-Headers-End: 1roeYJ-0000gD-5X Subject: [Openvpn-devel] [PATCH v2] documentation: make section levels consistent X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1794481542620062226?= X-GMAIL-MSGID: =?utf-8?q?1794481542620062226?= From: Frank Lichtenheld Previously the sections "Encryption Options" and "Data channel cipher negotiation" were on the same level as "OPTIONS", which makes no sense. Instead move them and their subsections one level down. Use ` since that was already in use in section "Virtual Routing and Forwarding". Change-Id: Ib5a7f9a978bda5ad58830e43580232660401f66d Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/527 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/doc/man-sections/cipher-negotiation.rst b/doc/man-sections/cipher-negotiation.rst index 949ff86..1285e82 100644 --- a/doc/man-sections/cipher-negotiation.rst +++ b/doc/man-sections/cipher-negotiation.rst @@ -1,12 +1,12 @@ Data channel cipher negotiation -=============================== +------------------------------- OpenVPN 2.4 and higher have the capability to negotiate the data cipher that is used to encrypt data packets. This section describes the mechanism in more detail and the different backwards compatibility mechanism with older server and clients. OpenVPN 2.5 and later behaviour --------------------------------- +``````````````````````````````` When both client and server are at least running OpenVPN 2.5, that the order of the ciphers of the server's ``--data-ciphers`` is used to pick the data cipher. That means that the first cipher in that list that is also in the client's @@ -25,7 +25,7 @@ ``--cipher`` option to this list. OpenVPN 2.4 clients -------------------- +``````````````````` The negotiation support in OpenVPN 2.4 was the first iteration of the implementation and still had some quirks. Its main goal was "upgrade to AES-256-GCM when possible". An OpenVPN 2.4 client that is built against a crypto library that supports AES in GCM @@ -40,7 +40,7 @@ options to avoid this behaviour. OpenVPN 3 clients ------------------ +````````````````` Clients based on the OpenVPN 3.x library (https://github.com/openvpn/openvpn3/) do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. Newer versions by default disable legacy AES-CBC, BF-CBC, and DES-CBC ciphers. @@ -52,7 +52,7 @@ OpenVPN 2.3 and older clients (and clients with ``--ncp-disable``) ------------------------------------------------------------------- +`````````````````````````````````````````````````````````````````` When a client without cipher negotiation support connects to a server the cipher specified with the ``--cipher`` option in the client configuration must be included in the ``--data-ciphers`` option of the server to allow @@ -65,7 +65,7 @@ cipher used by the client is necessary. OpenVPN 2.4 server ------------------- +`````````````````` When a client indicates support for `AES-128-GCM` and `AES-256-GCM` (with ``IV_NCP=2``) an OpenVPN 2.4 server will send the first cipher of the ``--ncp-ciphers`` to the OpenVPN client regardless of what @@ -76,7 +76,7 @@ those ciphers are present. OpenVPN 2.3 and older servers (and servers with ``--ncp-disable``) ------------------------------------------------------------------- +`````````````````````````````````````````````````````````````````` The cipher used by the server must be included in ``--data-ciphers`` to allow the client connecting to a server without cipher negotiation support. @@ -89,7 +89,7 @@ cipher used by the server is necessary. Blowfish in CBC mode (BF-CBC) deprecation ------------------------------------------- +````````````````````````````````````````` The ``--cipher`` option defaulted to `BF-CBC` in OpenVPN 2.4 and older version. The default was never changed to ensure backwards compatibility. In OpenVPN 2.5 this behaviour has now been changed so that if the ``--cipher`` diff --git a/doc/man-sections/encryption-options.rst b/doc/man-sections/encryption-options.rst index 3b26782..49385d6 100644 --- a/doc/man-sections/encryption-options.rst +++ b/doc/man-sections/encryption-options.rst @@ -1,8 +1,8 @@ Encryption Options -================== +------------------ SSL Library information ------------------------ +``````````````````````` --show-ciphers (Standalone) Show all cipher algorithms to use with the ``--cipher`` @@ -32,7 +32,7 @@ ``--ecdh-curve`` and ``tls-groups`` options. Generating key material ------------------------ +``````````````````````` --genkey args (Standalone) Generate a key to be used of the type keytype. if keyfile diff --git a/doc/man-sections/pkcs11-options.rst b/doc/man-sections/pkcs11-options.rst index de1662b..dfc27af 100644 --- a/doc/man-sections/pkcs11-options.rst +++ b/doc/man-sections/pkcs11-options.rst @@ -1,5 +1,5 @@ PKCS#11 / SmartCard options ---------------------------- +``````````````````````````` --pkcs11-cert-private args Set if access to certificate object should be performed after login. diff --git a/doc/man-sections/renegotiation.rst b/doc/man-sections/renegotiation.rst index c548440..1e7c340 100644 --- a/doc/man-sections/renegotiation.rst +++ b/doc/man-sections/renegotiation.rst @@ -1,5 +1,5 @@ Data Channel Renegotiation --------------------------- +`````````````````````````` When running OpenVPN in client/server mode, the data channel will use a separate ephemeral encryption key which is rotated at regular intervals. diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index 460cecf..de74c0d 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -1,5 +1,5 @@ TLS Mode Options ----------------- +```````````````` TLS mode is the most powerful crypto mode of OpenVPN in both security and flexibility. TLS mode works by establishing control and data