[Openvpn-devel] Gently push users towards --data-ciphers in --show-ciphers output

Message ID E1k011A-0002yw-6u@sfs-ml-2.v29.lw.sourceforge.com
State Accepted

Commit Message

Steffan Karger July 27, 2020, 1:09 a.m. UTC
Also:
 * fix a typo in the openssl output ("may be use*d*")
 * mention GCM before CBC (we prefer AEAD modes)

Signed-off-by: Steffan Karger <steffan.karger@foxcrypto.com>
---
 src/openvpn/crypto_mbedtls.c |  5 +++--
 src/openvpn/crypto_openssl.c | 10 +++++-----
 2 files changed, 8 insertions(+), 7 deletions(-)

Comments

Arne Schwabe July 27, 2020, 1:33 a.m. UTC | #1
On 27.07.20 at 13:09, Steffan Karger wrote:
> Also:
>  * fix a typo in the openssl output ("may be use*d*")
>  * mention GCM before CBC (we prefer AEAD modes)

Looks good and we missed ncp-ciphers there, so I did not catch it in my
rename commit. Thanks

Acked-By: Arne Schwabe <arne@rfc2549.org>

Patch

diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
index 19a87eb4..fbb1f120 100644
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -149,8 +149,9 @@  show_available_ciphers(void)
 #ifndef ENABLE_SMALL
     printf("The following ciphers and cipher modes are available for use\n"
            "with " PACKAGE_NAME ".  Each cipher shown below may be used as a\n"
-           "parameter to the --cipher option.  Using a CBC or GCM mode is\n"
-           "recommended.  In static key mode only CBC mode is allowed.\n\n");
+           "parameter to the --data-ciphers (or --cipher) option.  Using a\n"
+           "GCM or CBC mode is recommended.  In static key mode only CBC\n"
+           "mode is allowed.\n\n");
 #endif
 
     while (*ciphers != 0)
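
Review bot: In the added lines of show_available_ciphers(), "GCM or CBC mode is recommended" only swaps the order of the two modes, so the output still presents them as equally recommended, while the commit message gives the reason as "we prefer AEAD modes". If the goal is to steer users towards AEAD, state the preference in the text itself, for example "Using a GCM (AEAD) mode is recommended; CBC is also supported", and keep the static key mode sentence as it is.
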
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index c47c2f3c..c60d4a54 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -287,11 +287,11 @@  show_available_ciphers(void)
     size_t num_ciphers = 0;
 #ifndef ENABLE_SMALL
     printf("The following ciphers and cipher modes are available for use\n"
-           "with " PACKAGE_NAME ".  Each cipher shown below may be use as a\n"
-           "parameter to the --cipher option.  The default key size is\n"
-           "shown as well as whether or not it can be changed with the\n"
-           "--keysize directive.  Using a CBC or GCM mode is recommended.\n"
-           "In static key mode only CBC mode is allowed.\n\n");
+           "with " PACKAGE_NAME ".  Each cipher shown below may be used as a\n"
+           "parameter to the --data-ciphers (or --cipher) option.  The\n"
+           "default key size is shown as well as whether or not it can be\n"
+           "changed with the --keysize directive.  Using a GCM or CBC mode\n"
+           "is recommended.  In static key mode only CBC mode is allowed.\n\n");
 #endif
 
     for (nid = 0; nid < 10000; ++nid)
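
Review bot: The --keysize sentence in the added text is carried over unchanged while the option named first is now --data-ciphers, so the help no longer makes clear which option the default key size and --keysize relate to. Please confirm that --keysize has an effect on ciphers selected through --data-ciphers; if it only applies to --cipher, say so in that sentence. Separately, the "may be use" typo existed only in this copy of the text, so the two backends' intro strings have already drifted; sharing the common sentences between crypto_mbedtls.c and crypto_openssl.c would prevent that.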