From patchwork Mon Feb 21 00:19:33 2022
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 2307
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 21 Feb 2022 12:19:33 +0100
Message-Id: <20220221111933.1314-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH] doc: cleanup for --data-ciphers and related

- Fix various formatting inconsistencies
- Explain what NCP means before using it.
- Also replace some of the usages of NCP with the clearer "cipher negotiation".

Signed-off-by: Frank Lichtenheld
Acked-By: David Sommerseth
---
 doc/man-sections/protocol-options.rst | 34 +++++++++++++--------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst
index 1c6b1200..4af65983 100644
--- a/doc/man-sections/protocol-options.rst
+++ b/doc/man-sections/protocol-options.rst
@@ -73,7 +73,7 @@ configured in a compatible way between both the local and remote side. Starting with 2.6.0, this option is always ignored in TLS mode when it comes to configuring the cipher and will only control the cipher for ``--secret`` pre-shared-key mode (note: this mode is - deprecated strictly not recommended). + deprecated and strictly not recommended). If you wish to specify the cipher to use on the data channel, please see ``--data-ciphers`` (for regular negotiation) and @@ -87,8 +87,8 @@ configured in a compatible way between both the local and remote side. Set ``alg`` to :code:`none` to disable encryption. --compress algorithm - **DEPRECATED** Enable a compression algorithm. Compression is generally - not recommended. VPN tunnels which use compression are susceptible to + **DEPRECATED** Enable a compression algorithm. Compression is generally + not recommended. VPN tunnels which use compression are susceptible to the VORALCE attack vector. See also the :code:`migrate` parameter below. The ``algorithm`` parameter may be :code:`lzo`, :code:`lz4`, @@ -191,7 +191,8 @@ configured in a compatible way between both the local and remote side. For servers, the first cipher from ``cipher-list`` that is also supported by the client will be pushed to clients that support cipher - negotiation. + negotiation. (That feature is also called ``Negotiable crypto parameters`` + or ``NCP`` for short). Starting with OpenVPN 2.6 a cipher can be prefixed with a :code:`?` to mark it as optional. This allows including ciphers in the list that may not be 
@@ -201,25 +202,25 @@ configured in a compatible way between both the local and remote side. supports it. Cipher negotiation is enabled in client-server mode only. I.e. if - ``--mode`` is set to 'server' (server-side, implied by setting + ``--mode`` is set to `server` (server-side, implied by setting ``--server`` ), or if ``--pull`` is specified (client-side, implied by - setting --client). + setting ``--client``). If no common cipher is found during cipher negotiation, the connection is terminated. To support old clients/old servers that do not provide any cipher negotiation support see ``--data-ciphers-fallback``. - Additionally, to allow for more smooth transition, if NCP is enabled, + Additionally, to allow for more smooth transition, if ciper negotiation is enabled, OpenVPN will inherit the cipher of the peer if that cipher is different from the local ``--cipher`` setting, but the peer cipher is one of the ciphers specified in ``--data-ciphers``. E.g. a non-NCP client (<=v2.3, - or with --ncp-disabled set) connecting to a NCP server (v2.4+) with + or 2.4/2.5 with ``--ncp-disabled`` set) connecting to a NCP server (v2.4+) with ``--cipher BF-CBC`` and ``--data-ciphers AES-256-GCM:AES-256-CBC`` set can either specify ``--cipher BF-CBC`` or ``--cipher AES-256-CBC`` and both will work. - Note for using NCP with an OpenVPN 2.4 peer: This list must include the - :code:`AES-256-GCM` and :code:`AES-128-GCM` ciphers. + Note for using cipher negoatiation with an OpenVPN 2.4 peer: This list must + include the :code:`AES-256-GCM` and :code:`AES-128-GCM` ciphers. This list is restricted to be 127 chars long after conversion to OpenVPN ciphers. 
@@ -228,14 +229,13 @@ configured in a compatible way between both the local and remote side. to ``--data-ciphers`` in OpenVPN 2.5 to more accurately reflect its meaning. --data-ciphers-fallback alg + Configure a cipher that is used to fall back to if we could not determine + which cipher the peer is willing to use. - Configure a cipher that is used to fall back to if we could not determine - which cipher the peer is willing to use. - - This option should only be needed to - connect to peers that are running OpenVPN 2.3 and older version, and - have been configured with `--enable-small` - (typically used on routers or other embedded devices). + This option should only be needed to + connect to peers that are running OpenVPN 2.3 or older versions, and + have been configured with ``--enable-small`` + (typically used on routers or other embedded devices). --secret args **DEPRECATED** Enable Static Key encryption mode (non-TLS). Use pre-shared secret
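Review bot: in the @@ -87,8 hunk the unchanged context line directly after the two reflowed lines still reads "the VORALCE attack vector"; the attack is named VORACLE, and since this paragraph is already being touched for whitespace, fixing the spelling in the same hunk avoids a separate follow-up patch.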
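Review bot: in the @@ -191,7 hunk the added parenthetical capitalises "That" inside the parentheses and places the sentence period after the closing parenthesis, and it wraps a plain English term in double backticks, which reStructuredText renders as an inline literal; elsewhere in this file double backticks are reserved for option names such as ``--data-ciphers``. Suggest: `negotiation (this feature is also called Negotiable Crypto Parameters, or NCP for short).`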
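Review bot: the @@ -201,25 hunk introduces two spelling errors in lines it rewrites: "if ciper negotiation is enabled" should read "cipher negotiation", and "Note for using cipher negoatiation" should read "cipher negotiation". The same hunk replaces 'server' with single-backtick `server`, which RST renders with the default interpreted-text role rather than as a literal; the surrounding text uses :code:`...` for values (e.g. :code:`none`), so :code:`server` would match. The rewritten "Additionally, to allow for more smooth transition, if ciper negotiation is enabled," line is also noticeably longer than its neighbours and could be reflowed ("a smoother transition" would read better as well).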
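Review bot: in the @@ -228,14 hunk the re-added lines "This option should only be needed to" / "connect to peers that are running OpenVPN 2.3 or older versions, and" keep the awkward break after "to" from the removed text; since these lines are being rewritten anyway, reflowing the paragraph would read better. The other changes in the hunk (dropping the blank line after the option name to match the neighbouring entries, "2.3 or older versions", and double backticks around ``--enable-small``) look right.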