Previously the sections "Encryption Options" and
"Data channel cipher negotiation" were on the same
level as "OPTIONS", which makes no sense. Instead
move them and their subsections one level down.
Use ` since that was already in use in section
"Virtual Routing and Forwarding".
Change-Id: Ib5a7f9a978bda5ad58830e43580232660401f66d
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240325071520.12513-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28453.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Newer OpenVPN 3 core versions now allow limited configuration of ciphers:
// Allow usage of legacy (cipher) algorithm that are no longer
// considered safe
// This includes BF-CBC, single DES and RC2 private key encryption.
// With OpenSSL 3.0 this also instructs OpenSSL to load the legacy
// provider.
bool enableLegacyAlgorithms = false;
// By default modern OpenVPN version (OpenVPN 2.6 and OpenVPN core
// 3.7) will only allow
// preferred algorithms (AES-GCM, Chacha20-Poly1305) that also work
// with the newer DCO
// implementations. If this is enabled, we fall back to allowing all
// algorithms (if these are
// supported by the crypto library)
bool enableNonPreferredDCAlgorithms = false;
Adjust the man page section accordingly but only really mention the AEAD
ciphers to be always present and that they should be included in the
data-ciphers option.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230210142712.572303-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26226.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Fix various formatting inconsistencies
- Remove outdated (as of 2.6) information from
--data-ciphers and instead add a link to
cipher negotiation chapter.
- Some drive-by fixes in related code comments
and log messages as I was reading them.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220628080814.745-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24575.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Indentation is wrong and triggers the following:
rst2man.py openvpn.8.rst > openvpn.8
man-sections/cipher-negotiation.rst:20: (WARNING/2) Definition list ends
without a blank line; unexpected unindent.
rst2man.py openvpn-examples.5.rst > openvpn-examples.5
rst2html.py openvpn.8.rst > openvpn.8.html
man-sections/cipher-negotiation.rst:20: (WARNING/2) Definition list ends
without a blank line; unexpected unindent.
Get rid of it.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220110144013.7233-1-a@unstable.cc>
URL: https://www.mail-archive.com/search?l=mid&q=20220110144013.7233-1-a@unstable.cc
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This explains that 2.6 will ignore --cipher without --compat-mode and
restructures the whole paragraph to better readable.
Patch V2: Adjust grammar, use consistently "and later"
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20211213152529.3995394-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23403.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Most TLS 1.3 libraries inlcude the Chacha20-Poly1305 based cipher suite
beside the AES-GCM based ones int he list of default ciphers suites.
Chacha20-Poly1305 is accepted as good alternative AEAD algorithm to the
AES-GCM algorithm by crypto community.
Follow this and include Chacha20-Poly1305 by default in data-ciphers
when available. This makes picking Chacha20-Poly1305 easier as it only
requires to change server (by changing priority) or client side (removing
AES-GCM from data-ciphers) to change to Chacha20-Poly1305.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210818213354.687736-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22745.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Explain the IV_NCP=2 client situation in 2.4 a bit better.
- Make more clear what exact versions are meant in the old client section
- add a missing - in a heading
Thanks to Richard Bohnhomme for initial proof reading.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200812085412.19178-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20714.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This adds a section in the man page that details the various behaviour
of older client/servers when using OpenVPN 2.5.
Patch V2: Include grammar/spelling fixes from
Richard Bonhomme <tincanteksup@gmail.com>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200810090032.4220-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20660.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
