Browse code
documentation: make section levels consistent
Previously the sections "Encryption Options" and
"Data channel cipher negotiation" were on the same
level as "OPTIONS", which makes no sense. Instead
move them and their subsections one level down.
Use ` since that was already in use in section
"Virtual Routing and Forwarding".
Change-Id: Ib5a7f9a978bda5ad58830e43580232660401f66d
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240325071520.12513-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28453.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3fdf5aa04f7b96a3b7110f75306306ac5d7ed5fd)
Frank Lichtenheld authored on 2024/03/25 16:15:20Showing 5 changed files
- doc/man-sections/cipher-negotiation.rst
- doc/man-sections/encryption-options.rst
- doc/man-sections/pkcs11-options.rst
- doc/man-sections/renegotiation.rst
- doc/man-sections/tls-options.rst
| ... | ... |
@@ -1,12 +1,12 @@ |
| 1 | 1 |
Data channel cipher negotiation |
| 2 |
-=============================== |
|
| 2 |
+------------------------------- |
|
| 3 | 3 |
|
| 4 | 4 |
OpenVPN 2.4 and higher have the capability to negotiate the data cipher that |
| 5 | 5 |
is used to encrypt data packets. This section describes the mechanism in more detail and the |
| 6 | 6 |
different backwards compatibility mechanism with older server and clients. |
| 7 | 7 |
|
| 8 | 8 |
OpenVPN 2.5 and later behaviour |
| 9 |
+``````````````````````````````` |
|
| 9 | 10 |
When both client and server are at least running OpenVPN 2.5, that the order of |
| 10 | 11 |
the ciphers of the server's ``--data-ciphers`` is used to pick the data cipher. |
| 11 | 12 |
That means that the first cipher in that list that is also in the client's |
| ... | ... |
@@ -25,7 +25,7 @@ For backwards compatibility OpenVPN 2.6 and later with ``--compat-mode 2.4.x`` |
| 25 | 25 |
``--cipher`` option to this list. |
| 26 | 26 |
|
| 27 | 27 |
OpenVPN 2.4 clients |
| 28 |
+``````````````````` |
|
| 28 | 29 |
The negotiation support in OpenVPN 2.4 was the first iteration of the implementation |
| 29 | 30 |
and still had some quirks. Its main goal was "upgrade to AES-256-GCM when possible". |
| 30 | 31 |
An OpenVPN 2.4 client that is built against a crypto library that supports AES in GCM |
| ... | ... |
@@ -40,7 +40,7 @@ always have the `AES-256-GCM` and `AES-128-GCM` ciphers to the ``--ncp-ciphers`` |
| 40 | 40 |
options to avoid this behaviour. |
| 41 | 41 |
|
| 42 | 42 |
OpenVPN 3 clients |
| 43 |
+````````````````` |
|
| 43 | 44 |
Clients based on the OpenVPN 3.x library (https://github.com/openvpn/openvpn3/) |
| 44 | 45 |
do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. Newer |
| 45 | 46 |
versions by default disable legacy AES-CBC, BF-CBC, and DES-CBC ciphers. |
| ... | ... |
@@ -52,7 +52,7 @@ included in the server's ``--data-ciphers`` option. |
| 52 | 52 |
|
| 53 | 53 |
|
| 54 | 54 |
OpenVPN 2.3 and older clients (and clients with ``--ncp-disable``) |
| 55 |
+`````````````````````````````````````````````````````````````````` |
|
| 55 | 56 |
When a client without cipher negotiation support connects to a server the |
| 56 | 57 |
cipher specified with the ``--cipher`` option in the client configuration |
| 57 | 58 |
must be included in the ``--data-ciphers`` option of the server to allow |
| ... | ... |
@@ -65,7 +65,7 @@ If the client is 2.3 or older and has been configured with the |
| 65 | 65 |
cipher used by the client is necessary. |
| 66 | 66 |
|
| 67 | 67 |
OpenVPN 2.4 server |
| 68 |
+`````````````````` |
|
| 68 | 69 |
When a client indicates support for `AES-128-GCM` and `AES-256-GCM` |
| 69 | 70 |
(with ``IV_NCP=2``) an OpenVPN 2.4 server will send the first |
| 70 | 71 |
cipher of the ``--ncp-ciphers`` to the OpenVPN client regardless of what |
| ... | ... |
@@ -76,7 +76,7 @@ option is required. OpenVPN 2.5+ will only announce the ``IV_NCP=2`` flag if |
| 76 | 76 |
those ciphers are present. |
| 77 | 77 |
|
| 78 | 78 |
OpenVPN 2.3 and older servers (and servers with ``--ncp-disable``) |
| 79 |
+`````````````````````````````````````````````````````````````````` |
|
| 79 | 80 |
The cipher used by the server must be included in ``--data-ciphers`` to |
| 80 | 81 |
allow the client connecting to a server without cipher negotiation |
| 81 | 82 |
support. |
| ... | ... |
@@ -89,7 +89,7 @@ If the server is 2.3 or older and has been configured with the |
| 89 | 89 |
cipher used by the server is necessary. |
| 90 | 90 |
|
| 91 | 91 |
Blowfish in CBC mode (BF-CBC) deprecation |
| 92 |
+````````````````````````````````````````` |
|
| 92 | 93 |
The ``--cipher`` option defaulted to `BF-CBC` in OpenVPN 2.4 and older |
| 93 | 94 |
version. The default was never changed to ensure backwards compatibility. |
| 94 | 95 |
In OpenVPN 2.5 this behaviour has now been changed so that if the ``--cipher`` |
| ... | ... |
@@ -1,8 +1,8 @@ |
| 1 | 1 |
Encryption Options |
| 2 |
-================== |
|
| 2 |
+------------------ |
|
| 3 | 3 |
|
| 4 | 4 |
SSL Library information |
| 5 |
+``````````````````````` |
|
| 5 | 6 |
|
| 6 | 7 |
--show-ciphers |
| 7 | 8 |
(Standalone) Show all cipher algorithms to use with the ``--cipher`` |
| ... | ... |
@@ -32,7 +32,7 @@ SSL Library information |
| 32 | 32 |
``--ecdh-curve`` and ``tls-groups`` options. |
| 33 | 33 |
|
| 34 | 34 |
Generating key material |
| 35 |
+``````````````````````` |
|
| 35 | 36 |
|
| 36 | 37 |
--genkey args |
| 37 | 38 |
(Standalone) Generate a key to be used of the type keytype. if keyfile |