As reported in trac #732, the man page text for --cipher is no longer
accurate. Update the text to represent current knowledge about NCP and
SWEET32.
This does not hint at changing the default cipher, because we did not make
a decision on that yet. If we do change the default cipher, we'll have to
update the text to reflect that.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1473605477-20908-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12440.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
@@ -3910,22 +3910,14 @@ Encrypt data channel packets with cipher algorithm |
3910 | 3910 |
The default is |
3911 | 3911 |
.B BF-CBC, |
3912 | 3912 |
an abbreviation for Blowfish in Cipher Block Chaining mode. |
3913 |
-Blowfish has the advantages of being fast, very secure, and allowing key sizes |
|
3914 |
-of up to 448 bits. Blowfish is designed to be used in situations where |
|
3915 |
-keys are changed infrequently. |
|
3916 | 3913 |
|
3917 |
-For more information on blowfish, see |
|
3918 |
-.I http://www.counterpane.com/blowfish.html |
|
3914 |
+Using BF-CBC is no longer recommended, because of it's 64-bit block size. This |
|
3915 |
+small block size allows attacks based on collisions, as demonstrated by SWEET32. |
|
3919 | 3916 |
|
3920 |
-To see other ciphers that are available with |
|
3921 |
-OpenVPN, use the |
|
3917 |
+To see other ciphers that are available with OpenVPN, use the |
|
3922 | 3918 |
.B \-\-show\-ciphers |
3923 | 3919 |
option. |
3924 | 3920 |
|
3925 |
-OpenVPN supports the CBC, CFB, and OFB cipher modes, |
|
3926 |
-however CBC is recommended and CFB and OFB should |
|
3927 |
-be considered advanced modes. |
|
3928 |
- |
|
3929 | 3921 |
Set |
3930 | 3922 |
.B alg=none |
3931 | 3923 |
to disable encryption. |
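Review bot: the added line "+Using BF-CBC is no longer recommended, because of it's 64-bit block size." has a typo: "it's" should be the possessive "its". The same paragraph now warns against BF-CBC while the unchanged lines just above it still introduce BF-CBC as the default, so a reader is told the default is weak but not what to do about it; consider adding a sentence that tells users to pick another cipher with --cipher and pointing them at the --show-ciphers reference that follows, so the warning is actionable. The commit message also says the text is updated regarding NCP, but nothing in this hunk mentions cipher negotiation; if that text is in another hunk this is fine, otherwise it is missing here.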