Opened 4 years ago

Closed 4 years ago

#732 closed Bug / Defect (fixed)

manual entry for --cipher

Reported by: krzee king Owned by: David Sommerseth
Priority: trivial Milestone:
Component: Documentation Version: OpenVPN 2.3.12 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc:

Description (last modified by krzee king)

from 2.3 manual:
--cipher alg
Encrypt data channel packets with cipher algorithm alg. The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode. Blowfish has the advantages of being fast, very secure, and allowing key sizes of up to 448 bits. Blowfish is designed to be used in situations where keys are changed infrequently.

In light of sweet32 this probably needs an update in wording. I assume you guys have a few things to say here about cipher negotiation, but maybe for older manuals something like this will work:

--cipher alg
Encrypt data channel packets with cipher algorithm alg. The default in this version of openvpn is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode. Blowfish has the advantages of being fast and allowing key sizes of up to 448 bits. Blowfish was considered secure for a long time, but in 2016 the default was changed to AES after an attack against blowfish was demonstrated in a lab. For more information, see: http://community.openvpn.net/openvpn/wiki/SWEET32

Change History (5)

comment:1 Changed 4 years ago by krzee king

Description: modified (diff)

comment:2 Changed 4 years ago by krzee king

Description: modified (diff)

comment:3 Changed 4 years ago by David Sommerseth

Sent the following patch to the -devel ML
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12607.html

Author: David Sommerseth <davids@o_____.n__>
Date:   Wed Oct 5 14:44:43 2016 +0200

    man page: Update the --cipher section to reflect recommendations after SWEET32
    
    We should no longer make users believe Blowfish is a 'very secure' cipher.
    Update this section to reflect our recommendations after the SWEET32
    announcement.
    
    Trac: #732
    Signed-off-by: David Sommerseth <davids@o_____.n__>

comment:4 Changed 4 years ago by David Sommerseth

Owner: set to David Sommerseth
Status: newaccepted

comment:5 Changed 4 years ago by David Sommerseth

Resolution: fixed
Status: acceptedclosed

So this can be closed. Steffan already had a patch out.

commit 5a1daf533ae283e258732260c96461e820e61fe6
Author: Steffan Karger <steffan@karger.me>
Date:   Sun Sep 11 16:50:31 2016 +0200

    Update cipher-related man page text
    
    As reported in trac #732, the man page text for --cipher is no longer
    accurate.  Update the text to represent current knowledge, about NCP and
    SWEET32.
    
    This does not hint at changing the default cipher, because we did not make
    a decision on that yet.  If we do change the default cipher, we'll have to
    update the text to reflect that.
    
    Signed-off-by: Steffan Karger <steffan@karger.me>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1473605431-20842-1-git-send-email-steffan@karger.me>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12439.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
Note: See TracTickets for help on using tickets.