As reported in trac #732, the man page text for --cipher is no longer accurate. Update the text to represent current knowledge about NCP and SWEET32.
This does not hint at changing the default cipher, because we did not make a decision on that yet. If we do change the default cipher, we'll have to update the text to reflect that. Signed-off-by: Steffan Karger <stef...@karger.me> --- doc/openvpn.8 | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index d9bb77c..fd23f8b 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -3910,22 +3910,14 @@ Encrypt data channel packets with cipher algorithm The default is .B BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode. -Blowfish has the advantages of being fast, very secure, and allowing key sizes -of up to 448 bits. Blowfish is designed to be used in situations where -keys are changed infrequently. -For more information on blowfish, see -.I http://www.counterpane.com/blowfish.html +Using BF-CBC is no longer recommended, because of it's 64-bit block size. This +small block size allows attacks based on collisions, as demonstrated by SWEET32. -To see other ciphers that are available with -OpenVPN, use the +To see other ciphers that are available with OpenVPN, use the .B \-\-show\-ciphers option. -OpenVPN supports the CBC, CFB, and OFB cipher modes, -however CBC is recommended and CFB and OFB should -be considered advanced modes. - Set .B alg=none to disable encryption. -- 2.7.4 ------------------------------------------------------------------------------ _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
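Review bot: the commit message says the text is being updated for NCP as well as SWEET32, but the hunk only adds the SWEET32 sentence and says nothing about cipher negotiation; either add a sentence pointing readers at the negotiation option in the new paragraph, or drop NCP from the commit message so it matches the diff. Also, in `+Using BF-CBC is no longer recommended, because of it's 64-bit block size.` the possessive should be `its`, not `it's`, and the comma before "because" is unnecessary. Finally, deleting the `OpenVPN supports the CBC, CFB, and OFB cipher modes` paragraph leaves the man page with no statement of which modes are supported or recommended; if that guidance still holds, consider keeping a one-line version rather than removing it outright.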