We should no longer make users believe Blowfish is a 'very secure' cipher.
Update this section to reflect our recommendations after the SWEET32

Trac: #732
Signed-off-by: David Sommerseth <dav...@openvpn.net>
 doc/openvpn.8 | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 2d15944..657985c 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4110,14 +4110,20 @@ Encrypt data channel packets with cipher algorithm
 The default is
 an abbreviation for Blowfish in Cipher Block Chaining mode.
-Blowfish has the advantages of being fast, very secure, and allowing key sizes
+Blowfish has the advantages of being fast, and allowing key sizes
 of up to 448 bits.  Blowfish is designed to be used in situations where
 keys are changed infrequently.
-For more information on blowfish, see
-.I http://www.counterpane.com/blowfish.html
+Blowfish was considered very secure for a long time.  But recent attacks 
+in the SWEET32 discovery makes it very unsuitable.  If you depend on Blowfish
+today, at least enable more aggressive renegotiation of the tunnel (set
+.B \-\-reneg-bytes
+to maximum 64MB) and start planning a migration to one of the now recommended 
+ciphers. For more information, see:
-To see other ciphers that are available with
+.I http://community.openvpn.net/openvpn/wiki/SWEET32
+To see all ciphers that are available with
 OpenVPN, use the
 .B \-\-show\-ciphers

Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
Openvpn-devel mailing list

Reply via email to