There are still some support tickets related to SWEET32 and our default enforced --reneg-bytes 64 when using weaker ciphers (less than 128-bit cipher blocks). Try to clarify this even more.
Also fix a few mistakes, saying less than 128-bits and not 128-bits and less. Signed-off-by: David Sommerseth <dav...@openvpn.net> --- Changes.rst | 6 +++--- doc/openvpn.8 | 13 ++++++++++--- 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/Changes.rst b/Changes.rst index 3e3aaad..1c0154c 100644 --- a/Changes.rst +++ b/Changes.rst @@ -57,10 +57,10 @@ Improved UTF-8 support Behavioral changes ------------------ -- OpenVPN will complain loudly about ciphers with 128-bits block sizes or less +- OpenVPN will complain loudly about ciphers with block sizes less than 128-bits - OpenVPN will by default re-negotiate the tunnel after 64MB when used with - ciphers using cipher blocks of 128-bits or less + ciphers using cipher blocks sizes less than 128-bits - Remove --enable-password-save option to configure, this is now always enabled @@ -121,7 +121,7 @@ Version 2.3.13 Ciphers with cipher blocks less than 128 bits will now do a renegotiation of the tunnel by default for every 64MB of data. This behaviour can be - overridden by explictly setting --reneg-bytes 0 in the configuration file, + overridden by explicitly setting --reneg-bytes 0 in the configuration file, however this is HIGHLY discouraged. This is to reduce the risk for SWEET32 attacks. The general recommendation diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 2140733..6063ccd 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 
@@ -4612,11 +4612,18 @@ such as TCP expect this role to be left to them. .B \-\-reneg\-bytes n Renegotiate data channel key after .B n -bytes sent or received (disabled by default). +bytes sent or received (disabled by default with an exception, see below). OpenVPN allows the lifetime of a key -to be expressed as a number of bytes encrypted/decrypted, a number of packets, or -a number of seconds. A key renegotiation will be forced +to be expressed as a number of bytes encrypted/decrypted, a number of packets, +or a number of seconds. A key renegotiation will be forced if any of these three criteria are met by either peer. + +If using ciphers with cipher block sizes less than 128-bits, \-\-reneg\-bytes is +set to 64MB by default, unless it is explicitly disabled by setting the value to +0,but this is +.B HIGHLY DISCOURAGED +as this is designed to add some protection against the SWEET32 attack vector. +For more information see the \-\-cipher option. .\"********************************************************* .TP .B \-\-reneg\-pkts n -- 1.8.3.1 _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
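Review bot: `+ ciphers using cipher blocks sizes less than 128-bits` in the Changes.rst "Behavioral changes" hunk has a grammar slip and should read `ciphers using cipher block sizes less than 128 bits`. In the same hunk `block sizes less than 128-bits` should likewise be `128 bits` (no hyphen when the unit is used as a noun), which also matches the unchanged context in the Version 2.3.13 section of the same file, where the text already says `cipher blocks less than 128 bits`.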
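Review bot: `+0,but this is` in the openvpn.8 hunk is missing a space after the comma. More importantly, the new sentence `\-\-reneg\-bytes is set to 64MB by default, unless it is explicitly disabled by setting the value to 0` reads as if 0 were the only way to change the default; if any explicitly configured \-\-reneg\-bytes value replaces the 64MB default, say so, and keep the `.B HIGHLY DISCOURAGED` warning specifically for setting it to 0, which removes the byte-based renegotiation entirely. The following `as this is designed to add some protection against the SWEET32 attack vector` also has an ambiguous `this` (the 64MB limit, not the act of disabling it); suggest something like `the 64MB default is there to reduce exposure to SWEET32 attacks; see the \-\-cipher option`. Finally, `cipher block sizes less than 128-bits` should be `less than 128 bits`, consistent with the Changes.rst context lines in this patch.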