This explains that 2.6 will ignore --cipher without --compat-mode and restructures the whole paragraph to be more readable.
Signed-off-by: Arne Schwabe <[email protected]> --- doc/man-sections/cipher-negotiation.rst | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/doc/man-sections/cipher-negotiation.rst b/doc/man-sections/cipher-negotiation.rst index 423b5ab6a..6e872962a 100644 --- a/doc/man-sections/cipher-negotiation.rst +++ b/doc/man-sections/cipher-negotiation.rst @@ -15,12 +15,15 @@ with a AUTH_FAILED message (as seen in client log): AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher) -OpenVPN 2.5 will only allow the ciphers specified in ``--data-ciphers``. To ensure -backwards compatibility also if a cipher is specified using the ``--cipher`` option -it is automatically added to this list. If both options are unset the default is -:code:`AES-256-GCM:AES-128-GCM`. In 2.6 and later the default is changed to +OpenVPN 2.5 and higher will only allow the ciphers specified in ``--data-ciphers``. + If ``--data-ciphers`` is not set the default is :code:`AES-256-GCM:AES-128-GCM`. +In 2.6 and later the default is changed to :code:`AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305` when Chacha20-Poly1305 is available. +For backwards compatibility OpenVPN 2.6.0 and later with ``--compat-mode 2.4.x`` +(or lower) or OpenVPN 2.5.x will automatically add a cipher specified using the +``--cipher`` option to this list. + OpenVPN 2.4 clients ------------------- The negotiation support in OpenVPN 2.4 was the first iteration of the implementation -- 2.33.0 _______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
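Review bot: The new closing paragraph of this hunk only lists the cases where ``--cipher`` is appended to the list (OpenVPN 2.5.x, or 2.6.0 and later with ``--compat-mode 2.4.x`` or lower); it never states outright what the commit message says, that 2.6 without ``--compat-mode`` ignores ``--cipher``. Someone upgrading a configuration that relies on ``--cipher`` may only notice this through the "no shared cipher" AUTH_FAILED message shown just above, so an explicit sentence would help, for example "OpenVPN 2.6 and later without ``--compat-mode`` do not add the ``--cipher`` value to this list." Two smaller points in the same hunk: now that the first sentence reads "2.5 and higher", the following "If ``--data-ciphers`` is not set the default is ..." reads as applying to 2.6 as well until the next sentence overrides it, so "In 2.5 the default is ..." would be clearer; and the added line beginning "If ``--data-ciphers`` is not set" appears to start with a space, which reStructuredText may treat as indentation inside the paragraph.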
