> Arne Schwabe <a...@rfc2549.org> wrote on 22.02.2022 13:21:
>
>
> >
> > The ``algorithm`` parameter may be :code:`lzo`, :code:`lz4`,
> > @@ -193,6 +193,10 @@ configured in a compatible way between both the local
> > and remote side.
> > supported by the client will be pushed to clients that support cipher
> > negotiation.
> >
> > + For more details see the chapter on `Data channel cipher negotiation`_.
> > + *Especially* if you need to support clients with OpenVPN versions older
> > + than 2.5!
> > +
>
> Why 2.5? 2.4 client and server will just default to AES-256-GCM and that
> should be fine?

I used < 2.5 because I removed the explanation of the 2.4 quirk from below.

> > -
> > - Note for using NCP with an OpenVPN 2.4 peer: This list must include the
> > - :code:`AES-256-GCM` and :code:`AES-128-GCM` ciphers.
> > + If ``--compat-mode`` is set to a version older than 2.5.0 ``--cipher``
> > + will be appended to ``--data-ciphers`` if not already present.
>
> Nitpick, not ``--cipher`` but the cipher specified by ``--cipher``

Okay.

> > @@ -3219,11 +3219,11 @@ options_set_backwards_compatible_options(struct
> > options *o)
> > }
> >
> > /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers.
> > - * Version 2.4 might probably does not need it but NCP was not so
> > + * Version 2.4 probably does not need it but NCP was not so
> > * good with 2.4 and ncp-disable might be more common on 2.4 peers.
> > - * Only do this iif --cipher is not explicitly (BF-CBC). This is not
> > - * 100% correct backwards compatible behaviour but 2.5 already behaved
> > like
> > - * this */
> > + * Only do this if --cipher is set explicitly (or compat mode is
>
> iif should have been iff (=if and only if). So probably either correct
> to that or write it out if you think that math idiom is not understood
> by normal programmers.

Yeah, I guessed that. But I thought it weird to use iff and then immediately
add in parenthesis an exception to that statement. So I will leave it like this.

> > + * < 2.4.0, see above). This is not 100% correct backwards compatible
> > + * behaviour but 2.5 already behaved like this */
> > if (o->ciphername && need_compatibility_before(o, 20500)
> > && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
> > {

-- 
Frank Lichtenheld

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
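Review bot: in the documentation hunk at line 193, the added "*Especially* if you need to support clients with OpenVPN versions older than 2.5!" is a sentence fragment hanging off a "see the chapter" pointer; suggest folding both into one sentence, e.g. "For more details, especially if you need to support clients running OpenVPN versions older than 2.5, see the chapter on `Data channel cipher negotiation`_." The 2.5 threshold itself is consistent with the "Versions < 2.5.0" comment in the options.c hunk and should stay.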
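Review bot: the replacement text "If ``--compat-mode`` is set to a version older than 2.5.0 ``--cipher`` will be appended to ``--data-ciphers``" needs a comma after "2.5.0" and states only half of the condition: the code hunk guards the append with `o->ciphername`, so it happens only when ``--cipher`` is actually set. Suggest "If ``--compat-mode`` is set to a version older than 2.5.0 and ``--cipher`` is set, the cipher specified by ``--cipher`` is appended to ``--data-ciphers`` if not already present.", which also resolves the nitpick about naming the cipher rather than the option.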
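Review bot: the rewritten comment "Only do this if --cipher is set explicitly (or compat mode is < 2.4.0, see above)" does not describe the condition it sits on, which tests only `o->ciphername`, `need_compatibility_before(o, 20500)` and `!tls_item_in_cipher_list(...)`; nothing in this hunk checks for < 2.4.0, so "see above" sends the reader looking for a second branch. If the < 2.4.0 handling earlier in the function works by populating `o->ciphername`, say that here, e.g. "Only do this if o->ciphername is set, either explicitly via --cipher or by the < 2.4.0 compat handling above", so the comment matches the actual check. The "might probably" wording fix in the first changed line is fine.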