Re: [Openvpn-devel] [PATCH release/2.3] docs: Further improve --reneg-bytes and SWEET32 information

2016-12-21 Thread Steffan Karger
Hi,

On 21 December 2016 at 21:54, David Sommerseth  wrote:
> +If using ciphers with cipher block sizes less than 128-bits, 
> \-\-reneg\-bytes is
> +set to 64MB by default, unless it is explicitly disabled by setting the 
> value to
> +0,but this is

(As in the patch for master:) missing space behind the ,.

ACK once that's fixed.

-Steffan

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [PATCH release/2.3] docs: Further improve --reneg-bytes and SWEET32 information

2016-12-21 Thread David Sommerseth
There are still some support tickets related to SWEET32 and
our default enforced --reneg-bytes 64 when using weaker ciphers
(less than 128-bits cipher blocks).  Try to clarify this even
more.

Also fix a few mistakes, saying less than 128-bits and not 128-bits
and less.

Signed-off-by: David Sommerseth 
---
 Changes.rst   |  6 +++---
 doc/openvpn.8 | 13 ++---
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/Changes.rst b/Changes.rst
index 3e3aaad..1c0154c 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -57,10 +57,10 @@ Improved UTF-8 support
 Behavioral changes
 --
 
-- OpenVPN will complain loudly about ciphers with 128-bits block sizes or less
+- OpenVPN will complain loudly about ciphers with block sizes less than 
128-bits
 
 - OpenVPN will by default re-negotiate the tunnel after 64MB when used with
-  ciphers using cipher blocks of 128-bits or less
+  ciphers using cipher blocks sizes less than 128-bits
 
 - Remove --enable-password-save option to configure, this is now always enabled
 
@@ -121,7 +121,7 @@ Version 2.3.13
 
   Ciphers with cipher blocks less than 128 bits will now do a renegotiation
   of the tunnel by default for every 64MB of data.  This behaviour can be
-  overridden by explictly setting --reneg-bytes 0 in the configuration file,
+  overridden by explicitly setting --reneg-bytes 0 in the configuration file,
   however this is HIGHLY discouraged.
 
   This is to reduce the risk for SWEET32 attacks.  The general recommendation
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 2140733..6063ccd 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4612,11 +4612,18 @@ such as TCP expect this role to be left to them.
 .B \-\-reneg\-bytes n
 Renegotiate data channel key after
 .B n
-bytes sent or received (disabled by default).
+bytes sent or received (disabled by default with an exception, see below).
 OpenVPN allows the lifetime of a key
-to be expressed as a number of bytes encrypted/decrypted, a number of packets, 
or
-a number of seconds.  A key renegotiation will be forced
+to be expressed as a number of bytes encrypted/decrypted, a number of packets,
+or a number of seconds.  A key renegotiation will be forced
 if any of these three criteria are met by either peer.
+
+If using ciphers with cipher block sizes less than 128-bits, \-\-reneg\-bytes 
is
+set to 64MB by default, unless it is explicitly disabled by setting the value 
to
+0,but this is
+.B HIGHLY DISCOURAGED
+as this is designed to add some protection against the SWEET32 attack vector.
+For more information see the \-\-cipher option.
 .\"*
 .TP
 .B \-\-reneg\-pkts n
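Review bot: the added paragraph has a missing space after the comma in "0,but this is" (the same defect flagged for the master version of this patch), and "128-bits" should read "128 bits" to match the Changes.rst wording; suggest "unless it is explicitly disabled by setting the value to 0, but this is". The sentence following ".B HIGHLY DISCOURAGED" says "as this is designed to add some protection", where "this" can be read as referring to the value 0 rather than to the 64MB default; "as the 64MB default is designed to add some protection against the SWEET32 attack vector" is unambiguous. Separately, the long added lines (e.g. "\-\-reneg\-bytes" followed by "is" on its own line) and the removed context line ending in "a number of packets, " / "or" appear to have been wrapped by the mail client, so the patch as sent may not apply cleanly with git am; worth checking that the original format-patch output is intact before merging.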
-- 
1.8.3.1

