Hi, On 23-12-16 17:07, David Sommerseth wrote: > The git master/2.4 code lacked some useful information about > the changes to --reneg-bytes, SWEET32 and weak ciphers (less > than 128-bits cipher blocks) > > v2 - Fixed a couple of grammar/typo issues > > Signed-off-by: David Sommerseth <dav...@openvpn.net> > --- > Changes.rst | 6 ++++++ > doc/openvpn.8 | 13 ++++++++++--- > 2 files changed, 16 insertions(+), 3 deletions(-) > > diff --git a/Changes.rst b/Changes.rst > index 8508fa3..df5ccb6 100644 > --- a/Changes.rst > +++ b/Changes.rst > @@ -182,6 +182,12 @@ Deprecated features > > User-visible Changes > -------------------- > +- When using ciphers with cipher blocks less than 128-bits > + OpenVPN will complain loudly if the configuration uses ciphers considered > + weak, such as the SWEET32 attack vector. In such scenarios, OpenVPN will > by > + default do a renegotiation for each 64MB of transported data > (``--reneg-bytes``). > + This renegotiation can be disabled, but is HIGHLY DISCOURAGED. > + > - For certificate DNs with duplicate fields, e.g. "OU=one,OU=two", both > fields > are now exported to the environment, where each second and later occurrence > of a field get _$N appended to it's field name, starting at N=1. For the > diff --git a/doc/openvpn.8 b/doc/openvpn.8 > index f079799..ddaf0ed 100644 > --- a/doc/openvpn.8 > +++ b/doc/openvpn.8 
> @@ -4876,11 +4876,18 @@ such as TCP expect this role to be left to them. > .B \-\-reneg\-bytes n > Renegotiate data channel key after > .B n > -bytes sent or received (disabled by default). > +bytes sent or received (disabled by default with an exception, see below). > OpenVPN allows the lifetime of a key > -to be expressed as a number of bytes encrypted/decrypted, a number of > packets, or > -a number of seconds. A key renegotiation will be forced > +to be expressed as a number of bytes encrypted/decrypted, a number of > packets, > +or a number of seconds. A key renegotiation will be forced > if any of these three criteria are met by either peer. > + > +If using ciphers with cipher block sizes less than 128-bits, > \-\-reneg\-bytes is > +set to 64MB by default, unless it is explicitly disabled by setting the > value to > +0, but this is > +.B HIGHLY DISCOURAGED > +as this is designed to add some protection against the SWEET32 attack vector. > +For more information see the \-\-cipher option. > .\"********************************************************* > .TP > .B \-\-reneg\-pkts n >
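Review bot: in the new Changes.rst paragraph, "ciphers considered weak, such as the SWEET32 attack vector" reads as if SWEET32 were a cipher; SWEET32 is the attack that ciphers with a 64-bit block are exposed to. Suggest "ciphers considered weak because they are vulnerable to attacks such as SWEET32". The same paragraph says "cipher blocks less than 128-bits" while the openvpn.8 hunk says "cipher block sizes less than 128-bits"; one phrasing in both files ("block size smaller than 128 bits", with "128-bit" only when used as an adjective) would keep the two descriptions of the same default consistent.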
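Review bot: the added sentence in the \-\-reneg\-bytes paragraph chains three clauses and its final "this" is ambiguous: as written it can be read as the act of disabling being "designed to add some protection against the SWEET32 attack vector". Suggest splitting it, for example "\-\-reneg\-bytes defaults to 64MB. This default adds some protection against the SWEET32 attack. It can be disabled by setting the value to 0, but this is .B HIGHLY DISCOURAGED". Consider also stating the exact byte count behind "64MB" (the patch does not say whether it means 64*1024*1024 bytes), so that a user who wants to reproduce or tighten the default knows which value to pass.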
ACK

-Steffan

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel