- Explain the IV_NCP=2 client situation in 2.4 a bit better.
 - Make more clear what exact versions are meant in the old client section
 - add a missing - in a heading

Thanks to Richard Bohnhomme for initial proof reading.

Signed-off-by: Arne Schwabe <a...@rfc2549.org>
---
 doc/man-sections/cipher-negotiation.rst | 34 ++++++++++++++-----------
 1 file changed, 19 insertions(+), 15 deletions(-)

diff --git a/doc/man-sections/cipher-negotiation.rst 
b/doc/man-sections/cipher-negotiation.rst
index 46c9d7cf..b2c20241 100644
--- a/doc/man-sections/cipher-negotiation.rst
+++ b/doc/man-sections/cipher-negotiation.rst
@@ -22,14 +22,18 @@ it is automatically added to this list. If both options are 
unset the default is
 
 OpenVPN 2.4 clients
 -------------------
-The negotiation support in OpenVPN 2.4 was a first implementation and still 
had some
-quirks. Its main goal was "upgrade to AES-256-GCM when possible".
+The negotiation support in OpenVPN 2.4 was the first iteration of the 
implementation
+and still had some quirks. Its main goal was "upgrade to AES-256-GCM when 
possible".
 An OpenVPN 2.4 client that is built against a crypto library that supports AES 
in GCM
 mode and does not have ``--ncp-disable`` will always announce support for
-`AES-256-GCM` and `AES-128-GCM` even if the ``--ncp-ciphers`` option does not 
include
-those two ciphers. It is therefore recommended to add `AES-256-GCM` and 
`AES-128-GCM`
-to the ``--ncp-ciphers`` options to workaround this bug.
+`AES-256-GCM` and `AES-128-GCM` to a server by sending :code:`IV_NCP=2`.
 
+This only causes a problem if ``--ncp-ciphers`` option has been changed from 
the
+default of :code:`AES-256-GCM:AES-128-GCM` to a value that does not include
+these two ciphers. When a OpenVPN servers try to use `AES-256-GCM` or
+`AES-128-GCM` the connection will then fail. It is therefore recommended to
+always have the `AES-256-GCM` and `AES-128-GCM` ciphers to the 
``--ncp-ciphers``
+options to avoid this behaviour.
 
 OpenVPN 3 clients
 -----------------
@@ -42,7 +46,7 @@ To support OpenVPN 3.x based clients at least one of these 
ciphers needs to be
 included in the server's ``--data-ciphers`` option.
 
 
-OpenVPN 2.3 clients and older (and clients with ``--ncp-disable``)
+OpenVPN 2.3 and older clients (and clients with ``--ncp-disable``)
 ------------------------------------------------------------------
 When a client without cipher negotiation support connects to a server the
 cipher specified with the ``--cipher`` option in the client configuration
@@ -50,10 +54,10 @@ must be included in the ``--data-ciphers`` option of the 
server to allow
 the client to connect. Otherwise the client will be sent the ``AUTH_FAILED``
 message that indicates no shared cipher.
 
-If the client has been configured with the ``--enable-small``
-:code:``./configure`` argument, using ``data-ciphers-fallback cipher``
-in the server config file with the explicit cipher used by the client
-is necessary.
+If the client is 2.3 or older and has been configured with the
+``--enable-small``  :code:`./configure` argument, using
+``data-ciphers-fallback cipher`` in the server config file with the explicit
+cipher used by the client is necessary.
 
 OpenVPN 2.4 server
 ------------------
@@ -66,7 +70,7 @@ adding  `AES-128-GCM` and `AES-256-GCM` to the client's 
``--data-ciphers``
 option is required. OpenVPN 2.5+ will only announce the ``IV_NCP=2`` flag if
 those ciphers are present.
 
-OpenVPN 2.3 and older servers (and servers with ``-ncp-disable``)
+OpenVPN 2.3 and older servers (and servers with ``--ncp-disable``)
 -----------------------------------------------------------------
 The cipher used by the server must be included in ``--data-ciphers`` to
 allow the client connecting to a server without cipher negotiation
@@ -74,10 +78,10 @@ support.
 (For compatibility OpenVPN 2.5 will also accept the cipher set with
 ``--cipher``)
 
-If the server has been configured with the ``--enable-small``
-:code:``./configure` argument, adding ``data-ciphers-fallback cipher``
-to the client config with the explicit cipher used by the server
-is necessary.
+If the server is 2.3 or older and  has been configured with the
+``--enable-small`` :code:`./configure` argument, adding
+``data-ciphers-fallback cipher`` to the client config with the explicit
+cipher used by the server is necessary.
 
 Blowfish in CBC mode (BF-CBC) deprecation
 ------------------------------------------
-- 
2.26.2



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to