mirror of
https://github.com/OpenVPN/openvpn.git
synced 2026-06-09 00:42:51 -04:00
docs: Further enhance the documentation related to SWEET32
The git master/2.4 code lacked some useful information about
the changes to --reneg-bytes, SWEET32 and weak ciphers (less
than 128-bits cipher blocks)
v2 - Fixed a couple of grammar/typo issues
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1482509264-24550-1-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13682.html
(cherry picked from commit a256aee8e7)
This commit is contained in:
David Sommerseth
parent
a0006fa431
commit
203d7c8b1f
2 changed files with 16 additions and 3 deletions
|
|
@ -182,6 +182,12 @@ Deprecated features
|
|||
|
||||
User-visible Changes
|
||||
--------------------
|
||||
- When using ciphers with cipher blocks less than 128-bits
|
||||
OpenVPN will complain loudly if the configuration uses ciphers considered
|
||||
weak, such as the SWEET32 attack vector. In such scenarios, OpenVPN will by
|
||||
default do a renegotiation for each 64MB of transported data (``--reneg-bytes``).
|
||||
This renegotiation can be disabled, but is HIGHLY DISCOURAGED.
|
||||
|
||||
- For certificate DNs with duplicate fields, e.g. "OU=one,OU=two", both fields
|
||||
are now exported to the environment, where each second and later occurrence
|
||||
of a field get _$N appended to it's field name, starting at N=1. For the
|
||||
|
|
|
|||
|
|
@ -4876,11 +4876,18 @@ such as TCP expect this role to be left to them.
|
|||
.B \-\-reneg\-bytes n
|
||||
Renegotiate data channel key after
|
||||
.B n
|
||||
bytes sent or received (disabled by default).
|
||||
bytes sent or received (disabled by default with an exception, see below).
|
||||
OpenVPN allows the lifetime of a key
|
||||
to be expressed as a number of bytes encrypted/decrypted, a number of packets, or
|
||||
a number of seconds. A key renegotiation will be forced
|
||||
to be expressed as a number of bytes encrypted/decrypted, a number of packets,
|
||||
or a number of seconds. A key renegotiation will be forced
|
||||
if any of these three criteria are met by either peer.
|
||||
|
||||
If using ciphers with cipher block sizes less than 128-bits, \-\-reneg\-bytes is
|
||||
set to 64MB by default, unless it is explicitly disabled by setting the value to
|
||||
0, but this is
|
||||
.B HIGHLY DISCOURAGED
|
||||
as this is designed to add some protection against the SWEET32 attack vector.
|
||||
For more information see the \-\-cipher option.
|
||||
.\"*********************************************************
|
||||
.TP
|
||||
.B \-\-reneg\-pkts n
|
||||
|
|
|
|||
Loading…
Reference in a new issue