diff --git a/Changes.rst b/Changes.rst index 17be0e15427..0da01e84fc1 100644 --- a/Changes.rst +++ b/Changes.rst @@ -14,12 +14,19 @@ ChaCha20-Poly1305 cipher support channel. Improved Data channel cipher negotiation + The option ``ncp-ciphers`` has been renamed to ``data-ciphers``. + The old name is still accepted. The change in name signals that + ``data-ciphers`` is the preferred way to configure data channel + ciphers and the data prefix is chosen to avoid the ambiguity that + exists with ``--cipher`` for the data cipher and ``tls-cipher`` + for the TLS ciphers. + OpenVPN clients will now signal all supported ciphers from the - ``ncp-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN - servers will select the first common cipher from the ``ncp-ciphers`` + ``data-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN + servers will select the first common cipher from the ``data-ciphers`` list instead of blindly pushing the first cipher of the list. This allows to use a configuration like - ``ncp-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that + ``data-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that prefers ChaCha20-Poly1305 but uses it only if the client supports it. Asynchronous (deferred) authentication support for auth-pam plugin. diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst index 923d2da0408..051f1d32d2f 100644 --- a/doc/man-sections/protocol-options.rst +++ b/doc/man-sections/protocol-options.rst @@ -62,7 +62,7 @@ configured in a compatible way between both the local and remote side. The default is :code:`BF-CBC`, an abbreviation for Blowfish in Cipher Block Chaining mode. When cipher negotiation (NCP) is allowed, OpenVPN 2.4 and newer on both client and server side will automatically - upgrade to :code:`AES-256-GCM`. See ``--ncp-ciphers`` and + upgrade to :code:`AES-256-GCM`. See ``--data-ciphers`` and ``--ncp-disable`` for more details on NCP. Using :code:`BF-CBC` is no longer recommended, because of its 64-bit @@ -169,7 +169,7 @@ configured in a compatible way between both the local and remote side. non-standard key lengths, and a larger key may offer no real guarantee of greater security, or may even reduce security. ---ncp-ciphers cipher-list +--data-ciphers cipher-list Restrict the allowed ciphers to be negotiated to the ciphers in ``cipher-list``. ``cipher-list`` is a colon-separated list of ciphers, and defaults to :code:`AES-256-GCM:AES-128-GCM`. @@ -189,9 +189,9 @@ configured in a compatible way between both the local and remote side. Additionally, to allow for more smooth transition, if NCP is enabled, OpenVPN will inherit the cipher of the peer if that cipher is different from the local ``--cipher`` setting, but the peer cipher is one of the - ciphers specified in ``--ncp-ciphers``. E.g. a non-NCP client (<=v2.3, + ciphers specified in ``--data-ciphers``. E.g. a non-NCP client (<=v2.3, or with --ncp-disabled set) connecting to a NCP server (v2.4+) with - ``--cipher BF-CBC`` and ``--ncp-ciphers AES-256-GCM:AES-256-CBC`` set can + ``--cipher BF-CBC`` and ``--data-ciphers AES-256-GCM:AES-256-CBC`` set can either specify ``--cipher BF-CBC`` or ``--cipher AES-256-CBC`` and both will work. @@ -201,6 +201,9 @@ configured in a compatible way between both the local and remote side. This list is restricted to be 127 chars long after conversion to OpenVPN ciphers. + This option was called ``ncp-ciphers`` in OpenVPN 2.4 but has been renamed + to ``data-ciphers`` in OpenVPN 2.5 to more accurately reflect its meaning. + --ncp-disable Disable "Negotiable Crypto Parameters". This completely disables cipher negotiation. diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index babf33d3cbd..f1f0667a94e 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -479,8 +479,8 @@ fast hardware. SSL/TLS authentication must be used in this mode. *AES-GCM-128* and *AES-GCM-256*. :code:`IV_CIPHERS=` - The client pushes the list of configured ciphers with the - ``--ciphers`` option to the server. + The client announces the list of supported ciphers configured with the + ``--data-ciphers`` option to the server. :code:`IV_GUI_VER= ` The UI version of a UI if one is running, for example diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf index 7f2f30a3aec..47ca4099213 100644 --- a/sample/sample-config-files/client.conf +++ b/sample/sample-config-files/client.conf @@ -112,7 +112,7 @@ tls-auth ta.key 1 # then you must also specify it here. # Note that v2.4 client/server will automatically # negotiate AES-256-GCM in TLS mode. -# See also the ncp-cipher option in the manpage +# See also the data-ciphers option in the manpage cipher AES-256-CBC # Enable compression on the VPN link. diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index b83a0f0629d..9bda38b0912 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -1824,7 +1824,7 @@ multi_client_set_protocol_options(struct context *c) else { /* - * Push the first cipher from --ncp-ciphers to the client that + * Push the first cipher from --data-ciphers to the client that * the client announces to be supporting. */ char *push_cipher = ncp_get_best_cipher(o->ncp_ciphers, o->ciphername, @@ -1844,7 +1844,7 @@ multi_client_set_protocol_options(struct context *c) { msg(M_INFO, "PUSH: No common cipher between server and " "client. Expect this connection not to work. Server " - "ncp-ciphers: '%s', client supported ciphers '%s'", + "data-ciphers: '%s', client supported ciphers '%s'", o->ncp_ciphers, peer_ciphers); } else diff --git a/src/openvpn/options.c b/src/openvpn/options.c index a8a9bb97417..58272221dfe 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -531,7 +531,7 @@ static const char usage_message[] = "--cipher alg : Encrypt packets with cipher algorithm alg\n" " (default=%s).\n" " Set alg=none to disable encryption.\n" - "--ncp-ciphers list : List of ciphers that are allowed to be negotiated.\n" + "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n" "--ncp-disable : (DEPRECATED) Disable cipher negotiation.\n" "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n" " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n" @@ -7863,7 +7863,8 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE); options->ciphername = p[1]; } - else if (streq(p[0], "ncp-ciphers") && p[1] && !p[2]) + else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers")) + && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE); options->ncp_ciphers = p[1]; diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index 4d10109c7b9..8e432fb7583 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c @@ -111,7 +111,7 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc) const cipher_kt_t *ktc = cipher_kt_get(token); if (!ktc) { - msg(M_WARN, "Unsupported cipher in --ncp-ciphers: %s", token); + msg(M_WARN, "Unsupported cipher in --data-ciphers: %s", token); error_found = true; } else @@ -130,7 +130,7 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc) if (!(buf_forward_capacity(&new_list) > strlen(ovpn_cipher_name) + 2)) { - msg(M_WARN, "Length of --ncp-ciphers is over the " + msg(M_WARN, "Length of --data-ciphers is over the " "limit of 127 chars"); error_found = true; }