author | Parménides GV <parmegv@sdf.org> | 2015-01-31 01:20:59 +0100 |
---|---|---|
committer | Parménides GV <parmegv@sdf.org> | 2015-01-31 01:20:59 +0100 |
commit | 29fd5bc150155505a9fe0ffa4f1d0ac81db78724 (patch) | |
tree | 90c4af22d047b7297a66a9e623c86c5af63b12f6 /app/openvpn/doc | |
parent | 1a4643dc08a86dcd9650afa2255945df14445f2d (diff) | |
parent | c95a21a736fadb46685e051064b0ec1efdae667a (diff) |
Merge branch 'bug/second-notification-reintroduced' into develop
Diffstat (limited to 'app/openvpn/doc')
-rw-r--r-- | app/openvpn/doc/doxygen/doc_data_crypto.h | 12 | ||||
-rw-r--r-- | app/openvpn/doc/doxygen/openvpn.doxyfile | 2 | ||||
-rw-r--r-- | app/openvpn/doc/openvpn.8 | 33 |
3 files changed, 34 insertions, 13 deletions
diff --git a/app/openvpn/doc/doxygen/doc_data_crypto.h b/app/openvpn/doc/doxygen/doc_data_crypto.h
index 640203f4..11726724 100644
--- a/app/openvpn/doc/doxygen/doc_data_crypto.h
+++ b/app/openvpn/doc/doxygen/doc_data_crypto.h
@@ -60,12 +60,12 @@
 *
 * @par Settings that control this module's activity
 * Whether or not the Data Channel Crypto module is active depends on the
- * compile-time \c ENABLE_CRYPTO and \c ENABLE_SSL preprocessor macros. How it
- * processes packets received from the \link data_control Data Channel
- * Control module\endlink at runtime depends on the associated \c
- * crypto_options structure. To perform cryptographic operations, the \c
- * crypto_options.key_ctx_bi must contain the correct cipher and HMAC
- * security parameters for the direction the packet is traveling in.
+ * compile-time \c ENABLE_CRYPTO preprocessor macro. How it processes packets
+ * received from the \link data_control Data Channel Control module\endlink at
+ * runtime depends on the associated \c crypto_options structure. To perform
+ * cryptographic operations, the \c crypto_options.key_ctx_bi must contain the
+ * correct cipher and HMAC security parameters for the direction the packet is
+ * traveling in.
 *
 * @par Crypto algorithms
 * This module uses the crypto algorithm implementations of the external
diff --git a/app/openvpn/doc/doxygen/openvpn.doxyfile b/app/openvpn/doc/doxygen/openvpn.doxyfile
index cf26c42a..7a02028a 100644
--- a/app/openvpn/doc/doxygen/openvpn.doxyfile
+++ b/app/openvpn/doc/doxygen/openvpn.doxyfile
@@ -235,7 +235,7 @@ EXPAND_ONLY_PREDEF = NO
 SEARCH_INCLUDES = YES
 INCLUDE_PATH =
 INCLUDE_FILE_PATTERNS =
-PREDEFINED = WIN32 NTLM USE_LZO ENABLE_FRAGMENT P2MP P2MP_SERVER ENABLE_CRYPTO ENABLE_CRYPTO_OPENSSL ENABLE_SSL ENABLE_PLUGIN ENABLE_MANAGEMENT ENABLE_OCC HAVE_GETTIMEOFDAY
+PREDEFINED = WIN32 NTLM USE_LZO ENABLE_FRAGMENT P2MP P2MP_SERVER ENABLE_CRYPTO ENABLE_CRYPTO_OPENSSL ENABLE_PLUGIN ENABLE_MANAGEMENT ENABLE_OCC HAVE_GETTIMEOFDAY
 EXPAND_AS_DEFINED =
 SKIP_FUNCTION_MACROS = YES
 #---------------------------------------------------------------------------
diff --git a/app/openvpn/doc/openvpn.8 b/app/openvpn/doc/openvpn.8
index 532eda5c..a8c189c9 100644
--- a/app/openvpn/doc/openvpn.8
+++ b/app/openvpn/doc/openvpn.8
@@ -4239,13 +4239,18 @@ Not available with PolarSSL. File containing Diffie Hellman parameters in .pem format (required for .B \-\-tls-server -only). Use +only). -.B openssl dhparam -out dh1024.pem 1024 +Set +.B file=none +to disable Diffie Hellman key exchange (and use ECDH only). Note that this +requires peers to be using an SSL library that supports ECDH TLS cipher suites +(e.g. OpenSSL 1.0.1+, or PolarSSL 1.3+). -to generate your own, or use the existing dh1024.pem file -included with the OpenVPN distribution. Diffie Hellman parameters -may be considered public. +Use +.B openssl dhparam -out dh2048.pem 2048 +to generate 2048-bit DH parameters. Diffie Hellman parameters may be considered +public. .\"********************************************************* .TP .B \-\-ecdh-curve name
@@ -4393,6 +4398,16 @@ This option can be used instead of .B \-\-cert, \-\-key, and .B \-\-pkcs12. + +If p11-kit is present on the system, its +.B p11-kit-proxy.so +module will be loaded by default if either the +.B \-\-pkcs11\-id +or +.B \-\-pkcs11\-id\-management +options are specified without +.B \-\-pkcs11\-provider +being given. .\"********************************************************* .TP .B \-\-pkcs11-private-mode mode...
@@ -5480,11 +5495,17 @@ adapter list. .SS PKCS#11 Standalone Options: .\"********************************************************* .TP -.B \-\-show-pkcs11-ids provider [cert_private] +.B \-\-show-pkcs11-ids [provider] [cert_private] (Standalone) Show PKCS#11 token object list. Specify cert_private as 1 if certificates are stored as private objects. +If p11-kit is present on the system, the +.B provider +argument is optional; if omitted the default +.B p11-kit-proxy.so +module will be queried. + .B \-\-verb option can be used BEFORE this option to produce debugging information. .\"********************************************************* |