--- gvpe/NEWS 2015/01/17 08:42:50 1.123 +++ gvpe/NEWS 2015/01/29 00:21:38 1.124 @@ -30,6 +30,11 @@ only missing private keys. private keys are also put into the configured location. - the pid-file now accepts %s as nodename as elsewhere. + - switch to counter mode (only aes supported at the moment in + openssl). this gets rid of the need to generate a random iv, + is likely more secure (and, as a side effect, gets rid of + slow randomness generation. counter mode is often faster + then cbc mode as well). - no longer use RAND_bytes to generate session keys - you NEED a real source of entropy now (e.g. egd or /dev/random - see the openssl documentation). @@ -37,13 +42,6 @@ and will be merged. - a new directive "global" switches back to the global section of the config file. - - 12 random prefix bytes are now properly supported, leading to - a fully random IV. - - use aes with a random key in counter-mode to generate IVs, - for speed reasons (generating 12 random bytes with openssl can - take longer than encrypting and mac'ing a 1.5kb packet, and IVs - do not need to be cryptographically strong random numbers - (and in fact, shouldn't be)). - if-up scripts can now be specified with absolute paths. - new global option: serial, to detect configuration mismatches. - use HKDF as authentication proof, not HMAC or a plain hash
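Review bot: In the added counter-mode entry (hunk at -30,6 +30,11), "is likely more secure" is stated without the condition it depends on: once there is no random IV, counter mode is only safe if the counter block never repeats under the same session key, and the entry does not say what guarantees that. Suggest adding a clause on where the counter value comes from and that a session key is never reused with a restarted counter. The entry should also flag "only aes supported" as a configuration change for nodes set to another cipher, and "faster then cbc mode" should read "faster than cbc mode".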
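Review bot: The two entries deleted in the hunk at -37,13 +42,6 ("12 random prefix bytes are now properly supported" and "use aes with a random key in counter-mode to generate IVs") vanish without any note on why. If either behaviour appeared in a released version, keep the history and mark the entries as superseded by the counter-mode switch instead of deleting them; if they only ever existed in unreleased code, say so in the commit message. The remaining NEWS text also does not tell the reader whether dropping the random IV changes the packet format, which matters for networks running mixed versions.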