Hi,

On Sun, Dec 18, 2016 at 05:40:55PM +0100, Steffan Karger wrote:
> Our internal options digest uses MD5 hashes to store the state, instead of
> storing the full options string. There's nothing wrong with that, but it
> would still be better to use SHA256 because:
> * That makes it easier to make OpenVPN "FIPS-compliant" (forbids MD5)
> * We don't have to explain anymore that MD5 is fine too
>
> The slightly less bytes for the digest (16 instead of 32) and operations
> per connection setup are not worth sticking to MD5.

I can't find very clear information on "which versions of OpenSSL do
support sha256", but since we have a trac ticket about our Windows builds
having issues with sha256 certificates we might take this opportunity to
revisit minimum OpenSSL versions supported in master from now on...

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel