Hi, On 18-12-16 22:26, Gert Doering wrote: > On Sun, Dec 18, 2016 at 05:40:55PM +0100, Steffan Karger wrote: >> Our internal options digest uses MD5 hashes to store the state, instead of >> storing the full options string. There's nothing wrong with that, but it >> would still be better to use SHA256 because: >> * That makes it easier to make OpenVPN "FIPS-compliant" (forbids MD5) >> * We don't have to explain anymore that MD5 is fine too >> >> The slightly less bytes for the digest (16 instead of 32) and operations >> per connection setup are not worth sticking to MD5. > > I can't find very clear information on "which versions of OpenSSL do > support sha256", but since we have a trac ticket about our windows > builds having issues with sha256 certificates we might take this > opportunity to revisit minimum OpenSSL versions supported in master > from now on...
The oldest OpenSSL we support in release/2.4 and master is 0.9.8, and has SHA256 support (was introduced in 2004). Also, the --tls-crypt feature already unconditionally requires SHA256 to be available. -Steffan
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today.http://sdm.link/intel
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
