Hi,

On 18-12-16 22:26, Gert Doering wrote:
> On Sun, Dec 18, 2016 at 05:40:55PM +0100, Steffan Karger wrote:
>> Our internal options digest uses MD5 hashes to store the state, instead of
>> storing the full options string.  There's nothing wrong with that, but it
>> would still be better to use SHA256 because:
>>  * That makes it easier to make OpenVPN "FIPS-compliant" (forbids MD5)
>>  * We don't have to explain anymore that MD5 is fine too
>>
>> The slightly less bytes for the digest (16 instead of 32) and operations
>> per connection setup are not worth sticking to MD5.
> 
> I can't find very clear information on "which versions of OpenSSL do
> support sha256", but since we have a trac ticket about our windows
> builds having issues with sha256 certificates we might take this
> opportunity to revisit minimum OpenSSL versions supported in master
> from now on...

The oldest OpenSSL we support in release/2.4 and master is 0.9.8, and
has SHA256 support (was introduced in 2004).  Also, the --tls-crypt
feature already unconditionally requires SHA256 to be available.

-Steffan

Attachment: signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/intel
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to