On 26/12/16 00:20, Steffan Karger wrote:
> Hi,
>
> On 18-12-16 22:26, Gert Doering wrote:
>> On Sun, Dec 18, 2016 at 05:40:55PM +0100, Steffan Karger wrote:
>>> Our internal options digest uses MD5 hashes to store the state, instead of
>>> storing the full options string. There's nothing wrong with that, but it
>>> would still be better to use SHA256 because:
>>> * That makes it easier to make OpenVPN "FIPS-compliant" (forbids MD5)
>>> * We don't have to explain anymore that MD5 is fine too
>>>
>>> The slightly fewer bytes for the digest (16 instead of 32) and operations
>>> per connection setup are not worth sticking to MD5.
>>
>> I can't find very clear information on "which versions of OpenSSL do
>> support sha256", but since we have a trac ticket about our windows
>> builds having issues with sha256 certificates we might take this
>> opportunity to revisit minimum OpenSSL versions supported in master
>> from now on...
>
> The oldest OpenSSL we support in release/2.4 and master is 0.9.8, and
> has SHA256 support (was introduced in 2004). Also, the --tls-crypt
> feature already unconditionally requires SHA256 to be available.
Just to confirm this is fine.

$ cat /etc/redhat-release
CentOS release 5.11 (Final)
$ rpm -q openssl
openssl-0.9.8e-40.el5_11
$ echo "test" | openssl dgst -sha256
f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2
$ echo "test" | sha256sum
f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2  -

And from the earliest openssl RPM changelog entry where 0.9.8 is mentioned, I see this:

* Wed Nov 09 2005 Tomas Mraz <tmraz(a)redhat.com> 0.9.8a-1
- new upstream version

AFAIR, we don't support any other OS or distributions with an older OpenSSL library.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
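The thread above discusses hashing the peer's options string with a digest rather than storing the string itself, and the 16-byte versus 32-byte size difference between MD5 and SHA-256. The following is an added illustration, not code from the thread or from OpenVPN itself: a hypothetical `options_digest` helper that hashes a constructed options string with a selectable algorithm, a constant-time comparison of a stored digest against freshly presented options, and a reproduction of the `echo "test" | sha256sum` check from the message above (the trailing newline that `echo` appends is what produces that particular hash). The options string and function names are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample options string; not the real OpenVPN options format.
SAMPLE_OPTIONS = "dev tun,proto udp,cipher AES-256-GCM,tls-server"


def options_digest(options: str, algo: str = "sha256") -> bytes:
    """Return the raw digest of an options string.

    Hypothetical helper for this example: the caller stores only the
    digest (16 bytes for md5, 32 for sha256) instead of the full string.
    """
    h = hashlib.new(algo)
    h.update(options.encode("utf-8"))
    return h.digest()


def options_match(stored: bytes, presented_options: str, algo: str = "sha256") -> bool:
    """Compare a stored digest against the digest of presented options.

    hmac.compare_digest avoids leaking the position of the first mismatch
    through timing, which a plain == comparison on bytes may do.
    """
    return hmac.compare_digest(stored, options_digest(presented_options, algo))


def digest_sizes() -> dict:
    """Digest lengths in bytes for the two algorithms discussed in the thread."""
    return {algo: len(options_digest(SAMPLE_OPTIONS, algo)) for algo in ("md5", "sha256")}


def sha256_of_echo_test() -> str:
    """Hex SHA-256 of the bytes that `echo "test"` emits (note the newline)."""
    return hashlib.sha256(b"test\n").hexdigest()


if __name__ == "__main__":
    stored = options_digest(SAMPLE_OPTIONS)
    print("digest sizes:", digest_sizes())
    print("same options match:", options_match(stored, SAMPLE_OPTIONS))
    print("changed options match:", options_match(stored, SAMPLE_OPTIONS.replace("udp", "tcp")))
    print("sha256 of 'test\\n':", sha256_of_echo_test())
```

Running it shows `md5` at 16 bytes and `sha256` at 32, a match for identical options and a mismatch once a single option changes, and the same hex value the `openssl dgst -sha256` and `sha256sum` commands produced above.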
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel