Hi,

On Tue, Nov 23, 2021 at 1:37 PM Lev Stipakov <lstipa...@gmail.com> wrote:
> I don't have a setup to properly test it, like actually loading the
> config - I only checked that the openvpn.exe attempted to access
> openssl.cnf at the correct location.
>
> If someone wants to test - binary artifacts could be found here:
> https://github.com/lstipakov/openvpn/actions/runs/1496114596
>
> I could also do testing if someone educates me how :)
>

Try using an openssl.cnf like the one below, which restricts signature
algorithms to some non-PSS schemes. Change that line to restrict them
further, or comment it out to use the defaults: not including PSS will
force a non-PSS signature with TLS 1.2 even with an OpenSSL 1.1.1 server,
and will break TLS 1.3 negotiation. Removing ECC signatures and using an
EC key certificate will break the connection, etc.

#
# OpenSSL configuration file to restrict sigalgs during handshake
#
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
#MinProtocol = TLSv1.2
#CipherString = DEFAULT@SECLEVEL=0
SignatureAlgorithms = RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1

# possible values
# PKCS1: rsa_pkcs1_sha256:rsa_pkcs1_sha384:rsa_pkcs1_sha512
# ECDSA: ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384:ecdsa_secp521r1_sha512
# PSS with rsa encryption public key: rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512
# EdDSA: ed25519:ed448
# PSS with PSS public key: rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512
# Legacy: rsa_pkcs1_sha1:ecdsa_sha1
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
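The reasoning in the reply above (an RSA certificate with no PSS scheme listed can still sign a TLS 1.2 handshake but cannot complete TLS 1.3; an EC certificate with no ECDSA scheme listed fails outright) can be checked against an openssl.cnf before pointing openvpn.exe at it. The script below is an added example for this thread, not OpenVPN or OpenSSL code. It reads the posted config through the same openssl_conf -> ssl_conf -> system_default chain, maps OpenSSL's ALG+HASH aliases to the IANA TLS SignatureScheme names (assumption: only the RSA and ECDSA aliases used in the posted file are handled; DSA and RSA-PSS+HASH raise), and reports, per certificate key type, whether any listed scheme may sign a CertificateVerify under TLS 1.2 and under TLS 1.3 (RFC 8446 section 4.2.3, where rsa_pkcs1_* and the SHA-1 legacy schemes are certificate-only). The embedded config text is a constructed copy of the one in the reply.

```python
"""Lint the SignatureAlgorithms line of an openssl.cnf for TLS 1.2 / 1.3 use.

Added example for the openvpn-devel thread; not OpenVPN or OpenSSL code.
"""
import re

# Constructed copy of the openssl.cnf posted in the reply above.
POSTED_CNF = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
#MinProtocol = TLSv1.2
SignatureAlgorithms = RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
"""

# RFC 8446 4.2.3: schemes allowed in a TLS 1.3 CertificateVerify, by key type.
# rsa_pkcs1_* and the SHA-1 legacy schemes are certificate-only in TLS 1.3.
TLS13_BY_KEY = {
    "RSA":     {"rsa_pss_rsae_sha256", "rsa_pss_rsae_sha384", "rsa_pss_rsae_sha512"},
    "RSA-PSS": {"rsa_pss_pss_sha256", "rsa_pss_pss_sha384", "rsa_pss_pss_sha512"},
    "EC":      {"ecdsa_secp256r1_sha256", "ecdsa_secp384r1_sha384", "ecdsa_secp521r1_sha512"},
    "ED25519": {"ed25519"},
    "ED448":   {"ed448"},
}
# TLS 1.2 additionally accepts PKCS#1 v1.5 and the SHA-1 legacy schemes.
TLS12_BY_KEY = {
    "RSA":     TLS13_BY_KEY["RSA"] | {"rsa_pkcs1_sha1", "rsa_pkcs1_sha256",
                                      "rsa_pkcs1_sha384", "rsa_pkcs1_sha512"},
    "RSA-PSS": TLS13_BY_KEY["RSA-PSS"],
    "EC":      TLS13_BY_KEY["EC"] | {"ecdsa_sha1"},
    "ED25519": TLS13_BY_KEY["ED25519"],
    "ED448":   TLS13_BY_KEY["ED448"],
}
# OpenSSL's ECDSA+SHAxxx alias is the same code point as the curve-bound TLS 1.3 name.
ECDSA_CURVE = {"SHA256": "secp256r1", "SHA384": "secp384r1", "SHA512": "secp521r1"}


def parse_cnf(text):
    """Minimal openssl.cnf reader: [sections], key = value, '#' comments."""
    sections = {"": {}}
    current = sections[""]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[\s*([^\]\s]+)\s*\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def signature_algorithms(text):
    """Return the SignatureAlgorithms value reached via the config chain, or None."""
    s = parse_cnf(text)
    app = s[""].get("openssl_conf")
    ssl = s.get(app, {}).get("ssl_conf")
    sysdef = s.get(ssl, {}).get("system_default")
    return s.get(sysdef, {}).get("SignatureAlgorithms")


def to_iana(token):
    """Map one OpenSSL sigalg token to its IANA TLS SignatureScheme name."""
    token = token.strip()
    if "+" not in token:
        return token.lower()            # already a TLS 1.3 style name
    alg, hsh = token.upper().split("+", 1)
    if alg == "RSA":
        return "rsa_pkcs1_" + hsh.lower()
    if alg == "ECDSA":
        return "ecdsa_sha1" if hsh == "SHA1" else f"ecdsa_{ECDSA_CURVE[hsh]}_{hsh.lower()}"
    raise ValueError(f"unhandled alias {token!r}")   # assumption: DSA, RSA-PSS+... not mapped


def assess(sigalg_value):
    """Per key type: can the listed schemes sign a CertificateVerify in TLS 1.2 / 1.3?"""
    schemes = {to_iana(t) for t in sigalg_value.split(":") if t.strip()}
    report = {key: {"tls12": bool(schemes & TLS12_BY_KEY[key]),
                    "tls13": bool(schemes & TLS13_BY_KEY[key])}
              for key in TLS13_BY_KEY}
    return schemes, report


if __name__ == "__main__":
    schemes, report = assess(signature_algorithms(POSTED_CNF))
    print("schemes:", ", ".join(sorted(schemes)))
    for key, ok in report.items():
        print(f"{key:8} TLS1.2={'ok' if ok['tls12'] else 'NO'}  "
              f"TLS1.3={'ok' if ok['tls13'] else 'NO'}")
```

Run it against the posted file and the RSA row comes out TLS1.2=ok, TLS1.3=NO, which is the failure the reply predicts for an RSA server certificate; add rsa_pss_rsae_sha256 to the line and the row flips. The linter only reasons about the list; the authoritative check is still the real handshake (for example `openssl s_client` with OPENSSL_CONF pointing at the file), since OpenSSL also filters by the certificate's key and by security level.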