Thanks,

I tried this one and client wasn't able to connect:

    OpenSSL: error:14201076:SSL routines:tls_choose_sigalg:no suitable signature algorithm

So it looks like config loading works.

The binaries for V4 could be found here:
https://github.com/lstipakov/openvpn/actions/runs/1496339867

ti 23. marrask. 2021 klo 20.58 Selva Nair (selva.n...@gmail.com) kirjoitti:
>
> Hi,
>
> On Tue, Nov 23, 2021 at 1:37 PM Lev Stipakov <lstipa...@gmail.com> wrote:
>>
>> I don't have a setup to properly test it, like actually loading the
>> config - I only checked that the openvpn.exe attempted to access
>> openssl.cnf at the correct location.
>>
>> If someone wants to test - binary artifacts could be found here:
>> https://github.com/lstipakov/openvpn/actions/runs/1496114596
>>
>>
>>
>> I could also do testing if someone educates me how :)
>
>
> Try using an openssl.cnf like the one below which restricts signature
> algorithms to some non-PSS schemes. Change that line to restrict them
> further or comment out to use defaults: not including PSS will force non-PSS
> signature with TLS 1.2 even with OpenSSL 1.1.1 server. And will break TLS 1.3
> negotiation. Removing ECC signatures and using an EC key certificate will
> break the connection etc.
>
> #
> # OpenSSL configuration file to restrict sigalgs during handshake
> #
> openssl_conf = default_conf
>
> [default_conf]
> ssl_conf = ssl_sect
>
> [ssl_sect]
> system_default = system_default_sect
>
> [system_default_sect]
> #MinProtocol = TLSv1.2
> #CipherString = DEFAULT@SECLEVEL=0
> SignatureAlgorithms = RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
> # possible values
> # PKCS1:  rsa_pkcs1_sha256:rsa_pkcs1_sha384:rsa_pkcs1_sha512
> # ECDSA: ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384:ecdsa_secp521r1_sha512
> # PSS with rsa encryption public key: rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512
> # EdDSA: ed25519:ed448
> # PSS with PSS public key: rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512
> # Legacy: rsa_pkcs1_sha1:ecdsa_sha1



-- 
-Lev
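As an added illustration of the reasoning in Selva's quoted mail (not code from this thread, from OpenVPN or from OpenSSL), the script below parses an openssl.cnf of the shape shown above, follows `openssl_conf` -> `ssl_conf` -> `system_default` to the section holding `SignatureAlgorithms`, and predicts what the restriction does to a handshake: an RSA certificate cannot be used with TLS 1.3 unless an `rsa_pss_rsae_*` scheme is allowed, an EC certificate needs an `ecdsa_*` scheme, and `*_sha1` entries keep legacy signatures reachable. The sample config is the one from the mail with its `SignatureAlgorithms` value on a single line (the mail client wrapped it); the mapping from OpenSSL's `RSA+SHA256` / `RSA-PSS+SHA256` shorthand to TLS 1.3 scheme names is an assumption based on the comment block in the mail, not something verified against OpenSSL's source.

```python
"""Lint the SignatureAlgorithms line of an openssl.cnf and predict its handshake impact.

Added example; it reads the config text only and never talks to OpenSSL itself.
"""

# Constructed sample: the restricting config from the thread, value on one line.
SAMPLE_CNF = """\
#
# OpenSSL configuration file to restrict sigalgs during handshake
#
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
#MinProtocol = TLSv1.2
#CipherString = DEFAULT@SECLEVEL=0
SignatureAlgorithms = RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
"""

# Assumed mapping from OpenSSL shorthand to TLS 1.3 SignatureScheme names, built
# from the "possible values" comment in the mail; entries already written as
# scheme names (rsa_pss_pss_sha256, ed25519, ...) pass through unchanged.
SHORTHAND = {
    "RSA+SHA256": "rsa_pkcs1_sha256",
    "RSA+SHA384": "rsa_pkcs1_sha384",
    "RSA+SHA512": "rsa_pkcs1_sha512",
    "RSA-PSS+SHA256": "rsa_pss_rsae_sha256",
    "RSA-PSS+SHA384": "rsa_pss_rsae_sha384",
    "RSA-PSS+SHA512": "rsa_pss_rsae_sha512",
    "ECDSA+SHA256": "ecdsa_secp256r1_sha256",
    "ECDSA+SHA384": "ecdsa_secp384r1_sha384",
    "ECDSA+SHA512": "ecdsa_secp521r1_sha512",
    "RSA+SHA1": "rsa_pkcs1_sha1",
    "ECDSA+SHA1": "ecdsa_sha1",
}


def parse_openssl_cnf(text):
    """Minimal parser for OpenSSL's INI-like format: {section: {key: value}}.

    Keys before the first [section] header land in the "" (default) section.
    '#' starts a comment; a trailing backslash continues the line.
    """
    sections = {"": {}}
    current = ""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.split("#", 1)[0].strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def resolve_ssl_section(cfg):
    """Follow openssl_conf -> ssl_conf -> system_default to the SSL_CONF section."""
    top = cfg[""].get("openssl_conf", "")
    ssl_sect = cfg.get(top, {}).get("ssl_conf", "")
    sysdef = cfg.get(ssl_sect, {}).get("system_default", "")
    return cfg.get(sysdef, {})


def signature_schemes(cfg):
    """Configured sigalgs as TLS scheme names; empty list means OpenSSL defaults apply."""
    value = resolve_ssl_section(cfg).get("SignatureAlgorithms", "")
    return [SHORTHAND.get(item, item.lower()) for item in value.split(":") if item]


def assess(schemes):
    """Predict the handshake consequences the mail describes for a given sigalg list."""
    return {
        "default_used": not schemes,
        # RFC 8446: RSA signatures in TLS 1.3 must use RSASSA-PSS (rsa_pss_rsae_* for
        # an rsaEncryption key), so omitting them breaks TLS 1.3 with an RSA cert.
        "tls13_rsa_cert_ok": any(s.startswith("rsa_pss_rsae_") for s in schemes),
        "rsa_pss_key_ok": any(s.startswith("rsa_pss_pss_") for s in schemes),
        # Dropping every ECDSA scheme breaks a server or client using an EC key cert.
        "ecdsa_cert_ok": any(s.startswith("ecdsa_") for s in schemes),
        "legacy_sha1_allowed": any(s.endswith("_sha1") for s in schemes),
    }


def lint(text):
    """Convenience wrapper: config text in, assessment dict out."""
    return assess(signature_schemes(parse_openssl_cnf(text)))


if __name__ == "__main__":
    for key, val in lint(SAMPLE_CNF).items():
        print(f"{key}: {val}")
```

Run against the sample, the lint reports that TLS 1.3 with an RSA certificate is not possible (no PSS scheme), ECDSA certificates still work, and SHA-1 signatures remain allowed, which matches the behaviour Selva predicts for this file. Adding `RSA-PSS+SHA256` to the list flips the TLS 1.3 verdict; commenting the line out returns to OpenSSL defaults.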


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
