Hi,

On Thu, Jan 20, 2022 at 11:32:40AM -0500, Selva Nair wrote:
> On Thu, Jan 20, 2022 at 10:18 AM Gert Doering <[email protected]> wrote:
>
> > Compile and client tested on 1.1.1 and 3.0.1.
> >
> > Glancing at the code related to management_external_key() does
> > not make me very happy... too many build time variants.
>
> "Happiness" is never a word that comes to mind while reading OpenVPN code :)
> ...

Oh, some of the code paths are really nice these days :-) - but the
#ifdef maze regarding SSL libraries / crypto features is getting truly
annoying.
> Even at our snail's pace, 2.7 may be out before we can break free of
> OpenSSL 1, LibreSSL xyz etc. An option may be to require OpenSSL 3+ or
> similar for external keys, or at least for management-external-key.
>
> That feature is really used by only a few platforms (only Android for
> now?).
That was my idea - since only Windows and Android use the "xkey" code
paths today (as far as I understand), make 3.0.1 a hard requirement
for Windows and Android, and disable --management-external-key for
older SSL builds. Maybe this is a bit too drastic, but it would
reduce code paths to be maintained and tested quite a bit.
For Windows and Android, we bundle the SSL library to be used anyway,
so we do not need to care what the OS might bring along.
> Although it's a nifty option that could potentially be leveraged to
> remove pkcs11-helper, CNG etc out of OpenVPN core.
Whatever reduces #ifdef and library dependencies :-)
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
