On Thu, Sep 28, 2023 at 8:55 PM Arne Schwabe <a...@rfc2549.org> wrote:
> On 29.09.2023 at 01:08, mike tancsa wrote:
> > Hi Selva,
> >
> > Thank you for looking!
> >
> > > My guess is that something in the certificate or private key is not to
> > > OpenSSL 3.1's liking and it rejects it. Is there any way for you to check the
> > > contents of the token independently using a tool linked against OpenSSL 3.1?
> >
> > What am I looking for in that case? Taking a look at the cert just with
> > openssl 3.0 on FreeBSD releng14 it seems ok with it. Same with the Windows
> > version 3.1.x that comes with OpenVPN. Is it possible it doesn't like the
> > sha1RSA sig?
>
> OpenSSL 3.0 has security 1 by default (OpenSSL 3.1 has 2 by default) and
> that does not allow SHA1 signatures anymore. See
> https://www.openssl.org/docs/man3.1/man3/SSL_CTX_set_security_level.html

Good point. But, unless the config has "tls-cert-profile foo", we still default to legacy and call SSL_CTX_set_security_level(ctx, 1), isn't it? Wouldn't that allow SHA1 with 3.1.x?

Selva
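The thread turns on which signature algorithm the certificate actually carries (Mike's "sha1RSA" suspicion) and whether the OpenSSL security level in use rejects it. The script below is an added example, not code from this thread, from OpenVPN or from OpenSSL: it walks the outer DER structure of a certificate (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }) with a minimal stand-alone DER reader and reports the signatureAlgorithm OID, which is the second "Signature Algorithm:" line in `openssl x509 -text` output and the field a SHA1 rejection is about. It needs no OpenSSL at all, so it can be run on the exported certificate regardless of which OpenSSL version a given openvpn binary is linked against. The sample "certificates" are constructed in the file with a dummy tbsCertificate; the OID table and the weak-digest set are this example's own choices.

```python
import base64
import re

# Signature OIDs commonly seen in certificates, mapped to (name, digest).
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA256"),
}
WEAK_DIGESTS = {"MD5", "SHA1"}  # the digests this thread is about


def read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos].

    Returns (tag, value_start, value_end); value_end is also the offset of
    the next element. DER only uses definite-length encodings.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def decode_oid(raw):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]     # first byte packs the first two arcs
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem):
    """Strip the -----BEGIN/END----- armour and base64-decode the body."""
    body = re.sub(rb"-----[^-]+-----", b"", pem)
    return base64.b64decode(b"".join(body.split()))


def signature_algorithm(cert):
    """Return {"oid", "name", "digest"} for a DER- or PEM-encoded certificate."""
    der = pem_to_der(cert) if cert.lstrip().startswith(b"-----") else cert
    tag, pos, _ = read_tlv(der, 0)                      # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(der, pos)                      # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, pos)                # signatureAlgorithm
    tag, oid_start, oid_end = read_tlv(der, alg_start)  # its algorithm OID
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = decode_oid(der[oid_start:oid_end])
    name, digest = SIG_OIDS.get(oid, (oid, "unknown"))
    return {"oid": oid, "name": name, "digest": digest}


def uses_weak_digest(cert):
    """True when the certificate's own signature uses MD5 or SHA1."""
    return signature_algorithm(cert)["digest"] in WEAK_DIGESTS


# --- constructed sample input (not a real certificate) ----------------------
def _der(tag, content):
    """Encode one TLV (short form and two-byte long form suffice here)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def make_sample_cert(sig_oid_hex):
    """Outer Certificate shape around a placeholder tbsCertificate.

    The tbsCertificate body does not matter for locating the outer
    signatureAlgorithm, so it is a dummy SEQUENCE { INTEGER 1 }.
    """
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\x00" * 32)   # BIT STRING, 0 unused bits
    return _der(0x30, tbs + alg + sig)


def der_to_pem(der_bytes):
    b64 = base64.encodebytes(der_bytes).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n").encode()


SAMPLE_SHA1_CERT = make_sample_cert("2a864886f70d010105")    # sha1WithRSAEncryption
SAMPLE_SHA256_CERT = make_sample_cert("2a864886f70d01010b")  # sha256WithRSAEncryption

if __name__ == "__main__":
    for label, cert in (("sha1 sample", SAMPLE_SHA1_CERT),
                        ("sha256 sample", der_to_pem(SAMPLE_SHA256_CERT))):
        info = signature_algorithm(cert)
        print(f"{label}: {info['name']} (digest {info['digest']}, "
              f"weak={uses_weak_digest(cert)})")
```

To use it on a real certificate, read the PEM or DER file as bytes and pass it to signature_algorithm(); a SHA1 result for a leaf or intermediate is the case that the security-level discussion above applies to, and a re-issue with SHA256 is the fix rather than lowering the level.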
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel