On 29.09.23 at 03:25, Selva Nair wrote:
> On Thu, Sep 28, 2023 at 8:55 PM Arne Schwabe <a...@rfc2549.org> wrote:
>> On 29.09.2023 at 01:08, mike tancsa wrote:
>>> Hi Selva,
>>> Thank you for looking!
>>>> My guess is that something in the certificate or private key is not to
>>>> OpenSSL 3.1's liking and it rejects it. Is there any way for you to check
>>>> the contents of the token independently using a tool linked against
>>>> OpenSSL 3.1?
>>> What am I looking for in that case? Taking a look at the cert just with
>>> openssl 3.0 on FreeBSD releng14 it seems ok with it. Same with the Windows
>>> version 3.1.x that comes with OpenVPN. Is it possible it doesn't like the
>>> sha1RSA sig?
>> OpenSSL 3.0 has security 1 by default (OpenSSL 3.1 has 2 by default) and
>> that does not allow SHA1 signatures anymore. See
>> https://www.openssl.org/docs/man3.1/man3/SSL_CTX_set_security_level.html
> Good point. But, unless the config has "tls-cert-profile foo", we still
> default to legacy and call SSL_CTX_set_security_level(ctx, 1), isn't it?
> Wouldn't that allow SHA1 with 3.1.x?

For SHA1 you need security 0 aka tls-cert-profile insecure.

But we might update OpenVPN to no longer fiddle with the default security
level in OpenSSL 3+ to avoid downgrading security from 2 to 1 on OpenSSL 3.1.

Arne
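The independent check Selva asks for above, as an added example that is not from the thread or from OpenVPN: a dependency-free Python script that reads the outer signatureAlgorithm of a PEM or DER certificate and flags SHA1-based signatures, which per Arne's reply only pass at OpenSSL security level 0 (tls-cert-profile insecure). The OID table, the function names and the constructed certificate skeleton used for testing are assumptions, not material from the thread.

```python
"""Report an X.509 certificate's signature algorithm and whether it is SHA1-based,
i.e. accepted only at OpenSSL security level 0 (OpenVPN 'tls-cert-profile insecure')."""
import base64
import re

SIG_OIDS = {  # assumed from RFC 3279/4055; the thread itself only names "sha1RSA"
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(value):
    """Decode DER OBJECT IDENTIFIER contents into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:  # base-128 arcs; a set high bit means continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert):
    """Return (dotted OID, name) of the outer signatureAlgorithm of a PEM or DER cert."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        cert = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", cert))
    tag, pos, _ = _tlv(cert, 0)  # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos = _tlv(cert, pos)  # tbsCertificate: skip over it
    _, pos, _ = _tlv(cert, pos)  # signatureAlgorithm ::= SEQUENCE { OID, params }
    tag, start, end = _tlv(cert, pos)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    dotted = _oid(cert[start:end])
    return dotted, SIG_OIDS.get(dotted, "unknown")

def needs_insecure_profile(cert):
    """True when the signature hash is SHA1, which OpenSSL 3.x rejects above level 0."""
    return "sha1" in signature_algorithm(cert)[1].lower()

def constructed_cert(oid_der):
    """Constructed DER skeleton (not a real cert): dummy tbs and signature around oid_der."""
    alg = b"\x30" + bytes([len(oid_der) + 2]) + oid_der + b"\x05\x00"
    body = b"\x30\x03\x02\x01\x02" + alg + b"\x03\x02\x00\xff"
    return b"\x30" + bytes([len(body)]) + body

SHA1_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"    # 1.2.840.113549.1.1.5
SHA256_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11
```

Running `signature_algorithm` over a real certificate exported from the token (or `open("cert.pem", "rb").read()`) tells you whether the SHA1 signature is what a level-1 or level-2 OpenSSL is rejecting, without needing an OpenSSL 3.1 build at hand.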
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel