> > Good point. But, unless the config has "tls-cert-profile foo", we still
> > default to legacy and call SSL_CTX_set_security_level(ctx, 1), isn't it?
> > Wouldn't that allow SHA1 with 3.1.x ?
>
> For SHA1 you need security 0 aka tls-cert-profile insecure.
>
> But we might update OpenVPN to no longer fiddle with the default security
> level in OpenSSL 3+ to avoid downgrading security from 2 to 1 on OpenSSL
> 3.1
>
Even OpenSSL 3.0 is built with -DOPENSSL_TLS_SECURITY_LEVEL=2 in Debian and
Ubuntu packages (and likely other distributions). Looks like a good idea to
stop overriding it by default.

We could also improve logging when SSL_CTX_set_certificate and similar fail
by printing the OpenSSL error queue.

Selva
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel