Attention is currently required from: flichtenheld, plaisthos.

mandree has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1172?usp=email )

Change subject: Switch test_ssl certificate from RSA 2048 to secp384r1

Patch Set 2: Code-Review+1

(1 comment)

Patchset:

PS2:
On my FreeBSD 14.3-RELEASE-p2 amd64, with OpenSSL 3.5 installed from ports, the self-test suite, in particular ssl_testdriver, now passes with openssl.cnf raising the ciphersuite to SECLEVEL=3 or SECLEVEL=4, but SECLEVEL=5 still bombs out with "ee key too small".

So: ACK because it's an improvement.

Not sure if the purpose of the test is "test that our own TLS stuff works", or by contrast "test that the system's default OpenSSL setting works". In the former case, it might be suitable to ship an openssl.cnf for the test that gets us a defined environment, or maybe run the test twice, once with system default settings and once with an override to see if _today's_ zealous SECLEVEL is it. Of course the operating system or OpenSSL distro might kill our favorite cipher altogether, in which case we're dead unless we override - but then the isolated test case bears no relevance for practical applicability of its results.

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1172?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I327ecc9a85dd906517c28e71fe500883bfa028a4
Gerrit-Change-Number: 1172
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos <arne-open...@rfc2549.org>
Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com>
Gerrit-Reviewer: mandree <matthias.and...@gmx.de>
Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Gerrit-Attention: plaisthos <arne-open...@rfc2549.org>
Gerrit-Attention: flichtenheld <fr...@lichtenheld.com>
Gerrit-Comment-Date: Mon, 08 Sep 2025 18:15:43 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment