Hi,

On Thu, Apr 15, 2021 at 1:46 PM mike tancsa <m...@sentex.net> wrote:
>
> On 4/14/2021 8:23 PM, Selva Nair wrote:
> >
> > You can restrict TLS version using the option --tls-version-min in
> > OpenVPN config file, but restricting to TLS 1.2 is not enough with
> > OpenSSL 1.1.1. It defaults to PSS for both TLS 1.2 and 1.3.
> >
> > Rather than building your own OpenSSL, a much simpler option would be
> > to make an openssl.cnf file and restrict signature algorithms. See my
> > comment on the trac ticket link I posted in my previous reply.
>
> Thanks, still no luck just yet getting things to work using the .cnf
> file. Not sure why it's not picking up the pointer properly. I will
> keep trying.

You can privately email me the OpenSSL config file you are using, and I can take a look.

>
> Another thing I am not clear on, is where the cert signature type is set
> / required. I am guessing the entire chain needs to be at least SHA256,
> right? PKI's CA CRT, CSR, signed CRT?

We are referring to the signature algorithm set in the ClientHello during the TLS handshake. OpenSSL 1.1.1 will include rsa_pss_pss_sha256 and similar as supported algorithms in the signature_algorithms extension of the ClientHello. This is true even if you choose TLS 1.2. The idea of editing openssl.cnf is to remove PSS schemes from that list.

>
> Also, I was playing around creating a default CA from scratch using
> easy-rsa. It by default generates a CA cert as so

Recreating certificates will not make any difference.

Selva

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
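An openssl.cnf of the kind Selva describes, added here as an illustration rather than taken from the thread or from any file the participants exchanged. It assumes OpenSSL 1.1.1 auto-loads the file named by the OPENSSL_CONF environment variable when OpenVPN initialises libssl, and that the section names (openssl_init, ssl_sect, system_default_sect) are free to choose; the OpenSSL keywords themselves (openssl_conf, ssl_conf, system_default, MinProtocol, MaxProtocol, SignatureAlgorithms) are the documented ones.

```ini
# Point OpenVPN at this file before starting it, e.g.
#   OPENSSL_CONF=/etc/openvpn/openssl-nopss.cnf openvpn --config client.ovpn
# (path and file name are placeholders)

# Top-level key OpenSSL looks up when an application loads its config
openssl_conf = openssl_init

[openssl_init]
# Hand the libssl settings to the ssl_conf section below
ssl_conf = ssl_sect

[ssl_sect]
# Applied to every SSL_CTX the application creates (system default)
system_default = system_default_sect

[system_default_sect]
# Keep TLS 1.2 only: TLS 1.3 mandates PSS for RSA signatures, so with
# PSS removed below a TLS 1.3 handshake using RSA certificates cannot
# complete. Pair this with --tls-version-min 1.2 in the OpenVPN config.
MinProtocol = TLSv1.2
MaxProtocol = TLSv1.2

# Advertise only PKCS#1 v1.5 RSA and ECDSA schemes in signature_algorithms.
# Listing them explicitly drops rsa_pss_rsae_* and rsa_pss_pss_* from the
# ClientHello, which is the change Selva describes.
SignatureAlgorithms = RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512
```

The lists are ordered by preference, so the first common entry with the peer is the one used; a peer that only accepts PSS will fail the handshake rather than silently fall back.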