On 17/10/2025 11:26, Gert Doering wrote:
> Hi,
> 
> On Fri, Oct 17, 2025 at 11:19:48AM +0200, Simon Matter wrote:
>> Looks like "update-crypto-policies --set LEGACY" did the trick to make it
>> work. At least this makes the errors go away in a test setup. I'll soon do
>> it on a production system.
> 
> Ah, Redhat...  "why should we leave decisions to software when we can
> annoy everybody with a global setting".
> 
> (I'm not exactly sure how these crypto policies work, but they seem to
> override the application's request to get "--tls-cert-profile insecure")
> 
> thanks for reporting back the solution ;-)

For the RPM packaging in Fedora, EPEL and Copr repos, we apply a patch [1],
which is required [2].

[1]
<https://src.fedoraproject.org/rpms/openvpn/blob/rawhide/f/fedora-crypto-policy-compliance.patch>
[2]
<https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/>

The goal here is to have a system-wide setting for enforcing stricter
crypto settings.  This has ties to requirements from enterprise
customers of RHEL, where there has been a request to centrally manage
this.  And that's happening by pushing out settings to files in
/etc/crypto-policies/, via whatever tools the enterprise prefers
(ansible, puppet, chef, etc).  Since Fedora is the "development branch"
of RHEL, that's how those are related.

These crypto policies cover everything across multiple SSL/TLS
libraries (openssl, nss, gnutls) as well as many security relevant
services and software stacks (krb5, java, libreswan, openssh, libssh).

The OpenSSL settings for the DEFAULT profile are:

# cat /usr/share/crypto-policies/DEFAULT/openssl.txt
@SECLEVEL=2:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-kRSA \
    :-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL    \
    :!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8


-- 
kind regards,

David Sommerseth
OpenVPN Inc
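To see what the DEFAULT openssl.txt quoted above actually imposes (the security level, which keywords are excluded permanently with "!" and which are only removed with "-"), here is a small parser for that cipher-string format. This is an added example, not code from the mail or from the crypto-policies project; the token semantics it implements ("!" permanent, "-" re-addable, "+" moved to the end) are OpenSSL's cipher-list rules, and the function names are my own.

```python
from typing import List, Optional
from dataclasses import dataclass, field

# Constructed copy of the DEFAULT policy string quoted in the mail, kept
# with its shell-style "\" line continuations so the parser handles them.
DEFAULT_OPENSSL_TXT = r"""@SECLEVEL=2:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-kRSA \
    :-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL    \
    :!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8"""

@dataclass
class CipherPolicy:
    seclevel: Optional[int] = None
    enabled: List[str] = field(default_factory=list)     # plain token: added
    removed: List[str] = field(default_factory=list)     # "-X": may be re-added later
    killed: List[str] = field(default_factory=list)      # "!X": excluded permanently
    moved_last: List[str] = field(default_factory=list)  # "+X": moved to end of list

def parse_cipher_policy(text: str) -> CipherPolicy:
    """Split an OpenSSL cipher string into its SECLEVEL and token classes."""
    joined = text.replace("\\\n", "")  # drop backslash-newline continuations
    policy = CipherPolicy()
    for raw in joined.split(":"):
        token = raw.strip()
        if not token:
            continue  # empty field where a continued line starts with ":"
        if token.startswith("@SECLEVEL="):
            policy.seclevel = int(token.split("=", 1)[1])
        elif token.startswith("!"):
            policy.killed.append(token[1:])
        elif token.startswith("-"):
            policy.removed.append(token[1:])
        elif token.startswith("+"):
            policy.moved_last.append(token[1:])
        else:
            policy.enabled.append(token)
    return policy

def cipher_status(policy: CipherPolicy, name: str) -> str:
    """Classify one cipher-string keyword under the parsed policy."""
    if name in policy.killed:
        return "killed"      # "!": nothing later in the string can re-enable it
    if name in policy.removed:
        return "removed"     # "-": gone unless a later token adds it back
    if name in policy.enabled or name in policy.moved_last:
        return "enabled"
    return "not mentioned"   # left to OpenSSL's built-in default list

if __name__ == "__main__":
    p = parse_cipher_policy(DEFAULT_OPENSSL_TXT)
    for kw in ("kRSA", "3DES", "RC4", "MD5", "kEECDH"):
        print(f"SECLEVEL={p.seclevel} {kw:8} {cipher_status(p, kw)}")
```

Pointing parse_cipher_policy() at the other profile files under /usr/share/crypto-policies/ shows directly which keywords a profile switch such as LEGACY changes relative to DEFAULT.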



_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users