On 20/10/2025 14:03, David Sommerseth via Openvpn-users wrote:
> On 17/10/2025 11:26, Gert Doering wrote:
>> Hi,
>>
>> On Fri, Oct 17, 2025 at 11:19:48AM +0200, Simon Matter wrote:
>>> Looks like "update-crypto-policies --set LEGACY" did the trick to make it
>>> work. At least this makes the errors go away in a test setup. I'll soon do
>>> it on a production system.
>>
>> Ah, Redhat... "why should we leave decisions to software when we can
>> annoy everybody with a global setting".
>>
>> (I'm not exactly sure how these crypto policies work, but they seem to
>> override the application's request to get "--tls-cert-profile insecure")
>>
>> thanks for reporting back the solution ;-)
>
> For the RPM packaging in Fedora, EPEL and Copr repos, we apply a patch
> which is required [2].
>
> [1]
> <https://src.fedoraproject.org/rpms/openvpn/blob/rawhide/f/fedora-crypto-policy-compliance.patch>
> [2]
> <https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/>
>
> The goal here is to have a system-wide setting for enforcing stricter
> crypto settings. This has ties to requirements from enterprise
> customers of RHEL, where there have been requests to centrally manage
> this. And that's happening by pushing out settings to files in
> /etc/crypto-policies/, via whatever tools the enterprise prefers
> (ansible, puppet, chef, etc). Since Fedora is the "development branch"
> of RHEL, that's how those are related.
>
> These crypto policies cover everything across multiple SSL/TLS
> libraries (openssl, nss, gnutls) as well as many security relevant
> services and software stacks (krb5, java, libreswan, openssh, libssh).
>
> The OpenSSL settings for the DEFAULT profile are:
>
> # cat /usr/share/crypto-policies/DEFAULT/openssl.txt
> @SECLEVEL=2:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-kRSA \
> :-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL \
> :!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
JFTR, the LEGACY profile for OpenSSL is:
# cat /usr/share/crypto-policies/LEGACY/openssl.txt
@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK \
:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL \
:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
The difference is the addition of `kRSA` in the LEGACY profile.
--
kind regards,
David Sommerseth
OpenVPN Inc
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
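An added example, not from this thread and not code of the OpenVPN or Fedora projects: a small Python parser for the OpenSSL cipher-list syntax that the crypto-policies openssl.txt files use, with the DEFAULT and LEGACY strings quoted in the mail embedded as constructed input. It compares two policies at keyword level using the operator rules from ciphers(1): a bare keyword adds a group, `-` removes it (a later bare keyword can re-add it), `!` removes it permanently, and `@` introduces a directive such as `@SECLEVEL`. It does not expand aliases such as `kEECDH` into individual cipher suites; for that, run `openssl ciphers -v` against the policy string on the host itself. The function and constant names are this example's own.

```python
# Added example: parse OpenSSL cipher-list strings such as those in
# /usr/share/crypto-policies/<PROFILE>/openssl.txt and show how two
# profiles differ. Policy strings below are the ones quoted in the thread
# (line continuations joined); everything else is constructed here.

import re

DEFAULT_POLICY = (
    "@SECLEVEL=2:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-kRSA"
    ":-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL"
    ":!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8"
)
LEGACY_POLICY = (
    "@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK"
    ":-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL"
    ":!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8"
)

TOKEN_RE = re.compile(r"([-!+]?)([A-Za-z0-9_]+)")


def parse_cipher_list(policy: str):
    """Return (directives, terms).

    directives: dict of @NAME=value entries, e.g. {"SECLEVEL": "2"}.
    terms: keyword -> final state after applying the operators in order:
      "enabled"  - added with a bare keyword and not removed afterwards
      "removed"  - deleted with "-" (may be re-added by a later bare keyword)
      "killed"   - deleted with "!" (permanent; later additions are ignored)
    """
    directives = {}
    terms = {}
    for raw in policy.split(":"):
        token = raw.strip()
        if not token:
            continue  # tolerate a leading ":" left over from line continuations
        if token.startswith("@"):
            name, _, value = token[1:].partition("=")
            directives[name] = value
            continue
        m = TOKEN_RE.fullmatch(token)
        if not m:
            raise ValueError(f"unrecognised cipher-list token: {token!r}")
        op, keyword = m.groups()
        if op == "!":
            terms[keyword] = "killed"
        elif terms.get(keyword) == "killed":
            continue  # "!" is final: "-", "+" and re-adding have no effect
        elif op == "-":
            terms[keyword] = "removed"
        elif op == "":
            terms[keyword] = "enabled"
        # "+" only reorders; it does not change whether a group is allowed
    return directives, terms


def allows_keyword(policy: str, keyword: str) -> bool:
    """True if the keyword ends up enabled (neither removed nor killed)."""
    _, terms = parse_cipher_list(policy)
    return terms.get(keyword) == "enabled"


def diff_policies(a: str, b: str):
    """Map each directive or keyword whose state differs to (state in a, state in b)."""
    da, ta = parse_cipher_list(a)
    db, tb = parse_cipher_list(b)
    out = {}
    for name in sorted(set(da) | set(db)):
        if da.get(name) != db.get(name):
            out["@" + name] = (da.get(name), db.get(name))
    for kw in sorted(set(ta) | set(tb)):
        if ta.get(kw) != tb.get(kw):
            out[kw] = (ta.get(kw), tb.get(kw))
    return out


if __name__ == "__main__":
    for kw, (in_default, in_legacy) in diff_policies(DEFAULT_POLICY, LEGACY_POLICY).items():
        print(f"{kw}: DEFAULT={in_default} LEGACY={in_legacy}")
```

Running it prints a single line for `kRSA`, the only keyword whose state differs between the two profiles (removed in DEFAULT, enabled in LEGACY), which is the change that re-enables static RSA key exchange. The same parser can be pointed at the file actually deployed under /etc/crypto-policies/back-ends/ to confirm what the host enforces rather than what a configuration tool was told to push.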