From: Selva Nair
When username-as-common-name is in effect, the common_name
is "CN" from the certificate for auth-user-pass-verify. It gets
changed to "username" after successful authentication. This
changed value gets into the env when client-connect script is
called.
However, "common_name" goe
Hi
> No. I am actually against loading legacy on demand or loading the
> default provider if --provider is not specified. Often there are system
> wide security defaults in place and I don't think OpenVPN should
> override them unless explicitly instructed to do so.
>
Okay, that adds some clarity :
Looks reasonable, passes client side tests (with 1.1.1 only, lazy) :-)
It might bite us for NTLM (as I see it's used there as well, and that
is the only place where we really continue to need DES). Seems I need
to set up an NTLM proxy auth environment to test this...
Your patch has been applied t
On 19/10/2021 20:31, Arne Schwabe wrote:
This code mainly sets the parity bits in the DES keys. As mbed TLS and
OpenSSL already ignore these bits in the DES key and since DES is
deprecated, remove this special DES code that is not even needed by
the libraries.
Signed-off-by: Arne Schwabe
Acke
>
> IMO, this idea that OpenSSL folks have that just adding a "fips=yes"
> plus a few lines in the config can make the application FIPS enabled is
> far-fetched. In reality OpenVPN will have to be recompiled with some
> changes to make it FIPS compliant. At that point one can also change
> what pr