Re: [Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?

2023-09-29 Thread Selva Nair
> > Good point. But, unless the config has "tls-cert-profile foo", we still
> > default to legacy and call SSL_CTX_set_security_level(ctx, 1), isn't it?
> > Wouldn't that allow SHA1 with 3.1.x ?
>
> For SHA1 you need security 0 aka tls-cert-profile insecure.
>
> But we might update OpenVPN to

Re: [Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?

2023-09-29 Thread mike tancsa
On 9/28/2023 9:55 PM, Selva Nair wrote: Hi Mike I misunderstood Arne's comment. We default to security level 1 but that forbids SHA1 signatures in OpenSSL 3.0+. Could you test with "tls-cert-profile Insecure" in the config file? It's not recommended but useful to check. Thanks! That allows

Re: [Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?

2023-09-29 Thread Arne Schwabe
On 29.09.23 at 03:25, Selva Nair wrote: On Thu, Sep 28, 2023 at 8:55 PM Arne Schwabe wrote: On 29.09.2023 at 01:08, mike tancsa wrote: Hi Selva, Thank you for looking! My guess is that something in the certificate or private key is n