Re: [Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?

2023-09-29 Thread mike tancsa
On 9/28/2023 9:55 PM, Selva Nair wrote: Hi Mike I misunderstood Arne's comment. We default to security level 1 but that forbids SHA1 signatures in OpenSSL 3.0+. Could you test with "tls-cert-profile Insecure" in the config file? It's not recommended but useful to check. Thanks! That

Re: [Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?

2023-09-28 Thread mike tancsa
Hi Selva, Thank you for looking! My guess is that something in the certificate or private key is not to OpenSSL 3.1's liking and it rejects it. Is there any way for you to check the contents of the token independently using a tool linked against OpenSSL 3.1 ? What am I looking for in

[Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?

2023-09-28 Thread mike tancsa
I am starting to test out 2.6.6 with a config that worked in 2.5.4 but am getting a failure on connect. I did have a look through the Changes.rst file but didn't see anything different ? The only pkcs11 bits I have in the config are pkcs11-providers eTpkcs11.dll pkcs11-id

Re: [Openvpn-devel] Adding RSA-PSS support in pkcs11-helper

2021-07-30 Thread mike tancsa
Hi, Thanks, I finally got around to testing this with the current version of OpenVPN from git and it works great on my Aladdin/SafeNet/Gemalto/Thales token (model 510x). Would be great if this was part of the default build/distribution. I can now get TLS1.3 working using the pkcs11 interface.

Re: [Openvpn-devel] [PATCH v2] Allow PKCS#11 uri to be used as --cert and --key file names

2021-07-27 Thread mike tancsa
That would be VERY handy to have for our use case ---Mike On 7/27/2021 10:56 AM, Selva Nair wrote: > > It seems no one is interested in this to elicit a review.. I thought > this would be a nifty feature ;) > > On Sun, May 9, 2021 at 9:32 PM > wrote: > >

Re: [Openvpn-devel] [Openvpn-users] FreeBSD+cryptodev testers wanted

2015-03-31 Thread Mike Tancsa
On 3/31/2015 10:30 AM, Mike Tancsa wrote: On 3/31/2015 10:23 AM, Gert Doering wrote: Hi, On Tue, Mar 31, 2015 at 09:39:46AM -0400, Mike Tancsa wrote: I am not able to reproduce this. You need to use --daemon to make openvpn fork(). Otherwise, it will "just work", but aft

Re: [Openvpn-devel] [Openvpn-users] FreeBSD+cryptodev testers wanted

2015-03-31 Thread Mike Tancsa
On 3/31/2015 10:23 AM, Gert Doering wrote: Hi, On Tue, Mar 31, 2015 at 09:39:46AM -0400, Mike Tancsa wrote: I am not able to reproduce this. You need to use --daemon to make openvpn fork(). Otherwise, it will "just work", but after forking, the cryptodev file descriptor is no lo

[Openvpn-devel] new OpenSSL Security Advisories

2014-08-07 Thread Mike Tancsa
Has anyone had a chance to evaluate the latest security issues and how they might impact OpenVPN ? https://www.openssl.org/news/secadv_20140806.txt -- --- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, m...@sentex.net Providing Internet services since 1994

[Openvpn-devel] latest OpenSSL security advisories

2014-06-05 Thread Mike Tancsa
A few more vulnerabilities it would seem. Can anyone shed light on how this impacts OpenVPN ? http://www.openssl.org/news/secadv_20140605.txt Does OpenVPN make use of DTLS ? or SSL_MODE_RELEASE_BUFFERS ? ---Mike -- --- Mike Tancsa, tel +1 519 651 3400 Sentex

Re: [Openvpn-devel] Heartbleed

2014-04-08 Thread Mike Tancsa
On 4/8/2014 10:13 AM, Steffan Karger wrote: On 08/04/2014 16:04, Mike Tancsa wrote: How does one attack the client ? In my case, the client only connects to my servers ? I use a tls-auth key file as well. If I understand correctly, the scenario would be the attacker would have to have the tls

Re: [Openvpn-devel] Heartbleed

2014-04-08 Thread Mike Tancsa
to pretend it's the server's IP, and then coax the client into allocating the 64k block of memory as described in the above link ? ---Mike -- --- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, m...@sentex.net Providing Internet services since 1994 www.sentex.net

Re: [Openvpn-devel] Easy-RSA v3 release planning

2013-12-23 Thread Mike Tancsa
; platform dependent. Thanks! I will give this a try over the holidays. I do have the drivers and client software for Windows. I just was never able to get a cert generated under windows ---Mike -- --- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, m...@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/

Re: [Openvpn-devel] [PATCH] Fix --show-pkcs11-ids

2013-01-18 Thread Mike Tancsa
PENSSL_URL="${OPENSSL_URL:-http://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz}; and that builds the latest release. ---Mike -- --- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, m...@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/

Re: [Openvpn-devel] [PATCH] Fix --show-pkcs11-ids

2013-01-16 Thread Mike Tancsa
On 1/16/2013 6:06 PM, David Sommerseth wrote: > On 16/01/13 23:11, Mike Tancsa wrote: > > $ git tag --contains fd02ae905df21e1119fb63521e7ff773d6f812dc > v2.3.0 v2.3_rc2 > > > However, it seems that the generic build tool needs some more > tweaking to grab the packag

Re: [Openvpn-devel] [PATCH] Fix --show-pkcs11-ids

2013-01-16 Thread Mike Tancsa
ling list > Openvpn-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-devel > > -- --- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, m...@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/