Hi,
On 26-06-17 13:44, Christian Hesse wrote:
> Arne Schwabe on Mon, 2017/06/26 13:13:
>> OpenSSL 1.1 does not allow MD5 signed certificates by default anymore. This
>> can be enabled again by setting tls-cipher "DEFAULT:@SECLEVEL=0" but only
>> if the cipher list is set before loading the certi
On 26/06/17 16:00, Arne Schwabe wrote:
[...snip...]
>>
>> Currently there is an agreement of the following profiles:
>>
>> - legacy: SHA1 and newer, RSA 2048-bit+, any elliptic curve.
>> - preferred: SHA2 and newer, RSA 2048-bit+, any elliptic curve.
>>   (default in v2.5)
>> - s
>>>
>>> See this also as a bugfix. Since tls-cipher options affect certificate
>>> loading, it is good to set it before certificate loading. E.g. you might
>>> want to use @SECLEVEL=5 to only allow loading of SHA256 based certificates.
> Oh, btw ... We need to align this with another patch-set from S
On 26/06/17 15:21, David Sommerseth wrote:
> On 26/06/17 14:12, Arne Schwabe wrote:
>> Am 26.06.17 um 13:51 schrieb David Sommerseth:
>>> On 26/06/17 13:13, Arne Schwabe wrote:
OpenSSL 1.1 does not allow MD5 signed certificates by default anymore.
This can be enabled again by setting tl
On 26/06/17 14:12, Arne Schwabe wrote:
> Am 26.06.17 um 13:51 schrieb David Sommerseth:
>> On 26/06/17 13:13, Arne Schwabe wrote:
>>> OpenSSL 1.1 does not allow MD5 signed certificates by default anymore. This
>>> can be enabled again by setting tls-cipher "DEFAULT:@SECLEVEL=0" but only
>>> if t
Am 26.06.17 um 13:51 schrieb David Sommerseth:
> On 26/06/17 13:13, Arne Schwabe wrote:
>> OpenSSL 1.1 does not allow MD5 signed certificates by default anymore. This
>> can be enabled again by setting tls-cipher "DEFAULT:@SECLEVEL=0" but only
>> if the cipher list is set before loading the cert
Arne Schwabe on Mon, 2017/06/26 13:13:
> OpenSSL 1.1 does not allow MD5 signed certificates by default anymore. This
> can be enabled again by setting tls-cipher "DEFAULT:@SECLEVEL=0" but only
> if the cipher list is set before loading the certificates. This patch
> changes the order of loading.
On 26/06/17 13:13, Arne Schwabe wrote:
> OpenSSL 1.1 does not allow MD5 signed certificates by default anymore. This
> can be enabled again by setting tls-cipher "DEFAULT:@SECLEVEL=0" but only if
> the cipher list is set before loading the certificates. This patch changes
> the order of loading
OpenSSL 1.1 does not allow MD5 signed certificates by default anymore. This can
be enabled again by setting tls-cipher "DEFAULT:@SECLEVEL=0" but only if the
cipher list is set before loading the certificates. This patch changes the
order of loading.
---
src/openvpn/ssl.c | 8 +---
1 file c