On 30.07.2024 at 19:00, Eric Toombs via Openvpn-devel wrote:
From: Eric Toombs <n...@public.tld>
We prefer real email addresses in our commits.
I switched the curve to ed25519, a generally more trustworthy curve and the default in openssh. As a bonus, it *really* simplifies what is already a complicated command. The old command wouldn't even run in all shells because it used process substitution. 'nodes' is deprecated in favour of 'noenc', so I switched that too.
While ed25519 might have its advantages, its usage in X509 certificates is really really uncommon. I have seen more brainpool usages in the wild than ed25519. It is also not allowed on hosts that use FIPS settings, and also older OpenVPN clients/OpenSSL clients might not support it. Also, in contrast to secp384r1, I know absolutely no secure certificate store that supports it (Android Keystore, YubiKey and so on all support secp384r1, but there is no ed25519 support). So I don't think we are at the point where we want to recommend in an easy-to-setup guide a group/curve that is a lot less supported than the basically universally supported secp384r1.
So for the purpose of this guide, I think secp384r1 is a much better choice compared to ed25519.
Arne

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
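The secp384r1 setup Arne recommends, as an added example that is not from the thread or from the OpenVPN wiki: a POSIX sh script (no bash process substitution) that generates an unencrypted secp384r1 key and self-signed certificate, using -noenc on OpenSSL 3 and the deprecated -nodes spelling on older releases, then reads the curve back out of the certificate. The CN, output paths, validity and serverAuth extension are assumed values.

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenVPN project.
# Generates a self-signed secp384r1 server certificate for OpenVPN in
# plain POSIX sh, so it runs in shells without process substitution.

# Pick the "leave the private key unencrypted" flag for the openssl in
# $PATH: -noenc since OpenSSL 3.0, the deprecated -nodes before that.
noenc_flag() {
    case "$(openssl version)" in
        "OpenSSL 3."*|"OpenSSL 4."*) echo "-noenc" ;;
        *) echo "-nodes" ;;
    esac
}

# Print the named curve encoded in an X.509 certificate's public key
# (empty for non-EC keys, e.g. an Ed25519 certificate).
cert_curve() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *ASN1 OID: *//p'
}

# Generate key + certificate in one openssl call (no config file, so no
# <(...) needed) and return the curve found in the resulting certificate.
# Arguments: output directory, Common Name. Paths/validity are assumed values.
make_server_cert() {
    dir="$1"; cn="$2"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 \
        "$(noenc_flag)" -days 3650 -subj "/CN=$cn" \
        -addext "extendedKeyUsage=serverAuth" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null \
        || return 1
    cert_curve "$dir/server.crt"
}
```

A result of "secp384r1" confirms the certificate carries the curve Arne argues is the universally supported choice; the same check on an ed25519 certificate prints nothing, since Ed25519 keys carry no curve OID.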