Hi,

On Sun, Dec 18, 2016 at 05:40:55PM +0100, Steffan Karger wrote:
> Our internal options digest uses MD5 hashes to store the state, instead of
> storing the full options string. There's nothing wrong with that, but it
> would still be better to use SHA256 because:
> * That makes it easier to make OpenVPN "FIPS-compliant" (forbids MD5)
> * We don't have to explain anymore that MD5 is fine too
>
> The slightly less bytes for the digest (16 instead of 32) and operations
> per connection setup are not worth sticking to MD5.

I can't find very clear information on "which versions of OpenSSL do
support sha256", but since we have a trac ticket about our windows
builds having issues with sha256 certificates we might take this
opportunity to revisit minimum OpenSSL versions supported in master
from now on...
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany [email protected]
fax: +49-89-35655025 [email protected]
_______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
