Ever since we support TLS 1.2 (OpenVPN 2.3.3+), the RSA_SIGN might not
only request MD5-SHA1 'TLS signatures', but also other variants.
Document this by updating the implementation hints, and explicitly
stating that we expect a PKCS#1 1.5 signature.

Trac: #764

Signed-off-by: Steffan Karger <stef...@karger.me>
 doc/management-notes.txt | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/doc/management-notes.txt b/doc/management-notes.txt
index dd870eb..29c3aad 100644
--- a/doc/management-notes.txt
+++ b/doc/management-notes.txt
@@ -773,8 +773,9 @@ via a notification as follows:
-The management interface client should then sign BASE64_DATA
-using the private key and return the SSL signature as follows:
+The management interface client should then create a PKCS#1 v1.5 signature of
+the (decoded) BASE64_DATA using the private key and return the SSL signature as
@@ -783,8 +784,8 @@ rsa-sig
-Base64 encoded output of RSA_sign(NID_md5_sha1,... will provide a
-correct signature.
+Base64 encoded output of RSA_private_encrypt() (OpenSSL) or mbedtls_pk_sign()
+(mbed TLS) will provide a correct signature.
 This capability is intended to allow the use of arbitrary cryptographic
 service providers with OpenVPN via the management interface.

Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/intel
Openvpn-devel mailing list

Reply via email to