On 13-04-17 15:09, David Sommerseth wrote:
> I'm however a bit puzzled of the "non-changes" (well, the indenting is
> changing, unless I'm blind to other changes) to --remote-cert-cu,
> --remote-cert-tls and --ns-cert-type. If we want to change the
> indenting, I think that should be kept in a separate patch, and keep
> --tls-cert-profile as a patch of its own.

Ah, indeed. The indenting change is needed to make GitHub parse the rst correctly. Feel free to remove the indenting changes and I'll send a follow-up patch doing just that.

> On a more generic note to this patch. I wonder if we should keep
> "legacy" the default in the v2.4 branch. In the Fedora 26 (and
> Rawhide/27) builds I had to do something similar [1] to keep users
> happy. As OpenVPN isn't ready for OpenSSL v1.1, I had to switch to mbed
> TLS. Unfortunately that hasn't been as successful as I really hoped it
> would be, but that's an entirely different story (and mail thread). As
> long as the Fedora builds need to be built with mbed TLS, I will need to
> ensure 'legacy' is the default there for a while. For the coming Fedora
> Rawhide (which will be F28), I can make some announcements preparing
> users to move to stricter defaults.
>
> [1]
> <http://pkgs.fedoraproject.org/cgit/rpms/openvpn.git/tree/0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch?h=f26>

The current mbed TLS builds already reject legacy crypto (except the Fedora packaged build, apparently). With this patch users have the ability to use legacy stuff again, but I would prefer to not go any further than that. I think we should encourage people to drop the legacy. Just like the browser vendors are doing.

And for Fedora, they chose to experience intense pain when they chose to go for OpenSSL 1.1 this fast, that's their problem I guess... If they want to be that cutting edge, they should also stop using legacy crypto. And otherwise, it will be a simple patch in the Fedora packaging.

-Steffan
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel