On 26/06/17 14:12, Arne Schwabe wrote:
> On 26.06.17 at 13:51, David Sommerseth wrote:
>> On 26/06/17 13:13, Arne Schwabe wrote:
>>> OpenSSL 1.1 does not allow MD5 signed certificates by default anymore. This
>>> can be enabled again by setting tls-cipher "DEFAULT:@SECLEVEL=0" but only
>>> if the cipher list is set before loading the certificates. This patch
>>> changes the order of loading.
>>
>> I'm not fully convinced of the argumentation for this feature - unless
>> something has changed in OpenSSL 1.1. I believe the same can be
>> achieved by setting an environment variable before starting OpenVPN.
>>
>> $ OPENSSL_ENABLE_MD5_VERIFY=1 /usr/sbin/openvpn ....
>>
>> I know several Fedora users have deployed this, even when systemd is
>> involved. This is needed on systems with OpenSSL 1.0 as well when they
>> connect to a server having an MD5 based certificate or signed by a CA
>> with an MD5 based certificate.
>>
>> So unless OpenSSL 1.1 has changed this behaviour from OpenSSL 1.0, I'm
>> not really convinced we need this.
>>
>
> See this also as a bugfix. Since tls-cipher options affect certificate
> loading, it is good to set it before certificate loading. E.g. you might
> want to use @SECLEVEL=5 to only allow loading of SHA256 based certificates.
>
> Also I think your option is Fedora specific, as I could not find anything
> in the source code in my OSSL copy, and the message also mentions it
> being Fedora specific:
>
> ** WARNING ** [Fedora modification] MD5 certificate hash re-enabled via
> OPENSSL_ENABLE_MD5_VERIFY environment variable.
Nope, that is actually a warning I added in one of the earlier mbed TLS builds for Fedora. That patch has been removed again, as I moved back to compat-openssl10 when compat-openssl10-pkcs11-helper became available. The patch which adds that warning is a workaround so that users already having deployed MD5 support when they used OpenSSL ... so we needed to ensure users did have this feature enabled. So instead of requiring users to define MBEDTLS_ENABLE_MD5_VERIFY, I re-used the OPENSSL_ENABLE_MD5_VERIFY variable name. And complained about it in the logs.

But I'm actually a bit fascinated you found a Fedora build with that warning. IIRC, that build was from a scratch build, testing out this issue - used by a user who got into trouble during the mbed TLS based builds in Fedora 26 (not yet released) and Fedora Rawhide. With openvpn-2.4.2-1, I switched back to OpenSSL. As of the next Fedora 26 openvpn build, I will move further forward to OpenSSL 1.1 instead of compat-openssl10. Fedora Rawhide is already on openssl-1.1.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
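The thread turns on OpenSSL's security levels: from OpenSSL 1.1.0 on, a level of 1 or higher rejects certificate signatures whose digest offers under 80 bits of security, which excludes MD5, and `@SECLEVEL=0` in the cipher string switches that check off. The script below is an added example, not code from the patch, from OpenVPN or from Fedora. It shows the same check with the `openssl` command-line tool instead of a TLS handshake: it builds a constructed fixture (a SHA-256 self-signed CA plus a leaf certificate that the CA signs with MD5) and verifies the leaf at `-auth_level 0` and `-auth_level 1`. It assumes an `openssl` binary of version 1.1.0 or later on `PATH`, and that `openssl verify -auth_level` applies the per-level signature rules defined in `SSL_CTX_set_security_level(3)`, the same rules `@SECLEVEL` selects for an OpenVPN `tls-cipher` string. The ordering point of the patch (cipher list set before the certificates are loaded) is not exercised here.

```shell
#!/bin/sh
# Added example (not OpenVPN's, the patch's or Fedora's code): demonstrate
# the OpenSSL security-level check on certificate signature digests.
# Assumptions: an openssl binary (1.1.0+) is on PATH, and 'openssl verify
# -auth_level N' enforces the same level-N signature rules that
# '@SECLEVEL=N' in a cipher string enforces for an SSL_CTX.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed fixture: a SHA-256 self-signed CA and a leaf certificate that
# the CA signs with MD5 (md5WithRSAEncryption), i.e. the kind of old
# certificate the thread says OpenSSL 1.1 rejects by default.
make_md5_signed_leaf() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=example-ca" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=example-leaf" \
        -keyout "$WORKDIR/leaf.key" -out "$WORKDIR/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -md5 -days 1 -set_serial 1 \
        -in "$WORKDIR/leaf.csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
        -out "$WORKDIR/leaf.crt" >/dev/null 2>&1
}

# Signature algorithm actually used on the leaf, read back from the file.
leaf_sig_algorithm() {
    openssl x509 -in "$WORKDIR/leaf.crt" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Verify the leaf against the CA at the given security (auth) level.
# The trust anchor's own signature is never checked; the leaf's MD5
# signature is what level 1 refuses. Returns 0 if accepted, 1 if rejected.
verify_at_level() {
    openssl verify -auth_level "$1" -CAfile "$WORKDIR/ca.crt" \
        "$WORKDIR/leaf.crt" >/dev/null 2>&1
}

make_md5_signed_leaf
echo "leaf signature algorithm: $(leaf_sig_algorithm)"
for level in 0 1; do
    if verify_at_level "$level"; then
        echo "auth_level $level: accepted"
    else
        echo "auth_level $level: rejected (signature digest below the level's minimum)"
    fi
done
```

Level 0 accepts the MD5-signed leaf and level 1 rejects it; the level-1 failure is what a client sees during a handshake unless `@SECLEVEL=0` has been applied to the context before the certificates are loaded.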
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel