On 14.04.17 at 17:40, Steffan Karger wrote:
> This allows the user to specify what certificate crypto algorithms to
> support. The supported profiles are 'preferred' (default), 'legacy' and
> 'suiteb', as discussed in <84590a17-1c48-9df2-c48e-4160750b2...@fox-it.com>
> (https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14214.html).
>
> This only implements the feature for mbed TLS builds, because for mbed it
> is both more easy to implement and the most relevant because mbed TLS 2+
> is by default somewhat restrictive by requiring 2048-bit+ for RSA keys.
>
ACK so far as the code goes.

As the whole MD5 stuff is at the moment blowing up with OSSL 1.1, we need an MD5-allowing option (with a fat warning probably).

And the other thing is that OpenSSL has a similar feature in 1.1: security levels, which can be specified as part of tls-cipher or set independently by
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html

The levels are similar to the proposed level here but not identical. Should we somehow align these two features? Configuring it for one library in tls-cipher and for the other in tls-cert-profile is a bit strange.

Also, shouldn't tls-min-version be included in the preferred/legacy options? And suiteb would be tls-cipher SUITEB128 in OpenSSL.

Arne