Hi, On 26-06-17 16:32, Arne Schwabe wrote: > Am 14.04.17 um 17:40 schrieb Steffan Karger: >> This allows the user to specify what certificate crypto algorithms to >> support. The supported profiles are 'preferred' (default), 'legacy' and >> 'suiteb', as discussed in <84590a17-1c48-9df2-c48e-4160750b2...@fox-it.com> >> (https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14214.html). >> >> This only implements the feature for mbed TLS builds, because for mbed it >> is both more easy to implement and the most relevant because mbed TLS 2+ >> is by default somewhat restrictive by requiring 2048-bit+ for RSA keys. >> > > ACK so far as the code goes. As for the whole MD5 stuff is at the moment > blowing up with OSSL 1.1, we need a md5 allowing option (with a fat > warning probably).
To be honest, I think we shouldn't do anything to allow MD5. The first set of certificates with colliding MD5 digests was demonstrated in 2005! We should really stop supporting broken setups and just tell people to move to SHA2. > And the other thing is that OpenSSL has a similar feature in 1.1: > Security levels. Which can be specified as part of tls-cipher or set > independently by > https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html > > The levels are similar to the proposed level here but not identical. > Should we somehow align these two features? Configuring it for one > library in tls-cipher and for the other in tls-cert-profile is bit strange. Yeah, I'll look into the callbacks they mention, to see if we can easily align both libraries. Would be nice. > Also shouldn't be tls-min-version included in the preferred/legacy options? Hm, for now we explicitly chose --tls-cert-profile, which is separate from --tls-verion-min, such that people can still easily upgrade the one even if the other is keeping them back (e.g. due to a non-cooperating CA, or smart card). -Steffan ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
