Hi,

On 13/11/17 00:36, Steffan Karger wrote:
> From: Steffan Karger <steffan.kar...@fox-it.com>
>
> This allows the user to specify what certificate crypto algorithms to
> support. The supported profiles are 'preferred', 'legacy' (default) and
> 'suiteb', as discussed in <84590a17-1c48-9df2-c48e-4160750b2...@fox-it.com>
> (https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14214.html).
>
> This fully implements the feature for mbed TLS builds, because for mbed it
> is both more easy to implement and the most relevant because mbed TLS 2+
> is by default somewhat restrictive by requiring 2048-bit+ for RSA keys.
>
> For OpenSSL, this implements an approximation based on security levels, as
> discussed at the hackathon in Karlsruhe.
>
> This patch uses 'legacy' as the default profile following discussion on
> the openvpn-devel mailing list. This way this patch can be applied to
> both the release/2.4 and master branches. I'll send a follow-up patch for
> the master branch to change the default to 'preferred' later.
>
> Signed-off-by: Steffan Karger <steffan.kar...@fox-it.com>

Code looks good, but the commit subject is now wrong, because this patch is actually implementing cert profiles for both mbedTLS and OpenSSL.

So I ACK it, but the committer should fix the subject for the sake of clarity.

I have tested the patch with mbedTLS and with OpenSSL 1.0, but not with OpenSSL 1.1.

Acked-by: Antonio Quartulli <a...@unstable.cc>

--
Antonio Quartulli
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel