Hi,

A thought: why not split this patch into two:

(i) extend PK_SIGN to optionally signal ALG (signalled only if client_version > 2). Include all the changes to rsa_priv_enc() etc. to handle PSS sign requests from OpenSSL 1.1.1. If client version is <= 2, continue to use PK_SIGN as before provided the signature required is PKCS1 for RSA or ECDSA. Else error out in manage.c. This ensures backward compat to the extent possible.

(ii) Amend management-external-key to take an additional option and do whatever one can do with it for an early error report.

Anyway, my suggestion is to not even bother with (ii), but this way we can quickly get (i) finalized. Unless you already decided to drop (ii) :)

Only downside (or upside, depending on your pov) to this is once (i) is merged in we will start including ALG in PK_SIGN for new clients (version 3+), so if merging (ii), that should happen before a subsequent release.

Selva
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel