> > > > (ii) tls version max is set to 1.2 and openssl 1.1.1 is in use both on
> > > > server and client.
> > > > PSS signing will get negotiated but we will not error out early as TLS
> > > > 1.3 is not in use.
> > >
> > > That's why I say that this extension of management-external-key is
> > > not worth it.
> > >
> > > Am I missing something?
> >
> > tls_version_max will still report TLS 1.3 as it is not affected by the
> > version set in config but is really the max the library is capable of,
> > irrespective of the tls min/max version.
>
> Aha, I missed that. Still I really do not understand the need for
> erroring here instead of when prompting for PK_SIGN based on client version.
> Much simpler.
I did this because my initial OpenSSL 1.1.1 client did not have any problem; only after I upgraded the server to 1.1.1 did it. I want to avoid the situation where OpenSSL 1.1.1 is used and then things just "break for no reason"; erroring out early and telling the user "this will not really work" is a better approach.

Arne
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel