Hi

On Thu, Jan 31, 2019 at 11:40 AM Gert Doering <g...@greenie.muc.de> wrote:

> Hi,
>
> I have changed the Subject: and started a new thread, so that this
> isn't lost in the discussion specific to commit ce1c1beef1eb.
>
> On Thu, Jan 31, 2019 at 11:28:52AM -0500, Selva Nair wrote:
> > So now the question -- do we want to support Windows builds with OpenSSL
> > 1.1.1 in 2.4?
>
> Basically, we already do.
>
> Could you summarize what is currently not working right in 2.4 + 1.1.1,
> and which patches we need to make it work?
>
> I admit I have lost track (many many patches related to TLS 1.3... some
> bring new features, some bugfixes) and could imagine everyone else being
> in the same boat. Maybe except Arne ;-)

OpenSSL 1.1.1 prefers pss padding even for TLS 1.2 so when both client and
server are linked against 1.1.1 and cryptoapicert is in use we need the last
two commits:

1. commit 0cab3475a83e9bad35b0eeb39b9ca886e6afaf1e
   Move OpenSSL vs CNG signature digest type mapping to a function

2. commit ce1c1beef1eb9ea776e00861117f72c4a1a6f1f8
   Handle PSS padding in cryptoapicert

It may take a little more work than cherry-pick + conflict resolve for these
as cryptoapi.c in master has diverged from 2.4 due to EC key support in the
former.

Apart from that, management-external-[cert|key] requires a way to signal pss
or "none" padding -- Arne's patch on that is pending review or revision, I
forget. But that's not specific to Windows.

Selva
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel