On 20.09.19 at 22:55 Selva Nair wrote:
> Hi,
> Reviving this thread/patch as now users are running into this padding
> issue (trac 1216).
> IIRC, we more-or-less agreed upon adding an argument (nopadding, pss etc..)
> to >PK_SIGN for new clients and erroring out with old clients that
> cannot sign with PSS padding.
> Selva

We did not really come to a conclusion on whether we wanted backwards compatibility
or not. Since it seems that OpenSSL 1.1.1 requires the management-client
to understand the new way of signatures anyway, I would say we require
the management client to be able to understand the signature in any case.

I think the missing piece for the patch is whether we want to error
out early if we detect a config that *might* not work (the nopadding
argument or any other argument to the management-external-key) or if we
do not error at this point and fail then when we actually require PSS
signature. I am more for the first version because otherwise you end up
with configurations that work fine until the server is upgraded to
OpenSSL 1.1.1 and then the client stops working without anything being
changed (yes, I realise that is already the case at the moment).


Openvpn-devel mailing list
