Forgot copy this to the list -- sending again

On Mon, Sep 23, 2019 at 6:19 AM Arne Schwabe <> wrote:
> Am 20.09.19 um 22:55 schrieb Selva Nair:
> > Hi,
> >
> > Reviving this thread/patch as now users are running into this padding
> > issue (trac 1216 <>).
> >
> > IIRC, we more-or-less agreed upon adding an argument (nopadding, pss etc..)
> > to >PK_SIGN for new clients and erroring out with old clients that
> > cannot sign with PSS padding.
> >
> > Selva
> >
> Yeah.
> We did not really to a conclusion if we wanted backwards compatibility
> or not. Since it seems that OpenSSL 1.1.1 requires the management-client
> to understand the new way of signatures anyway, I would say we require
> the management client to be able to understand the signature in any case.
> I think the missing bit of piece for the patch is if we want to error
> out early if we detect a config that *might* not work (the nopadding
> argument or any other argument to the management-external-key) or if we
> do not error at this point and fail then when we actually require PSS
> signature. I am more for the first version because otherwise you end up
> with configurations that work fine until the server is upgraded to
> OpenSSL 1.1.1 and then the client stops working without anything being
> change (yes I realise that is already the case at the moment)

Well, I can live with that ---  at least we'll be able to tell the
users to update their client to get the signature request, which
is not the case now.


Openvpn-devel mailing list

Reply via email to