Forgot to copy this to the list -- sending again

On Mon, Sep 23, 2019 at 6:19 AM Arne Schwabe <a...@rfc2549.org> wrote:
>
> On 20.09.19 at 22:55 Selva Nair wrote:
> > Hi,
> >
> > Reviving this thread/patch as now users are running into this padding
> > issue (trac 1216 <https://community.openvpn.net/openvpn/ticket/1216>).
> >
> > IIRC, we more-or-less agreed upon adding an argument (nopadding, pss etc..)
> > to >PK_SIGN for new clients and erroring out with old clients that
> > cannot sign with PSS padding.
> >
> > Selva
>
> Yeah.
>
> We did not really come to a conclusion if we wanted backwards compatibility
> or not. Since it seems that OpenSSL 1.1.1 requires the management-client
> to understand the new way of signatures anyway, I would say we require
> the management client to be able to understand the signature in any case.
>
> I think the missing bit of piece for the patch is if we want to error
> out early if we detect a config that *might* not work (the nopadding
> argument or any other argument to the management-external-key) or if we
> do not error at this point and fail then when we actually require PSS
> signature. I am more for the first version because otherwise you end up
> with configurations that work fine until the server is upgraded to
> OpenSSL 1.1.1 and then the client stops working without anything being
> changed (yes I realise that is already the case at the moment)

Well, I can live with that --- at least we'll be able to tell the users to
update their client to get the signature request, which is not the case now.

Selva

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel