> 
>     We can treat management-external key as special and optionally
>     provide the digest to sign. OpenSSL 3.0 with provider always seems to
>     call DigestSign and never Sign directly so we have the info. 
> 
> 
> Turns out to be easier than I thought. I have added a patch to
> optionally send the undigested message to the management client.
> Indicate support for digesting operation in --management-external-key
> and you get the message to sign with data=message

That is great. I tested it and TLS 1.3 is working nicely with
"SHA256withRSA/PSS" on the java side. So that is great.

But then it went downhill from that with things unrelated to the xkey
provider. I wanted to see if it works with TLS 1.1 (i.e., forcing a pkcs1
signature) and found out tls-version-max no longer works on OpenSSL 3.0
nor on my Ubuntu 20 with OpenSSL 1.1.

I decided then to replace SSLv23_client_method with TLS11_client_method,
which ended with an internal SSL error in my client.

So instead I tried to see if tls-version-max still works with mbed TLS only
to discover that my OpenSSL 3.0 client does not connect to my mbed TLS
at all and instead the server says "TLS_ERROR: read tls_read_plaintext
error: SSL - Bad input parameters to function" (Ubuntu 20/mbed TLS
2.16.0). Switching the app back to OpenSSL 1.1.1l still works.

Then tested again with OpenSSL 3.0 but forgot to reenable
HAVE_XKEY_PROVIDER and now the RSA_method/EC_method works but I was
fairly sure that it didn't before. Maybe there is some obscure side
effect from your branch or I misremembered before ...

But for some reason having the HAVE_XKEY_PROVIDER define enabled breaks
connecting to an mbed TLS 2.16 server. I can also reproduce that with
a version on my Mac.

> 
> See the commit message. It's
> in https://github.com/selvanair/openvpn/tree/xkey-provider-v3 (only
> compile tested).
> 
> Selva
> PS. I'm supposed to be holidaying, but basking in LCD glow instead of sun..


Hehe, and I am supposed to be sleeping but instead I am testing some
obscure software part that is even hard to explain to other IT (non
crypto) people what it does ....




_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel