Hi,

Here is an update on this patch set to keep all in the loop.

Arne discovered that my patch broke ECDH key exchange in some cases. This turns out to be due to the way providers are handled in OpenSSL, especially when used in a TLS context. It leads to the requirement that an external provider has to handle a wide zoo of key operations, including key exchange and key generation, even if all it wants to do is signing with an external key. Essentially something like: "you either export the key to me or be ready to import and handle all operations on any asymmetric key I may come across".

We can't export, as the key is in a protected storage in some backend. We also do not want to do all that extra work that's not in the contract, and we are not good at it either.

I have been engaging with OpenSSL developers on this and they realize this was unintended, and is a "bug/weakness" in their implementation. They are working on a patch to fix it at their end (https://github.com/openssl/openssl/pull/16725). The eventual fix is very likely to get backported to OpenSSL 3.0, so we have to wait.

I'll submit a slightly modified v2 once their fix is finalized.

Thanks,
Selva
_______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
