On 19.10.21 at 05:41, [email protected] wrote:
> From: Selva Nair <[email protected]>
>
> Some legacy tokens do not have drivers compatible with
> Windows Cryptography Next generation API (CNG) and require
> the old CAPI interface. These also do not support anything
> but RSA_PKCS1 signatures with MD5+SHA1 digests, and can only
> handle TLS 1.1 and older. Continuing to support these adds
> too much maintenance burden especially with newer versions of
> OpenSSL and has very little benefit.
>
> - Remove support for non CNG interface which also removes
>   support for such legacy tokens. Keys uploaded to Windows
>   certificate stores are not affected.
>
> - Remove support for OpenSSL versions < 1.1.1 in Windows
>   builds
>
> Note: TLS 1.0 and 1.1 are still supported. Only signing with legacy
> tokens that have drivers incompatible with CNG is affected. These
> can still be used with pkcs11-helper.
>
> Tested on Windows 10 with RSA and EC keys in store
>
Acked-By: Arne Schwabe <[email protected]>

I haven't tested it myself but the code change looks good and supporting keys that only support TLS 1.1 is indeed silly nowadays.

Arne

_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
