On 19/10/2021 20:31, Arne Schwabe wrote:
The recent deprecation of SHA1 certificates in OpenSSL 3.0 makes it necessary
to re-allow them in certain deployments. Currently this works by using the
hack of using tls-cipher "DEFAULT:@SECLEVEL=0". Add insecure as an option to
tls-cert-profile to allow setting a seclevel of 0.
Signed-off-by: Arne Schwabe <a...@rfc2549.org>
This makes insecure the default mode:
+ if (!profile || 0 == strcmp(profile, "insecure"))
+ {
+ SSL_CTX_set_security_level(ctx->ctx, 0);
+ }
+ else if (!profile || 0 == strcmp(profile, "legacy"))
{
SSL_CTX_set_security_level(ctx->ctx, 1);
}
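Review bot: the `!profile ||` in the new "insecure" condition (first `+` line) turns the insecure profile into the default: when tls-cert-profile is not set, `profile` is NULL, the first branch matches and the security level is set to 0, and the `!profile` test kept in the `else if` for "legacy" can no longer be reached with a NULL profile. Suggest `if (profile && 0 == strcmp(profile, "insecure"))` so that a NULL profile keeps falling through to the legacy branch and its `SSL_CTX_set_security_level(ctx->ctx, 1)`, and drop the now-redundant `!profile ||` from the "legacy" condition only if that branch is still meant to be the default.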
When we don't pass a tls-cert-profile option, profile is NULL here, so
it takes the first branch.
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel