Am 28.03.22 um 13:52 schrieb Arne Schwabe:
Am 27.03.22 um 17:52 schrieb Michael Baentsch:
Thanks again for your explanations: I finally figured out to correct
my git send-email configuration `smtpencryption` to be set to "ssl"
(instead of "tls": The latter caused a hang that I debugged for way
too long :-(. Maybe worth while adding to some FAQ for newbies? The
guidance at
https://github.com/git/git/blob/master/Documentation/git-send-email.txt
was clearly wrong.
Please let me know if that submission now arrived and meets your
requirements.
The commit message is still not great. Something I would have used
instead:
Well....
Allow non-standard EC groups with OpenSSL3
This statement just is not correct: This has not a lot to do with EC.
What about "Enable setting any TLS1.3 group [provided by the underlying
crypto libraries]. "?
OpenSSL3 no longer uses the NID to identify TLS groups, instead it uses
names. This allows also to use groups from external provider. It also
recognises secp256r1 as the same group as prime256v1.
This statement also is not quite right: OpenSSL3 still uses NIDs to
identify some groups, notably those not implemented by a provider, i.e.,
legacy/"classic" crypto. I would agree with the statement that "OpenSSL3
prefers the use of names over NIDs for the identification of TLS1.3
groups, including EC groups." Lastly, the "it" in your statement above
is unclear (at least to me as a non-native speaker): What about
explicitly stating "OpenSSL3 also recognises secp256r1 as the same group
as prime256v1"? This fact of course has nothing to do with this patch.
One further question: Is there interest on your side to add
more/better support for quantum-safe crypto to OpenVPN?
Depends on what changes you are proposing. There is certainly some
interest but depends on what exactly we are talking about.
I'll flesh that out. It mostly has to do with modifications to "easyrsa"
- see below.
easyrsa isn't geared for that right now (let alone suitably named
:-), but openssl3 (with our oqsprovider) can generate quantum-safe
PKI (CA and client certs) without problems.
Easyrsa has become also separate project. Development and maintainance
of easyrsa have become quite slow in the last years.
That statement is very helpful, thanks. It might then be sensible (for
me) to start a script from scratch that does not have such strong
dependency on legacy crypto. Will report back when I have something of
interest.
Quantum-safe key exchange works in OpenVPN just fine when the PR lands.
Thanks in advance for any guidance how to proceed with the PR now.
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
