On Wed, Mar 30, 2016 at 5:08 PM, Jan Just Keijser <janj...@nikhef.nl> wrote:
>
> hmmm you're using AES256 encryption in combination with MD5 signed certs?
> that's strong encryption with VERY weak certificate hashing - your server is
> prone to all kinds of attacks this way.

MD5 here is going to be replaced soon.

>
> However, if you *must* use MD5 hashed certificates then try something like
>
> ExecStart=/usr/sbin/md5-openvpn --daemon --writepid
>
> and create a script /usr/sbin/md5-openvpn like
>
> #!/bin/bash
> export OPENSSL_ENABLE_MD5_VERIFY=1
> exec /usr/sbin/openvpn "$@"

How is this different to setting this variable by using the
configuration file below?

>> ====== /etc/systemd/system/openvpn@xxx.service.d/env.conf
>> [Service]
>> Environment=OPENSSL_ENABLE_MD5_VERIFY=1


Please note that I inserted
ExecStartPre=/usr/bin/env
into the /usr/lib/systemd/system/openvpn@.service template and I see
OPENSSL_ENABLE_MD5_VERIFY=1
in the journal logs, meaning this env variable is set when openvpn is being run.

Regards,
Piotr Dobrogost
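
One way to find the certificates that still need replacing, as an added example that is not part of the original thread: it reads the signature algorithm from `openssl x509 -noout -text` output and flags MD5 and other legacy digests. The function names and the sample text are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the thread): flag certificates signed with a
# weak digest so MD5-signed ones can be located and reissued.

# Constructed excerpt of `openssl x509 -noout -text` output (not a real cert).
SAMPLE_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=Example CA'

# Read the text dump on stdin and print the first "Signature Algorithm"
# value (the field appears twice in a full dump; both carry the same name).
sig_alg_from_text() {
    awk -F': *' '/Signature Algorithm:/ { gsub(/[ \t\r]+$/, "", $2); print $2; exit }'
}

# Return 0 if the algorithm name uses MD2, MD4, MD5 or SHA-1.
# RSASSA-PSS keeps its digest in the parameters, so it is not judged by name.
is_weak_sig_alg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        md2*|md4*|md5*|sha1*|*-sha1|dsawithsha1) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit the PEM certificate files given as arguments. Prints one line per
# file and returns 1 if any certificate is weak or cannot be parsed.
audit_certs() {
    local rc=0 f alg
    for f in "$@"; do
        alg=$(openssl x509 -in "$f" -noout -text 2>/dev/null | sig_alg_from_text)
        if [ -z "$alg" ]; then
            echo "UNREADABLE $f"; rc=1
        elif is_weak_sig_alg "$alg"; then
            echo "WEAK $f ($alg)"; rc=1
        else
            echo "ok $f ($alg)"
        fi
    done
    return $rc
}
```

Call `audit_certs` with the CA, server and client certificate files; the non-zero return value makes it usable as a scheduled check until the last MD5-signed certificate is gone.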

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
