Hi,
On Wed, Apr 14, 2021 at 8:09 PM mike tancsa <m...@sentex.net> wrote:

> Thank you very much for the analysis and pointer. The application is a
> kiosk type environment and for a number of reasons, the windows dialog
> PIN popping up is not workable. It's been a while since I built OpenVPN
> from source, but I imagine I could roll a version of the OpenSSL.DLL
> that would max out at TLS 1.2 or at least default to that ?

You can restrict TLS version using the option --tls-version-min in OpenVPN config file, but restricting to TLS 1.2 is not enough with OpenSSL 1.1.1. It defaults to PSS for both TLS 1.2 and 1.3.

Rather than building your own OpenSSL, a much simpler option would be to make an openssl.cnf file and restrict signature algorithms. See my comment on the trac ticket link I posted in my previous reply.

That said, it's my guess that the token is refusing to sign pre-padded data. You may want to ask the token supplier (SafeNet Inc) about it.

Selva
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
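
The openssl.cnf approach mentioned in the reply above could look like the following for OpenSSL 1.1.1. This is an added example, not the configuration from the trac ticket or from either poster. The section names are arbitrary labels, the algorithm list is an assumption about what the token and server accept, and it assumes the OpenSSL build used by OpenVPN reads this file (for instance through the `OPENSSL_CONF` environment variable).

```ini
# openssl.cnf -- added example; section names below are arbitrary labels
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_module

[ssl_module]
# Applied as the default to every SSL_CTX the library creates
system_default = tls_defaults

[tls_defaults]
# TLS 1.3 permits only RSA-PSS signatures for RSA keys, so cap at TLS 1.2
MaxProtocol = TLSv1.2
# Allow only RSA PKCS#1 v1.5 signatures; the rsa_pss_* schemes are left out,
# so the client no longer selects PSS when signing with its certificate key
SignatureAlgorithms = RSA+SHA256:RSA+SHA384:RSA+SHA512
```

The server must also accept one of the listed algorithms, otherwise the handshake fails for lack of a shared signature algorithm.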