On 4/14/2021 8:23 PM, Selva Nair wrote:
>
> You can restrict TLS version using the option --tls-version-min in
> OpenVPN config file, but restricting to TLS 1.2 is not enough with
> OpenSSL 1.1.1. It defaults to PSS for both TLS 1.2 and 1.3.
>
> Rather than building your own OpenSSL, a much simpler option would be
> to make an openssl.cnf file and restrict signature algorithms. See my
> comment on the trac ticket link I posted in my previous reply.
>

Thanks, still no luck just yet getting things to work using the .cnf file. Not sure why it's not picking up the pointer properly. I will keep trying.

Another thing I am not clear on is where the cert signature type is set / required. I am guessing the entire chain needs to be at least SHA256, right? PKI's CA CRT, CSR, signed CRT?

Also, I was playing around creating a default CA from scratch using easy-rsa. It by default generates a CA cert as so:

% openssl x509 -in ca.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5c:d4:ed:f7:b7:0a:82:c7:52:dd:6b:bc:18:22:0a:53:8d:4e:2f:08
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Mike CA
        .
        .
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                45:DA:14:8D:C1:6B:C1:A2:F5:AE:61:76:89:E2:F4:46:83:90:6C:C1
            X509v3 Authority Key Identifier:
                keyid:45:DA:14:8D:C1:6B:C1:A2:F5:AE:61:76:89:E2:F4:46:83:90:6C:C1
                DirName:/CN=Mike CA
                serial:5C:D4:ED:F7:B7:0A:82:C7:52:DD:6B:BC:18:22:0A:53:8D:4E:2F:08
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption

Should those Signature Algorithm lines show something different? When I build a client, the same values. I don't have RSA-PSS referenced anywhere?

---Mike

> That said, it's my guess that the token is refusing to sign pre-padded
> data. You may want to ask the token supplier (SafeNet Inc) about it.
>
> Selva

Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
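Selva's suggestion of restricting signature algorithms through an openssl.cnf, written out as an added example; it is not from this thread or from the OpenVPN project, and it assumes the application loads OpenSSL 1.1.1's ssl_conf module and that the OPENSSL_CONF environment variable points at the file. The "Signature Algorithm: sha256WithRSAEncryption" lines in the certificate dump above are the certificate's own signature field, which is separate from the TLS handshake signature scheme these settings control.

```ini
# Added example, not from the thread: an openssl.cnf that keeps the
# TLS handshake signature schemes on PKCS#1 v1.5 so OpenSSL 1.1.1 does
# not negotiate RSA-PSS. Assumed to be loaded via
#   OPENSSL_CONF=/path/to/openssl.cnf   (path is a placeholder)

openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# TLS 1.3 permits only RSA-PSS for RSA handshake signatures (RFC 8446),
# so staying on PKCS#1 v1.5 also means staying on TLS 1.2. This applies
# to every SSL_CTX created by a process that loads this file.
MinProtocol = TLSv1.2
MaxProtocol = TLSv1.2

# Schemes this side offers and accepts for the CertificateVerify message.
# The weak-for-this-setup default would be rsa_pss_rsae_* first.
SignatureAlgorithms = RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA256

# Schemes a server advertises in CertificateRequest for client
# certificates, and a client uses when signing with its own certificate.
# This is the relevant setting when the client key sits on a token that
# cannot produce PSS signatures.
ClientSignatureAlgorithms = RSA+SHA256:RSA+SHA384:RSA+SHA512
```

The openssl command-line tool reads the same OPENSSL_CONF, so running any openssl subcommand with the variable set is a quick way to confirm the file is found and parses without a config error.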