On 4/14/2021 8:23 PM, Selva Nair wrote:
>  
> You can restrict TLS version using the option --tls-version-min in
> OpenVPN config file, but restricting to TLS 1.2 is not enough with
> OpenSSL 1.1.1. It defaults to PSS for both TLS 1.2 and 1.3.
>
> Rather than building your own OpenSSL, a much simpler option would be
> to make an openssl.cnf file and restrict signature algorithms. See my
> comment on the trac ticket link I posted in my previous reply.
>
Thanks, still no luck just yet getting things to work using the .cnf
file.  Not sure why it's not picking up the pointer properly.  I will
keep trying.

Another thing I am not clear on is where the cert signature type is set
/ required.  I am guessing the entire chain needs to be at least SHA256,
right? PKI's CA CRT, CSR, signed CRT?

Also, I was playing around creating a default CA from scratch using
easy-rsa.  By default it generates a CA cert like so:

% openssl x509 -in ca.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5c:d4:ed:f7:b7:0a:82:c7:52:dd:6b:bc:18:22:0a:53:8d:4e:2f:08
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Mike CA
.
.
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                45:DA:14:8D:C1:6B:C1:A2:F5:AE:61:76:89:E2:F4:46:83:90:6C:C1
            X509v3 Authority Key Identifier:
                keyid:45:DA:14:8D:C1:6B:C1:A2:F5:AE:61:76:89:E2:F4:46:83:90:6C:C1
                DirName:/CN=Mike CA
                serial:5C:D4:ED:F7:B7:0A:82:C7:52:DD:6B:BC:18:22:0A:53:8D:4E:2F:08

            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption


Should those Signature Algorithm lines show something different?

When I build a client, the same values.  I don't have RSA-PSS referenced
anywhere?

    ---Mike


> That said, it's my guess that the token is refusing to sign pre-padded
> data. You may want to ask the token supplier (SafeNet Inc) about it.
>
> Selva
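
An added example, not code from this thread: the openssl.cnf restriction Selva describes, alongside a check of the certificate-level algorithm that Mike's `openssl x509` dump shows. The `Signature Algorithm` line in that dump records how the CA signed the certificate and is fixed at signing time (sha256WithRSAEncryption, which is what easy-rsa produces by default), whereas the `SignatureAlgorithms` config key only governs the signature made during the TLS handshake, which is where OpenSSL 1.1.1 reaches for RSA-PSS. The file name, section names and "Example CA" subject are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: an openssl.cnf that keeps RSA-PSS out
# of the TLS handshake, plus a check of the certificate-level algorithm.
set -e
WORK=$(mktemp -d)
CNF="$WORK/no-pss.cnf"   # hypothetical file name

# Handshake-level restriction. TLS 1.3 mandates PSS for RSA keys, so the
# protocol ceiling has to stay at 1.2 for the PKCS#1 v1.5 names to apply.
cat > "$CNF" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = tls_defaults

[tls_defaults]
MinProtocol = TLSv1.2
MaxProtocol = TLSv1.2
# PKCS#1 v1.5 only: no rsa_pss_rsae_* / rsa_pss_pss_* entries
SignatureAlgorithms = RSA+SHA256:RSA+SHA384:RSA+SHA512

[req]
distinguished_name = req_dn
[req_dn]
EOF

# Certificate-level algorithm: what the signer used on this cert. Prints the
# first "Signature Algorithm:" line of the text dump, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Build a throwaway CA the way easy-rsa does by default (RSA key, SHA-256,
# PKCS#1 v1.5 signature) with the restricting config loaded via OPENSSL_CONF.
make_ca() {
    OPENSSL_CONF="$CNF" openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -days 1 -subj "/CN=Example CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

make_ca
CA_CRT="$WORK/ca.crt"
# The handshake restriction leaves the certificate's own signature untouched.
echo "Certificate signature: $(cert_sig_alg "$CA_CRT")"
```

The handshake-level choice is visible instead in `openssl s_client` output, whose `Peer signature type:` line reports RSA or RSA-PSS for the CertificateVerify signature.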

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users