Re: [Openvpn-devel] [PATCH v5 2/2] Add support for OpenSSL TLS 1.3 when using management-external-key

2019-09-23 Thread Selva Nair
Forgot to copy this to the list -- sending again On Mon, Sep 23, 2019 at 6:19 AM Arne Schwabe wrote: > > On 20.09.19 at 22:55, Selva Nair wrote: > > Hi, > > > > Reviving this thread/patch as now users are running into this padding > > issue (trac 1216

Re: [Openvpn-devel] [PATCH v5 2/2] Add support for OpenSSL TLS 1.3 when using management-external-key

2019-09-23 Thread Arne Schwabe
On 20.09.19 at 22:55, Selva Nair wrote: > Hi, > > Reviving this thread/patch as now users are running into this padding > issue (trac 1216). > > IIRC, we more-or-less agreed upon adding an argument (nopadding, pss etc..) > to >PK_SIGN for new

Re: [Openvpn-devel] [PATCH v5 2/2] Add support for OpenSSL TLS 1.3 when using management-external-key

2019-09-20 Thread Selva Nair
Hi, Reviving this thread/patch as now users are running into this padding issue (trac 1216). IIRC, we more-or-less agreed upon adding an argument (nopadding, pss etc..) to >PK_SIGN for new clients and erroring out with old clients that cannot

Re: [Openvpn-devel] [PATCH v5 2/2] Add support for OpenSSL TLS 1.3 when using management-external-key

2018-11-15 Thread Arne Schwabe
> > > > (ii) tls version max is set to 1.2 and openssl 1.1.1 is in use both on > > server and client. > > PSS signing will get negotiated but we will not error out early as TLS > > 1.3 is not in use. > > > > That's why I say that this extension of management-external-key

Re: [Openvpn-devel] [PATCH v5 2/2] Add support for OpenSSL TLS 1.3 when using management-external-key

2018-11-15 Thread Selva Nair
On Thu, Nov 15, 2018 at 2:22 AM Arne Schwabe wrote: > > >> Unless I overlooked something, I don't see any situation in which we ask > >> for an unsupported signature. > > > > Consider this: > > (i) config has --management-external-key nopadding but client announces > version > > 2. We will not

Re: [Openvpn-devel] [PATCH v5 2/2] Add support for OpenSSL TLS 1.3 when using management-external-key

2018-11-14 Thread Arne Schwabe
>> Unless I overlooked something, I don't see any situation in which we ask >> for an unsupported signature. > > Consider this: > (i) config has --management-external-key nopadding but client announces > version > 2. We will not error out but send the signature request as > PK_SIGN > without

Re: [Openvpn-devel] [PATCH v5 2/2] Add support for OpenSSL TLS 1.3 when using management-external-key

2018-11-14 Thread Arne Schwabe
>> For TLS 1.0 to 1.2 and OpenSSL 1.1.0 calls us and requires a PKCS1 >> padded response. As TLS 1.3 mandates RSA-PSS padding support and also >> requires a TLS 1.3 implementation to support RSA-PSS for older TLS >> versions, OpenSSL will query us to sign an already RSA-PSS padded >> string. >> >>

Re: [Openvpn-devel] [PATCH v5 2/2] Add support for OpenSSL TLS 1.3 when using management-external-key

2018-11-13 Thread Selva Nair
Hi, My comments below have grown too long so first a summary for those who TLDR; My suggestion: - Leave management-external-key as is (there is not much gained by adding a parameter to it) - Append a fairly flexible signature algorithm specifier to PK_SIGN request to management (nopadding or

[Openvpn-devel] [PATCH v5 2/2] Add support for OpenSSL TLS 1.3 when using management-external-key

2018-10-31 Thread Arne Schwabe
For TLS 1.0 to 1.2 and OpenSSL 1.1.0 calls us and requires a PKCS1 padded response. As TLS 1.3 mandates RSA-PSS padding support and also requires a TLS 1.3 implementation to support RSA-PSS for older TLS versions, OpenSSL will query us to sign an already RSA-PSS padded string. This patch adds an