From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Feedback on testing of openvpn connections with openssl-3.2.0
Date: Wed, 17 Jan 2024 10:22:43 +0000
Message-ID: <1B2B787D-8084-4856-B07F-AE4EA2C04723@ipfire.org>

Hello Adolf,

Thank you very much for testing.

I believe that I might have a small regression from OpenSSL 3.2.0 - at least I think it is that:

https://bugzilla.ipfire.org/show_bug.cgi?id=13527

Apache won’t start if a system has been upgraded for a long time and is using an older RSA key.

I could not find any indication in the change log of OpenSSL, but since we did not touch Apache itself in this update, I cannot come up with any other idea.

Since we are already using ECDSA keys as well as RSA keys, how about dropping the RSA keys altogether to solve this problem?

-Michael

> On 16 Jan 2024, at 14:18, Adolf Belka wrote:
>
> Hi All,
>
> At the last video call we agreed to test out openvpn and ipsec with the openssl-3.2.0 version that is in next.
>
> I cloned a vm and updated it to unstable (CU183) and ran my existing openvpn connections on it that had been created with an older version of openssl-3.x. Everything worked without any problems.
>
> I then created new connections with openssl-3.2.0 and tested them out. Again the connection was successfully made and I could access the remote green machine with no problems.
>
> So for openvpn there looks to be no issues with openssl-3.2.0 from my testing.
>
> Regards,
> Adolf.
>
> --
> Sent from my laptop
>