From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: OpenSSL update to 3.x related to some OpenVPN questions
Date: Fri, 16 Sep 2022 15:19:22 +0200 [thread overview]
Message-ID: <70B0C6EE-D41F-4B3D-A394-6E58EA79A3F7@ipfire.org> (raw)
In-Reply-To: <e218567575c5aa231a008e5205494f1bddcdf35f.camel@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 2047 bytes --]
Hello Erik,
> On 16 Sep 2022, at 15:17, ummeegge <ummeegge(a)ipfire.org> wrote:
>
> Hi all,
> am currently working with the current OpenVPN-2.6_dev version and have
> had three questions in mind.
>
> 1) Is a OpenSSL update to 3.x currently in plan ? As far as i can see
> all needed updates for related software are meanwhile ready.
Yes. Peter is pretty much done with that, but the monitoring plugins are the only blocker that is left.
> 2) The current *.p12 archiv format on IPFire´s OpenVPN uses for PKCS7
> encryption 'pbeWithSHA1And40BitRC2' which can only be used with the "-
> provider legacy" option otherwise RC2-40-CBC won´t be accepted.
> On my both machines -->
>
> No LSB modules are available.
> Distributor ID: Kali
> Description: Kali GNU/Linux Rolling
> Release: 2022.3
> Codename: kali-rolling
> OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)
>
>
> LSB Version: :core-4.1-amd64:core-4.1-noarch
> Distributor ID: Fedora
> Description: Fedora release 36 (Thirty Six)
> Release: 36
> Codename: ThirtySix
> OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
>
> OpenSSL-3.x is menwhile in usage and by decrypting the *.p12 files the
> in here described errors -->
> https://community.ipfire.org/t/ovpn-cert-creation-algo/7911
> appear. Without any further interventions, the regular authentication
> (PWD) process won´t work.
Meaning? Can we replace this format by anything else and keep the password protection?
> 3) Before OpenSSL 3.x will be updated in IPFire, makes it sense to
> bring up some warnings if BF, CAST and DES* (may also SHA1) are in
> usage ? Otherwise, the OpenSSL update can also be a show stopper for
> OpenVPN connections on systems which uses the above mentioned ciphers
> or should the ‘-provider legacy’ flag handle this ?
I suppose we will need to enable this since we have too many installations on the old settings out there.
We still don’t have cipher negotiation.
-Michael
>
> Best,
>
> Erik
next prev parent reply other threads:[~2022-09-16 13:19 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-16 13:17 ummeegge
2022-09-16 13:19 ` Michael Tremer [this message]
2022-09-16 14:12 ` ummeegge
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=70B0C6EE-D41F-4B3D-A394-6E58EA79A3F7@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox