Hello Erik,

> On 16 Sep 2022, at 15:17, ummeegge wrote:
>
> Hi all,
> I am currently working with the current OpenVPN-2.6_dev version and have
> had three questions in mind.
>
> 1) Is an OpenSSL update to 3.x currently planned? As far as I can see
> all needed updates for related software are meanwhile ready.

Yes. Peter is pretty much done with that, but the monitoring plugins are the only blocker that is left.

> 2) The current *.p12 archive format on IPFire's OpenVPN uses for PKCS7
> encryption 'pbeWithSHA1And40BitRC2' which can only be used with the
> "-provider legacy" option, otherwise RC2-40-CBC won't be accepted.
> On both my machines -->
>
> No LSB modules are available.
> Distributor ID: Kali
> Description: Kali GNU/Linux Rolling
> Release: 2022.3
> Codename: kali-rolling
> OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)
>
>
> LSB Version: :core-4.1-amd64:core-4.1-noarch
> Distributor ID: Fedora
> Description: Fedora release 36 (Thirty Six)
> Release: 36
> Codename: ThirtySix
> OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
>
> OpenSSL-3.x is meanwhile in use, and when decrypting the *.p12 files the
> errors described here -->
> https://community.ipfire.org/t/ovpn-cert-creation-algo/7911
> appear. Without any further interventions, the regular authentication
> (PWD) process won't work.

Meaning? Can we replace this format with anything else and keep the password protection?

> 3) Before OpenSSL 3.x is updated in IPFire, does it make sense to
> bring up some warnings if BF, CAST and DES* (maybe also SHA1) are in
> use? Otherwise, the OpenSSL update can also be a show stopper for
> OpenVPN connections on systems which use the above mentioned ciphers,
> or should the ‘-provider legacy’ flag handle this?

I suppose we will need to enable this since we have too many installations on the old settings out there. We still don’t have cipher negotiation.

-Michael

>
> Best,
>
> Erik
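
An added example, not part of the original mail and not IPFire code: one way to check, before an OpenSSL 3.x upgrade, whether an existing *.p12 file uses a PBE scheme such as the 'pbeWithSHA1And40BitRC2' named in point 2. It walks the unencrypted outer DER structure and reports the RC2/RC4-based PKCS#12 scheme OIDs. The function names and the sample bytes are constructed for illustration, and it assumes definite-length DER.

```python
# Added example (not IPFire code): find PKCS#12 PBE schemes that need the legacy provider.
# RC2/RC4 schemes by OpenSSL long name; both ciphers live in OpenSSL 3's legacy provider.
LEGACY = {"1.2.840.113549.1.12.1." + arc: "pbeWithSHA1And" + name for arc, name in (
    ("1", "128BitRC4"), ("2", "40BitRC4"), ("5", "128BitRC2-CBC"), ("6", "40BitRC2-CBC"))}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one definite-length DER element."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length (BER) not handled")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode base-128 OID arcs; the first encoded arc packs the first two."""
    arcs, acc = [], 0
    for byte in value:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first, *arcs[1:]]))

def find_oids(buf):
    """Collect OIDs, descending into constructed types and DER-bearing OCTET STRINGs."""
    oids, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        if tag == 0x06:
            oids.append(decode_oid(value))
        elif tag & 0x20:
            oids += find_oids(value)
        elif tag == 0x04:
            try:
                oids += find_oids(value)
            except (ValueError, IndexError):
                pass  # salt or ciphertext, not nested DER
    return oids

def legacy_pbes(p12_der):
    """Sorted names of PBE schemes in the blob that need '-provider legacy' on OpenSSL 3."""
    return sorted({LEGACY[oid] for oid in find_oids(p12_der) if oid in LEGACY})

# Constructed sample: SEQ{OCTET STRING{SEQ{AlgId{OID, SEQ{salt, iterations}}, [0] data}}}
SAMPLE_RC2_40 = bytes.fromhex(
    "3028 0426 3024 301c 060a2a864886f70d010c0106 300e 040873616c7473616c74 02020800 80049c01ff10")
```

For a real file, pass its raw bytes, for example `legacy_pbes(open(path, "rb").read())`; a non-empty result means the archive should be re-exported with a modern PBE before the legacy provider is dropped.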