From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: OpenSSL update to 3.x related to some OpenVPN questions
Date: Fri, 16 Sep 2022 15:19:22 +0200
Message-ID: <70B0C6EE-D41F-4B3D-A394-6E58EA79A3F7@ipfire.org>

Hello Erik,

> On 16 Sep 2022, at 15:17, ummeegge wrote:
>
> Hi all,
> I am currently working with the current OpenVPN-2.6_dev version and have
> had three questions in mind.
>
> 1) Is an OpenSSL update to 3.x currently planned? As far as I can see
> all needed updates for related software are meanwhile ready.

Yes. Peter is pretty much done with that, but the monitoring plugins are the
only blocker that is left.

> 2) The current *.p12 archive format on IPFire's OpenVPN uses
> 'pbeWithSHA1And40BitRC2' for the PKCS7 encryption, which can only be used
> with the "-provider legacy" option, otherwise RC2-40-CBC won't be accepted.
> On both my machines -->
>
> No LSB modules are available.
> Distributor ID: Kali
> Description:    Kali GNU/Linux Rolling
> Release:        2022.3
> Codename:       kali-rolling
> OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)
>
> LSB Version:    :core-4.1-amd64:core-4.1-noarch
> Distributor ID: Fedora
> Description:    Fedora release 36 (Thirty Six)
> Release:        36
> Codename:       ThirtySix
> OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
>
> OpenSSL 3.x is meanwhile in use, and when decrypting the *.p12 files the
> errors described here -->
> https://community.ipfire.org/t/ovpn-cert-creation-algo/7911
> appear. Without any further intervention, the regular authentication
> (PWD) process won't work.

Meaning? Can we replace this format by anything else and keep the password
protection?
> 3) Before OpenSSL 3.x is updated in IPFire, does it make sense to
> bring up some warnings if BF, CAST and DES* (maybe also SHA1) are in
> use? Otherwise, the OpenSSL update can also be a show stopper for
> OpenVPN connections on systems which use the above mentioned ciphers,
> or should the '-provider legacy' flag handle this?

I suppose we will need to enable this since we have too many installations on
the old settings out there. We still don't have cipher negotiation.

-Michael

>
> Best,
>
> Erik
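For questions 2 and 3 above, an added migration check that is not part of this thread or of IPFire: a small standard-library Python DER walker that lists the PBE algorithm OIDs inside a .p12 file, so bundles still protected with pbeWithSHA1And40BitRC2-CBC (which OpenSSL 3 only opens with the legacy provider) can be reported before the upgrade. Function names are assumptions; the two sample blobs are constructed here, not real bundles.

```python
PKCS12_PBE_PREFIX = "1.2.840.113549.1.12.1."   # pbeWithSHA1And40BitRC2-CBC is arc .6
def _read_tlv(buf, pos):
    """(tag, content_start, content_end) of the DER element at pos; single-byte tags."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length overruns buffer")
    return tag, pos, pos + length

def _decode_oid(raw):
    arcs = [2, raw[0] - 80] if raw[0] >= 80 else [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                          # base-128 arcs, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def collect_oids(buf):
    """All OIDs in buf; descends into constructed types and into OCTET STRINGs
    that hold valid DER, which is how PKCS#12 nests its SafeContents."""
    found, pos = [], 0
    while pos < len(buf):
        tag, start, end = _read_tlv(buf, pos)
        body, pos = buf[start:end], end
        if tag == 0x06:                        # OBJECT IDENTIFIER
            found.append(_decode_oid(body))
        elif tag & 0x20:                       # SEQUENCE, SET, [0] ...
            found.extend(collect_oids(body))
        elif tag == 0x04:                      # OCTET STRING: maybe nested DER
            try:
                found.extend(collect_oids(body))
            except (ValueError, IndexError):
                pass                           # ciphertext or other opaque bytes
    return found
def needs_legacy_provider(buf):                # any PKCS#12-PBE OID => OpenSSL 3 needs -provider legacy
    return any(o.startswith(PKCS12_PBE_PREFIX) for o in collect_oids(buf))
def _der(tag, body):                           # short-form DER encoder for the samples
    return bytes([tag, len(body)]) + body
# Constructed samples, not real bundles: the AlgorithmIdentifier behind "PKCS7 Encrypted
# data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048" nested in an OCTET STRING beside
# opaque bytes that must not be mistaken for DER, and a PBES2 (1.2.840.113549.1.5.13) one.
LEGACY_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010c0106"))
                  + _der(0x30, _der(0x04, b"\x01" * 8) + _der(0x02, b"\x08\x00")))
SAMPLE_LEGACY = _der(0x30, _der(0x04, LEGACY_ALG) + _der(0x04, b"\xff\xfe\x00\x10"))
SAMPLE_MODERN = _der(0x30, _der(0x04, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01050d")))))
```

Run collect_oids() over the bytes of each exported client bundle; anything for which needs_legacy_provider() is true will only open under OpenSSL 3 with the legacy provider and is a candidate for re-export with a PBES2-based cipher.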