Re: Feedback on testing of openvpn connections with openssl-3.2.0

[Adolf Belka <adolf.belka@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 2487 bytes --]

Hi Michael & all,

On 17/01/2024 11:22, Michael Tremer wrote:
> Hello Adolf,
> 
> Thank you very much for testing.
> 
> I believe that I might have a small regression from OpenSSL 3.2.0 - at least I think it is that:
> 
>    https://bugzilla.ipfire.org/show_bug.cgi?id=13527
> 
> Apache won’t start if a system has been upgraded for a long time and is using an older RSA key.
> 
> I could not find any indication in the change log of OpenSSL, but since we did not touch Apache itself in this update, I cannot come up with any other idea.

When I raised the patch I looked through the logs and didn't find anything that sprung out to me as being a problem. When Arne raised that bug I went back and had another look at the logs and searched though them with various phrases and couldn't find anything either related to it.

When I did my unstable update Apache did not stop for me. I had another look at it just now and my RSA cert has a 4096 bit key. I must have re4-created it myself at some time in the past. The original version of the vm is probably around 6 to 12 months old from when I had to re-install it due to some problem.

My production system has a 2048 bit key. Maybe that makes the difference.

I will do some clones of my vm and re-create the Apache server certs with 1024 and 2048 bit certs and test doing the update and see if I get the same problem with either of those two sizes.


> 
> Since we are already using ECDSA keys as well as RSA keys, how about dropping the RSA keys altogether to solve this problem?

We could do that but I would think 4096 bit keys are still okay for RSA.

Will let you know what I find with my testing.

Regards,

Adolf.

> 
> -Michael
> 
>> On 16 Jan 2024, at 14:18, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>>
>> Hi All,
>>
>> At the last video call we agreed to test out openvpn and ipsec with the openssl-3.2.0 version that is in next.
>>
>> I cloned a vm and updated it to unstable (CU183) and ran my existing openvpn connections on it that had been created with an older version of openssl-3.x. Everything worked without any problems.
>>
>> I then created new connections with openssl-3.2.0 and tested them out. Again the connection was successfully made and I could access the remote green machine with no problems.
>>
>> So for openvpn there looks to be no issues with openssl-3.2.0 from my testing.
>>
>> Regards,
>> Adolf.
>>
>> -- 
>> Sent from my laptop
>>
>