Hi Michael & all,

On 17/01/2024 11:22, Michael Tremer wrote:
> Hello Adolf,
>
> Thank you very much for testing.
>
> I believe that I might have a small regression from OpenSSL 3.2.0 - at least I think it is that:
>
> https://bugzilla.ipfire.org/show_bug.cgi?id=13527
>
> Apache won’t start if a system has been upgraded for a long time and is using an older RSA key.
>
> I could not find any indication in the change log of OpenSSL, but since we did not touch Apache itself in this update, I cannot come up with any other idea.

When I raised the patch I looked through the logs and didn't find anything that sprung out to me as being a problem. When Arne raised that bug I went back and had another look at the logs and searched through them with various phrases and couldn't find anything either related to it.

When I did my unstable update Apache did not stop for me. I had another look at it just now and my RSA cert has a 4096 bit key. I must have re-created it myself at some time in the past. The original version of the vm is probably around 6 to 12 months old from when I had to re-install it due to some problem.

My production system has a 2048 bit key. Maybe that makes the difference.

I will do some clones of my vm and re-create the Apache server certs with 1024 and 2048 bit certs and test doing the update and see if I get the same problem with either of those two sizes.

>
> Since we are already using ECDSA keys as well as RSA keys, how about dropping the RSA keys altogether to solve this problem?

We could do that but I would think 4096 bit keys are still okay for RSA.

Will let you know what I find with my testing.

Regards,
Adolf.

>
> -Michael
>
>> On 16 Jan 2024, at 14:18, Adolf Belka wrote:
>>
>> Hi All,
>>
>> At the last video call we agreed to test out openvpn and ipsec with the openssl-3.2.0 version that is in next.
>>
>> I cloned a vm and updated it to unstable (CU183) and ran my existing openvpn connections on it that had been created with an older version of openssl-3.x. Everything worked without any problems.
>>
>> I then created new connections with openssl-3.2.0 and tested them out. Again the connection was successfully made and I could access the remote green machine with no problems.
>>
>> So for openvpn there look to be no issues with openssl-3.2.0 from my testing.
>>
>> Regards,
>> Adolf.
>>
>> --
>> Sent from my laptop
>>
>