From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: Feedback on testing of openvpn connections with openssl-3.2.0
Date: Fri, 19 Jan 2024 10:54:06 +0000
In-Reply-To: <1B2B787D-8084-4856-B07F-AE4EA2C04723@ipfire.org>

Hi Michael & all,

On 17/01/2024 11:22, Michael Tremer wrote:
> Hello Adolf,
>
> Thank you very much for testing.
>
> I believe that I might have a small regression from OpenSSL 3.2.0 - at least I think it is that:
>
> https://bugzilla.ipfire.org/show_bug.cgi?id=13527
>
> Apache won't start if a system has been upgraded for a long time and is using an older RSA key.
>
> I could not find any indication in the change log of OpenSSL, but since we did not touch Apache itself in this update, I cannot come up with any other idea.

When I raised the patch I looked through the logs and didn't find anything that sprang out to me as being a problem. When Arne raised that bug I went back and had another look at the logs and searched through them with various phrases and couldn't find anything either related to it.

When I did my unstable update Apache did not stop for me. I had another look at it just now and my RSA cert has a 4096 bit key. I must have re-created it myself at some time in the past. The original version of the vm is probably around 6 to 12 months old from when I had to re-install it due to some problem.

My production system has a 2048 bit key. Maybe that makes the difference.

I will do some clones of my vm and re-create the Apache server certs with 1024 and 2048 bit certs and test doing the update and see if I get the same problem with either of those two sizes.

>
> Since we are already using ECDSA keys as well as RSA keys, how about dropping the RSA keys altogether to solve this problem?

We could do that but I would think 4096 bit keys are still okay for RSA.

Will let you know what I find with my testing.

Regards,
Adolf.

>
> -Michael
>
>> On 16 Jan 2024, at 14:18, Adolf Belka wrote:
>>
>> Hi All,
>>
>> At the last video call we agreed to test out openvpn and ipsec with the openssl-3.2.0 version that is in next.
>>
>> I cloned a vm and updated it to unstable (CU183) and ran my existing openvpn connections on it that had been created with an older version of openssl-3.x. Everything worked without any problems.
>>
>> I then created new connections with openssl-3.2.0 and tested them out. Again the connection was successfully made and I could access the remote green machine with no problems.
>>
>> So for openvpn there looks to be no issues with openssl-3.2.0 from my testing.
>>
>> Regards,
>> Adolf.
>>
>> --
>> Sent from my laptop
>>
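An added example, not code from this thread or from the IPFire project, for the Apache/RSA-key failure Michael reports and the 1024/2048/4096-bit comparison Adolf plans: a POSIX shell script that reads the key size out of a PEM certificate with the openssl CLI and checks it against the RSA minimums documented in SSL_CTX_set_security_level(3) (1024 bits at level 1, 2048 at level 2, 3072 at level 3). OpenSSL 3.2.0 raised the default TLS security level from 1 to 2, so a 1024-bit server key that passed at level 1 is rejected by the new default. The function names and the self-signed test certificates are my own assumptions; the script assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example (not IPFire's or the thread's code): read the public key size out of
# an Apache PEM certificate with the openssl CLI and compare it against OpenSSL's
# documented security-level minimums for RSA. Assumes openssl is on PATH.
set -eu

# Print "<algorithm> <bits>" for the certificate in $1, e.g. "rsaEncryption 2048".
# Handles both "Public-Key: (2048 bit)" (3.x) and "RSA Public-Key: (2048 bit)" (1.1.x).
cert_key_info() {
    openssl x509 -in "$1" -noout -text |
        awk '/Public Key Algorithm:/ { alg = $NF }
             /Public-Key: \(/ { gsub(/[()]/, "", $(NF-1)); print alg, $(NF-1); exit }'
}
cert_alg()  { cert_key_info "$1" | cut -d' ' -f1; }
cert_bits() { cert_key_info "$1" | cut -d' ' -f2; }

# Minimum RSA modulus size for security level $1, per SSL_CTX_set_security_level(3).
level_min_bits() {
    case $1 in
        1) echo 1024 ;;
        2) echo 2048 ;;
        3) echo 3072 ;;
        *) echo "unknown security level: $1" >&2; return 2 ;;
    esac
}

# Succeed when a $1-bit RSA key is acceptable at security level $2.
meets_level() {
    [ "$1" -ge "$(level_min_bits "$2")" ]
}

# Constructed test data: a throwaway self-signed cert/key of $1 bits under prefix $2,
# standing in for the 1024/2048/4096-bit Apache certs discussed in the thread.
make_test_cert() {
    openssl req -x509 -newkey "rsa:$1" -nodes -keyout "$2.key" -out "$2.crt" \
        -days 1 -subj "/CN=test-$1" >/dev/null 2>&1
}

# Usage: sh check_rsa.sh /path/to/server.crt [level]   (level defaults to 2)
if [ -n "${1:-}" ]; then
    level=${2:-2}
    alg=$(cert_alg "$1"); bits=$(cert_bits "$1")
    if [ "$alg" != rsaEncryption ]; then
        echo "$1: $alg key ($bits bit); this check covers RSA thresholds only" >&2
        exit 2
    elif meets_level "$bits" "$level"; then
        echo "$1: $bits-bit RSA key, acceptable at security level $level"
    else
        echo "$1: $bits-bit RSA key is below the $(level_min_bits "$level")-bit minimum of level $level" >&2
        exit 1
    fi
fi
```

ECDSA certificates report their curve size on the same line, so the script refuses them rather than applying RSA thresholds to them.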