OpenSSL update to 3.x related to some OpenVPN questions

[ummeegge <ummeegge@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 1470 bytes --]

Hi all,
am currently working with the current OpenVPN-2.6_dev version and have
had three questions in mind.

1) Is a OpenSSL update to 3.x currently in plan ? As far as i can see
all needed updates for related software are meanwhile ready.

2) The current *.p12 archiv format on IPFire´s OpenVPN uses for PKCS7
encryption 'pbeWithSHA1And40BitRC2' which can only be used with the "-
provider legacy" option otherwise RC2-40-CBC won´t be accepted.
On my both machines -->

No LSB modules are available.
Distributor ID:	Kali
Description:	Kali GNU/Linux Rolling
Release:	2022.3
Codename:	kali-rolling
OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)


LSB Version:	:core-4.1-amd64:core-4.1-noarch
Distributor ID:	Fedora
Description:	Fedora release 36 (Thirty Six)
Release:	36
Codename:	ThirtySix
OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)

OpenSSL-3.x is menwhile in usage and by decrypting the *.p12 files the
in here described errors -->
https://community.ipfire.org/t/ovpn-cert-creation-algo/7911
appear. Without any further interventions, the regular authentication
(PWD) process won´t work.

3) Before OpenSSL 3.x will be updated in IPFire, makes it sense to
bring up some warnings if BF, CAST and DES* (may also SHA1) are in
usage ? Otherwise, the OpenSSL update can also be a show stopper for
OpenVPN connections on systems which uses the above mentioned ciphers
or should the ‘-provider legacy’ flag handle this ?

Best,

Erik