From: ummeegge
To: development@lists.ipfire.org
Subject: OpenSSL update to 3.x related to some OpenVPN questions
Date: Fri, 16 Sep 2022 15:17:07 +0200

Hi all,

I am currently working with the current OpenVPN-2.6_dev version and have had three questions in mind.

1) Is an OpenSSL update to 3.x currently planned? As far as I can see, all needed updates for related software are meanwhile ready.

2) The current *.p12 archive format on IPFire's OpenVPN uses 'pbeWithSHA1And40BitRC2' for PKCS7 encryption, which can only be used with the "-provider legacy" option; otherwise RC2-40-CBC won't be accepted. On both of my machines -->

    No LSB modules are available.
    Distributor ID: Kali
    Description:    Kali GNU/Linux Rolling
    Release:        2022.3
    Codename:       kali-rolling
    OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)

    LSB Version:    :core-4.1-amd64:core-4.1-noarch
    Distributor ID: Fedora
    Description:    Fedora release 36 (Thirty Six)
    Release:        36
    Codename:       ThirtySix
    OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)

OpenSSL-3.x is meanwhile in use, and when decrypting the *.p12 files the errors described here --> https://community.ipfire.org/t/ovpn-cert-creation-algo/7911 appear. Without any further interventions, the regular authentication (PWD) process won't work.

3) Before OpenSSL 3.x is updated in IPFire, does it make sense to bring up some warnings if BF, CAST and DES* (maybe also SHA1) are in use? Otherwise, the OpenSSL update can also be a show stopper for OpenVPN connections on systems which use the above-mentioned ciphers, or should the '-provider legacy' flag handle this?

Best,

Erik
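
One way to produce the warning asked about in question 3, as an added example (not part of the original message and not IPFire code): a scan of OpenVPN configuration text for cipher and auth directives that name BF, CAST, DES or RC2. The directive list, the sample configuration and the split between ciphers that need the legacy provider and ones OpenSSL 3.x still loads by default (triple DES, SHA1) are assumptions of this example.

```python
import re

# Assumption: cipher families OpenSSL 3.x serves only from the legacy
# provider (the message names BF, CAST, DES* and RC2).
LEGACY_PREFIXES = ("BF-", "CAST5-", "RC2-", "DES-", "DESX-")
# Assumption: still loadable from the default provider, so only "weak".
WEAK_DEFAULT = ("DES-EDE",)          # 2-key / 3-key triple DES
WEAK_AUTH = {"SHA1"}
CIPHER_DIRECTIVES = {"cipher", "data-ciphers",
                     "data-ciphers-fallback", "ncp-ciphers"}

# Constructed sample, not a real IPFire configuration.
SAMPLE_CONF = """\
# constructed sample
dev tun
proto udp
cipher BF-CBC
data-ciphers AES-256-GCM:CAST5-CBC:DES-EDE3-CBC
auth SHA1
;cipher DES-CBC
"""

def classify_cipher(name):
    """Return 'legacy', 'weak' or None for one cipher name."""
    n = name.upper()
    if n.startswith(WEAK_DEFAULT):   # check triple DES before plain DES
        return "weak"
    if n.startswith(LEGACY_PREFIXES):
        return "legacy"
    return None

def scan_config(text):
    """Return (line number, directive, algorithm, level) per finding."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # OpenVPN comments start with '#' or ';'
        parts = re.split(r"[#;]", raw, maxsplit=1)[0].split()
        if len(parts) < 2:
            continue
        directive = parts[0].lstrip("-").lower()
        if directive in CIPHER_DIRECTIVES:
            for name in parts[1].split(":"):   # data-ciphers is a list
                level = classify_cipher(name)
                if level:
                    findings.append((lineno, directive, name, level))
        elif directive == "auth" and parts[1].upper() in WEAK_AUTH:
            findings.append((lineno, directive, parts[1], "weak"))
    return findings

if __name__ == "__main__":
    for lineno, directive, name, level in scan_config(SAMPLE_CONF):
        print(f"line {lineno}: {directive} {name} -> {level}")
```

A "legacy" finding marks a connection that would stop working after the update unless the legacy provider is loaded; a "weak" finding would keep working and only merits a notice.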