Hi Michael & all,
On 17/01/2024 11:22, Michael Tremer wrote:
> Hello Adolf,
>
> Thank you very much for testing.
>
> I believe that I might have a small regression from OpenSSL 3.2.0 - at least I think it is that:
>
> https://bugzilla.ipfire.org/show_bug.cgi?id=13527
>
> Apache won’t start if a system has been upgraded for a long time and is using an older RSA key.
>
> I could not find any indication in the change log of OpenSSL, but since we did not touch Apache itself in this update, I cannot come up with any other idea.

When I raised the patch I looked through the logs and didn't find anything that sprang out at me as being a problem. When Arne raised that bug I went back and had another look at the logs and searched through them with various phrases and couldn't find anything related to it either.

When I did my unstable update Apache did not stop for me. I had another look at it just now and my RSA cert has a 4096 bit key. I must have re-created it myself at some time in the past. The original version of the VM is probably around 6 to 12 months old from when I had to re-install it due to some problem.

My production system has a 2048 bit key. Maybe that makes the difference.

I will do some clones of my VM and re-create the Apache server certs with 1024 and 2048 bit certs and test doing the update and see if I get the same problem with either of those two sizes.

> Since we are already using ECDSA keys as well as RSA keys, how about dropping the RSA keys altogether to solve this problem?

We could do that but I would think 4096 bit keys are still okay for RSA.

Will let you know what I find with my testing.

Regards,
Adolf.

> -Michael
>
>> On 16 Jan 2024, at 14:18, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>
>> Hi All,
>>
>> At the last video call we agreed to test out openvpn and ipsec with the openssl-3.2.0 version that is in next.
>>
>> I cloned a VM and updated it to unstable (CU183) and ran my existing openvpn connections on it that had been created with an older version of openssl-3.x. Everything worked without any problems.
>>
>> I then created new connections with openssl-3.2.0 and tested them out. Again the connection was successfully made and I could access the remote green machine with no problems.
>>
>> So for openvpn there looks to be no issues with openssl-3.2.0 from my testing.
>>
>> Regards, Adolf.
>>
>> -- Sent from my laptop
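For the key-size test plan discussed above (re-creating the Apache certs at 1024, 2048 and 4096 bits and seeing which ones survive the update), here is an added shell helper, not from this thread or from IPFire, that reports the RSA modulus size of a PEM certificate or key and flags anything below a chosen minimum. It assumes an `openssl` binary on PATH; the 2048-bit default threshold and the file paths in the usage comment are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example: report the RSA modulus size of an Apache PEM certificate or
# private key and flag anything below a minimum. Assumptions: openssl is on
# PATH; the 2048-bit default and the example paths are the tester's choice.

# Print the RSA key size in bits of a PEM file (certificate or private key).
# Prints nothing and returns 1 if the file does not hold an RSA key.
rsa_key_bits() {
    f="$1"
    if grep -q 'BEGIN CERTIFICATE' "$f"; then
        # Certificate: only trust the size if the algorithm is RSA, otherwise
        # an ECDSA cert would be reported as a "256 bit" key.
        txt=$(openssl x509 -in "$f" -noout -text 2>/dev/null) || return 1
        printf '%s\n' "$txt" | grep -q 'Public Key Algorithm: rsaEncryption' || return 1
    else
        # Private key (PKCS#1 or PKCS#8); "openssl rsa" fails on non-RSA keys.
        txt=$(openssl rsa -in "$f" -noout -text 2>/dev/null) || return 1
    fi
    # Both "Private-Key: (2048 bit, 2 primes)" and "Public-Key: (2048 bit)" match.
    bits=$(printf '%s\n' "$txt" | sed -n 's/^.*-Key: (\([0-9]*\) bit.*$/\1/p' | head -n 1)
    [ -n "$bits" ] || return 1
    echo "$bits"
}

# Compare a file's RSA size against a minimum; prints a one-line verdict and
# returns 0 when the key is at least MIN bits, 1 otherwise.
check_min_bits() {
    f="$1"; min="${2:-2048}"
    bits=$(rsa_key_bits "$f") || { echo "SKIP $f: not an RSA certificate or key"; return 1; }
    if [ "$bits" -ge "$min" ]; then
        echo "OK   $f: $bits-bit RSA (minimum $min)"
    else
        echo "FAIL $f: $bits-bit RSA is below the $min-bit minimum"
        return 1
    fi
}

# Usage (paths are placeholders):
#   MIN_RSA_BITS=2048 ./rsacheck.sh /path/to/server.crt /path/to/server.key
for f in "$@"; do
    check_min_bits "$f" "${MIN_RSA_BITS:-2048}"
done
```

Run it against the Apache cert and key on each clone before and after the update so the key size is recorded next to the start/fail result.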