Hi all, I am currently working with the current OpenVPN-2.6_dev version and have had three questions in mind.
1) Is an OpenSSL update to 3.x currently planned? As far as I can see, all needed updates for related software are meanwhile ready.
2) The current *.p12 archive format on IPFire's OpenVPN uses 'pbeWithSHA1And40BitRC2' for PKCS7 encryption, which can only be used with the "-provider legacy" option, otherwise RC2-40-CBC won't be accepted. On both of my machines -->
No LSB modules are available.
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2022.3
Codename: kali-rolling
OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)

LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: Fedora
Description: Fedora release 36 (Thirty Six)
Release: 36
Codename: ThirtySix
OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)

OpenSSL-3.x is meanwhile in use, and when decrypting the *.p12 files the errors described here --> https://community.ipfire.org/t/ovpn-cert-creation-algo/7911 appear. Without any further intervention, the regular authentication (PWD) process won't work.
3) Before OpenSSL 3.x is updated in IPFire, does it make sense to bring up some warnings if BF, CAST and DES* (maybe also SHA1) are in use? Otherwise, the OpenSSL update can also be a show stopper for OpenVPN connections on systems which use the above-mentioned ciphers, or should the '-provider legacy' flag handle this?
Best,
Erik
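
One way to produce the warning raised in question 3, as an added example that is not part of the post and not IPFire code: a shell function that scans an OpenVPN config for the algorithms the post names (BF, CAST, DES*, SHA1, plus RC2 from question 2). The function names, the pattern list and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag OpenVPN directives naming the algorithms listed in the post.
# check_ovpn_legacy FILE prints one "WARN <directive> <algorithm>" line per hit.
# Returns 0 if nothing was flagged, 1 if something was, 2 if FILE is unreadable.
check_ovpn_legacy() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    hits=$(awk '
        # Strip comments (# or ;) and skip lines without an argument.
        { sub(/[#;].*/, "") }
        NF < 2 { next }
        {
            d = tolower($1)
            if (d == "cipher" || d == "data-ciphers" ||
                d == "ncp-ciphers" || d == "data-ciphers-fallback") {
                # data-ciphers and ncp-ciphers take a colon-separated list.
                n = split(toupper($2), a, ":")
                for (i = 1; i <= n; i++)
                    if (a[i] ~ /^(BF|CAST5?|DES|DESX|RC2)(-|$)/)
                        print "WARN", d, a[i]
            } else if (d == "auth" && toupper($2) == "SHA1") {
                print "WARN", d, "SHA1"
            }
        }' "$conf")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample config (not taken from a real system).
sample_conf() {
    cat <<'EOF'
# roadwarrior.ovpn (constructed)
client
dev tun
cipher BF-CBC
data-ciphers AES-256-GCM:CAST5-CBC:DES-EDE3-CBC
auth SHA1
;cipher DES-CBC
pkcs12 client.p12
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
check_ovpn_legacy "$tmp" || echo "flagged algorithms found, review before an OpenSSL 3.x update"
rm -f "$tmp"
```

The pattern follows the post's `DES*` wording, so it also flags `DES-EDE3-CBC`; the commented-out `;cipher DES-CBC` line is ignored.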