Hello Erik,
On 16 Sep 2022, at 15:17, ummeegge <ummeegge@ipfire.org> wrote:
Hi all, I am currently working with the current OpenVPN-2.6_dev version and have three questions in mind.
- Is an OpenSSL update to 3.x currently planned? As far as I can see, all needed updates for related software are meanwhile ready.
Yes. Peter is pretty much done with that, but the monitoring plugins are the only blocker that is left.
- The current *.p12 archive format on IPFire's OpenVPN uses 'pbeWithSHA1And40BitRC2' for the PKCS7 encryption, which can only be used with the "-provider legacy" option; otherwise RC2-40-CBC won't be accepted. On both of my machines -->
    No LSB modules are available.
    Distributor ID: Kali
    Description:    Kali GNU/Linux Rolling
    Release:        2022.3
    Codename:       kali-rolling
    OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)

    LSB Version:    :core-4.1-amd64:core-4.1-noarch
    Distributor ID: Fedora
    Description:    Fedora release 36 (Thirty Six)
    Release:        36
    Codename:       ThirtySix
    OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
OpenSSL-3.x is meanwhile in use, and when decrypting the *.p12 files the errors described here --> https://community.ipfire.org/t/ovpn-cert-creation-algo/7911 appear. Without any further intervention, the regular authentication (PWD) process won't work.
Meaning? Can we replace this format by anything else and keep the password protection?
- Before OpenSSL 3.x is updated in IPFire, does it make sense to bring up some warnings if BF, CAST and DES* (maybe also SHA1) are in use? Otherwise, the OpenSSL update can also be a show stopper for OpenVPN connections on systems which use the above mentioned ciphers, or should the '-provider legacy' flag handle this?
I suppose we will need to enable this since we have too many installations on the old settings out there.
We still don’t have cipher negotiation.
-Michael
Best,
Erik
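An added example (not code from the IPFire project or from either mail above) showing what "replace this format and keep the password protection" can look like in practice: the .p12 is exported with PBES2/AES-256-CBC for both the certificate and key bags and a SHA-256 MAC, which OpenSSL 3.x reads from the default provider, so neither OpenVPN nor the openssl CLI needs -provider legacy. It also shows how to inspect an existing bundle for the pbeWithSHA1And40BitRC2-CBC scheme. It assumes a working openssl CLI (1.1.1 or 3.x); the file names, the subject "/CN=example-client" and the password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not IPFire code. Export a password-protected PKCS#12 bundle
# with modern (default-provider) algorithms and inspect which PBE schemes a
# bundle uses. Assumes the "openssl" CLI is installed; all names below are
# constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="${PASS:-example-password}"   # constructed sample export password

# Create a throwaway self-signed key and certificate to put into the bundle.
gen_test_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-client" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Export with explicit modern algorithms. Without -certpbe, older OpenSSL
# releases defaulted the certificate bag to pbeWithSHA1And40BitRC2-CBC, the
# legacy-provider-only scheme the thread runs into on OpenSSL 3.x.
export_modern_p12() {
  openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
    -out "$WORK/modern.p12" -passout "pass:$PASS" \
    -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256
}

# Print the MAC and bag-encryption lines that "openssl pkcs12 -info" reports
# for a bundle (it writes them to stderr). The pipeline fails if the default
# provider cannot read the bundle at all.
p12_algorithms() {
  openssl pkcs12 -info -in "$1" -passin "pass:$PASS" -noout 2>&1 \
    | grep -E 'MAC|PBES2|pbeWith'
}

# Classify a bundle: "modern" when only PBES2 schemes appear, "legacy" when a
# pbeWith* scheme (RC2-40, 3DES) appears or the bundle cannot be read.
p12_classify() {
  algs="$(p12_algorithms "$1" 2>/dev/null)" || { echo legacy; return 0; }
  if printf '%s\n' "$algs" | grep -q 'pbeWith'; then
    echo legacy
  else
    echo modern
  fi
}

gen_test_identity
export_modern_p12
p12_algorithms "$WORK/modern.p12"
echo "modern.p12 classification: $(p12_classify "$WORK/modern.p12")"
```

The export password is still what protects the private key; only the key-derivation and encryption schemes change. Running p12_classify over the bundles an existing installation already holds is one way to find the ones that would stop working after an OpenSSL update, which is the warning the third question asks about.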