On 07.10.14 16:32, Sio Poh Tan wrote:
> Hi Samuli,
>
> Thanks for your reply. I've checked on the link that you provided. However, it does not mention whether the Windows Crypto API integration supports TLS 1.2 implementation. I understand that it does support TLS 1.0 implementation, similar to the OpenVPN community version. If the OpenVPN Connect client is based on the community version, then I doubt it supports TLS 1.2 using cryptoapicert as I've tested with the community version. Please correct me if I'm wrong.
>
> I hope someone will be interested to work on this implementation as my team is having a tight schedule implementing this for a project.

Probably it uses the management API and the external-key-management API of the management interface. My Android client (OpenVPN for Android) uses that API to work with the Android keystore and does TLS 1.2 just fine. That OpenVPN Connect can use the MAC Crypto store which OpenVPN does not support kind of confirms that theory.

For anyone who wants to pick up this work: this probably only requires replacing the API calls which do RSA signing of the SHA1 checksum with an API call that can do signing of SHA1 + SHA* variants (basically signing longer bitstrings).

Arne
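The point about signing longer bitstrings, as an added example that is not part of the original mails and is not OpenVPN code: a management-interface client answers a `>RSA_SIGN:` notification with an `rsa-sig` reply by applying PKCS#1 v1.5 padding and the private-key operation to whatever bytes it is given, so the 36-byte TLS 1.0/1.1 input and the 51-byte TLS 1.2 SHA-256 DigestInfo both work. The toy 511-bit key, the sample inputs and all function names are constructed for illustration.

```python
import base64, hashlib

# Constructed toy RSA key built from two well-known 256-bit primes; illustration only.
P = 2**255 - 19
Q = 2**256 - 2**32 - 977
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus size in bytes (64)

# DER DigestInfo prefix for SHA-256 (PKCS#1 v1.5, RFC 8017 section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def pkcs1_type1_pad(data: bytes) -> bytes:
    """EM = 00 01 FF..FF 00 || data, for any data that fits the modulus."""
    if len(data) > K - 11:
        raise ValueError("input too long for this key")
    return b"\x00\x01" + b"\xff" * (K - 3 - len(data)) + b"\x00" + data

def raw_sign(data: bytes) -> bytes:
    """Private-key operation over the padded input: no hashing, no fixed length."""
    em = int.from_bytes(pkcs1_type1_pad(data), "big")
    return pow(em, D, N).to_bytes(K, "big")

def handle_notification(line: str) -> str:
    """Answer a '>RSA_SIGN:<base64>' notification with an rsa-sig command."""
    prefix = ">RSA_SIGN:"
    if not line.startswith(prefix):
        raise ValueError("not an RSA_SIGN notification")
    to_sign = base64.b64decode(line[len(prefix):], validate=True)
    sig = base64.b64encode(raw_sign(to_sign)).decode()
    chunks = [sig[i:i + 64] for i in range(0, len(sig), 64)]
    return "\n".join(["rsa-sig", *chunks, "END"])

def recover(reply: str) -> bytes:
    """Verifier side: public-key operation, then strip the type 1 padding."""
    sig = base64.b64decode("".join(reply.split("\n")[1:-1]))
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    return em[em.index(b"\x00", 2) + 1:]

# Constructed inputs: what a TLS 1.0/1.1 and a TLS 1.2 handshake hand to the signer.
hs = b"constructed handshake transcript"
TLS10_INPUT = hashlib.md5(hs).digest() + hashlib.sha1(hs).digest()   # 36 bytes
TLS12_INPUT = SHA256_PREFIX + hashlib.sha256(hs).digest()            # 51 bytes
```

A signer that only accepts the 36-byte input, or that hashes with SHA1 itself, fails on `TLS12_INPUT`; one that pads and signs the bytes as given handles both.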