mbedTLS 2 has a new feature that allows rejection of certificates if the key size is too small or the signing hash is weak.
The feature is controlled via struct mbedtls_x509_crt_profile. For example, you could specify that certificates must be at least 2048 bits and use a SHA-2 signing alg. Wondering if we should enable this via an option, or tie it into the existing tls-version-min. The granular approach would be to have specific options for each limit, such as ssl-min-key-size, ssl-require-sha2 The bundled approach would be to take an existing option such as tls-version-min and add additional constraints onto it. For example, if tls-version-min is 1.2 or higher, then also require minimum key size to be 2048 and certificate signing hash to be SHA-2. James ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
