On 26/06/17 13:13, Arne Schwabe wrote:
> OpenSSL 1.1 does not allow MD5 signed certificates by default anymore. This
> can be enabled again by setting tls-cipher "DEFAULT:@SECLEVEL=0" but only if
> the cipher list is set before loading the certificates. This patch changes
> the order of loading.
I'm not fully convinced of the argumentation for this feature - unless something has changed in OpenSSL 1.1. I believe the same can be achieved by setting an environment variable before starting OpenVPN.

  $ OPENSSL_ENABLE_MD5_VERIFY=1 /usr/sbin/openvpn ....

I know several Fedora users have deployed this, even when systemd is involved. This is needed on systems with OpenSSL 1.0 as well when they connect to a server having an MD5 based certificate or signed by a CA with an MD5 based certificate.

So unless OpenSSL 1.1 has changed this behaviour from OpenSSL 1.0, I'm not really convinced we need this.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
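Added example, not part of this thread and not OpenVPN or OpenSSL code: before relaxing SECLEVEL or exporting OPENSSL_ENABLE_MD5_VERIFY, it helps to know which certificates in the chain actually carry an MD5 signature (md5WithRSAEncryption, OID 1.2.840.113549.1.1.4), so that those can be re-issued instead. The script below walks the outer DER structure of a PEM or DER certificate with no external libraries and reports its signatureAlgorithm OID; the certificates at the bottom are constructed stand-ins, not real certificates.

```python
import base64
import re

# md5WithRSAEncryption, the signature algorithm OpenSSL 1.1 rejects at its default security level
MD5_WITH_RSA = "1.2.840.113549.1.1.4"

def _tlv(buf, off):
    """Decode one DER tag/length at `off`; return (tag, value_start, value_end)."""
    tag, ln, hdr = buf[off], buf[off + 1], 2
    if ln & 0x80:                                  # long-form length (0x81 nn, 0x82 nn nn, ...)
        n = ln & 0x7F
        ln = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr += n
    return tag, off + hdr, off + hdr + ln

def _oid(raw):                                     # DER OBJECT IDENTIFIER content -> dotted string
    arcs, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                           # high bit clear ends a base-128 arc
            arcs.append(str(val))
            val = 0
    return ".".join(arcs)

def signature_oid(cert):
    """Dotted OID of an X.509 certificate's signatureAlgorithm; accepts PEM or DER bytes."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        cert = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", cert))
    tag, start, _ = _tlv(cert, 0)                  # Certificate ::= SEQUENCE {
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = _tlv(cert, start)              #   tbsCertificate,
    _, alg_start, _ = _tlv(cert, tbs_end)          #   signatureAlgorithm ::= SEQUENCE {
    tag, o_start, o_end = _tlv(cert, alg_start)    #     algorithm OBJECT IDENTIFIER, ... } }
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _oid(cert[o_start:o_end])

def is_md5_signed(cert):
    """True when this certificate's own signature uses MD5; run it on every cert in the chain."""
    return signature_oid(cert) == MD5_WITH_RSA

def _der(tag, content):                            # short-form DER element, for the samples below
    return bytes([tag, len(content)]) + content

# Constructed stand-ins (not real certs): dummy tbsCertificate, AlgorithmIdentifier under test, empty BIT STRING
_TBS = _der(0x30, _der(0x02, b"\x01"))
_MD5_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010104")) + b"\x05\x00")
_SHA256_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
MD5_CERT = _der(0x30, _TBS + _MD5_ALG + _der(0x03, b"\x00"))
SHA256_CERT = _der(0x30, _TBS + _SHA256_ALG + _der(0x03, b"\x00"))
MD5_CERT_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(MD5_CERT) + b"\n-----END CERTIFICATE-----\n"
```

Run `is_md5_signed()` over the leaf, each intermediate and the CA from the OpenVPN `ca`/`cert` files; a single MD5-signed certificate anywhere in that chain is what triggers the SECLEVEL failure.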
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel