On 26.06.17 at 13:51, David Sommerseth wrote:
> On 26/06/17 13:13, Arne Schwabe wrote:
>> OpenSSL 1.1 does not allow MD5 signed certificates by default anymore. This
>> can be enabled again by setting tls-cipher "DEFAULT:@SECLEVEL=0" but only
>> if the cipher list is set before loading the certificates. This patch
>> changes the order of loading.
>
> I'm not fully convinced of the argumentation for this feature - unless
> something has changed in OpenSSL 1.1. I believe the same can be
> achieved by setting an environment variable before starting OpenVPN.
>
> $ OPENSSL_ENABLE_MD5_VERIFY=1 /usr/sbin/openvpn ....
>
> I know several Fedora users have deployed this, even when systemd is
> involved. This is needed on systems with OpenSSL 1.0 as well when they
> connect to a server having an MD5 based certificate or signed by a CA
> with an MD5 based certificate.
>
> So unless OpenSSL 1.1 has changed this behaviour from OpenSSL 1.0, I'm
> not really convinced we need this.
>
See this also as a bugfix. Since tls-cipher options affect certificate loading, it is good to set it before certificate loading. E.g. you might want to use @SECLEVEL=5 to only allow loading of SHA256 based certificates.

Also I think your option is Fedora specific, as I could not find anything in the source code in my OSSL copy, and the message also mentions it being Fedora specific:

** WARNING ** [Fedora modification] MD5 certificate hash re-enabled via OPENSSL_ENABLE_MD5_VERIFY environment variable.

Arne