Hi,

On Wed, Nov 22, 2017 at 09:49:47AM -0500, Jim Carroll wrote:
> I'm not sure how to resolve this issue. tls1_PRF() is building data channel
> keys exchanged between the client and server. It would appear to me that MD5
> is "baked into" the OpenVPN key negotiation in a way that cannot be simply
> omitted/skip/replaced, without a coordinated code change to all downstream
> client code as well (including IOS). Is that correct?

This is correct. MD5 for the PRF is essential for the wire protocol, and
changing this will be incompatible with all unchanged clients.

OTOH, MD5 is perfectly fine in FIPS code *iff* it's not used as a hash but
for other purposes. I seem to remember that there is a magic call you need
to do to tell the FIPS side of things "hey, this invocation of MD5 is good".

We had the discussion on the openvpn-devel list some time ago (two years
maybe?) so google might find something more authoritative here.

gert
--
now what should I write here...

Gert Doering - Munich, Germany                             g...@greenie.muc.de
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel