>> Unless I overlooked something, I don't see any situation in which we ask
>> for an unsupported signature.
>
> Consider this:
> (i) config has --management-external-key nopadding but client announces
> version > 2. We will not error out but send the signature request as
> PK_SIGN <base64data>
> without the ALG as client version is not 3 and fail

We can error out on version on the management line. But this is also a kind of obscure misconfiguration, since why would you add nopadding to the config if you cannot support it?

> (ii) tls version max is set 1.2 and openssl 1.1.1 is in use both on
> server and client.
> PSS signing will get negotiated but we will not error out early as TLS
> 1.3 is not in use.
>
> That's why I say that this extension of management-external-key is not worth
> it.
>
> Am I missing something?

tls_version_max will still report TLS 1.3, as it is not affected by the version set in the config but is really the max the library is capable of, irrespective of the TLS min/max version.

Arne
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel