On 20.09.19 at 22:55, Selva Nair wrote:
> Hi,
>
> Reviving this thread/patch as now users are running into this padding
> issue (trac 1216 <https://community.openvpn.net/openvpn/ticket/1216>).
>
> IIRC, we more-or-less agreed upon adding an argument (nopadding, pss etc..)
> to >PK_SIGN for new clients and erroring out with old clients that
> cannot sign with PSS padding.
>
> Selva
>

Yeah.

We did not really come to a conclusion on whether we wanted backwards compatibility or not. Since it seems that OpenSSL 1.1.1 requires the management client to understand the new way of signatures anyway, I would say we require the management client to be able to understand the signature in any case.

I think the missing piece for the patch is whether we want to error out early if we detect a config that *might* not work (the nopadding argument or any other argument to management-external-key) or whether we do not error at this point and fail later when we actually require a PSS signature.

I am more for the first version because otherwise you end up with configurations that work fine until the server is upgraded to OpenSSL 1.1.1 and then the client stops working without anything being changed (yes, I realise that is already the case at the moment).

Arne

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
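The failure mode the thread is worried about, as an added example that is not from the thread and not OpenVPN's own code: a management client that only knows how to produce PKCS#1 v1.5 blocks is asked for a signature by a server that now verifies with RSA-PSS, and the block it hands back is rejected. The example implements the two encodings from RFC 8017 (EMSA-PKCS1-v1_5 and EMSA-PSS with MGF1) in pure Python so it runs with the standard library only; it stops at the encoded block and leaves out the RSA private-key operation. It assumes SHA-256 and a 2048-bit modulus (emBits = 2047), and the padding names "pkcs1" and "pss" in `encode_for_padding` are constructed labels for the example, not the syntax of the management interface.

```python
import hashlib
import os

HASH = hashlib.sha256
H_LEN = HASH().digest_size  # 32 bytes for SHA-256

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(digest: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 (RFC 8017 section 9.2): deterministic 00 01 FF..FF 00 || DigestInfo."""
    t = SHA256_DIGESTINFO_PREFIX + digest
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 8017 appendix B.2.1) built on SHA-256."""
    out = b""
    counter = 0
    while len(out) < mask_len:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def emsa_pss_encode(digest: bytes, em_bits: int, salt=None) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 section 9.1.1); salt length defaults to the hash length."""
    em_len = (em_bits + 7) // 8
    if salt is None:
        salt = os.urandom(H_LEN)  # fresh salt per signature: PSS is randomized
    if em_len < H_LEN + len(salt) + 2:
        raise ValueError("encoding error")
    h = HASH(b"\x00" * 8 + digest + salt).digest()
    db = b"\x00" * (em_len - len(salt) - H_LEN - 2) + b"\x01" + salt
    masked_db = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - H_LEN - 1)))
    # Clear the leftmost 8*emLen - emBits bits so EM fits below the modulus.
    top_bits = 8 * em_len - em_bits
    masked_db = bytes([masked_db[0] & (0xFF >> top_bits)]) + masked_db[1:]
    return masked_db + h + b"\xbc"


def emsa_pss_verify(digest: bytes, em: bytes, em_bits: int, s_len: int = H_LEN) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 section 9.1.2); any inconsistency yields False."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + s_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[: em_len - H_LEN - 1], em[em_len - H_LEN - 1 : -1]
    top_bits = 8 * em_len - em_bits
    if masked_db[0] & ~(0xFF >> top_bits) & 0xFF:
        return False
    db = bytes(a ^ b for a, b in zip(masked_db, mgf1(h, em_len - H_LEN - 1)))
    db = bytes([db[0] & (0xFF >> top_bits)]) + db[1:]
    ps_len = em_len - H_LEN - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = db[-s_len:] if s_len else b""
    return HASH(b"\x00" * 8 + digest + salt).digest() == h


def encode_for_padding(digest: bytes, padding: str, em_bits: int) -> bytes:
    """Dispatch on the padding the peer asks for. An unknown name is rejected up front
    (the "error out early" option from the thread) instead of silently falling back
    to PKCS#1 v1.5. The names "pkcs1"/"pss" are constructed labels for this example."""
    if padding == "pkcs1":
        return emsa_pkcs1_v15_encode(digest, (em_bits + 7) // 8)
    if padding == "pss":
        return emsa_pss_encode(digest, em_bits)
    raise ValueError(f"unsupported padding scheme {padding!r}")


def demo() -> dict:
    """One digest, encoded both ways, checked against a PSS verifier (constructed input)."""
    digest = HASH(b"constructed TLS CertificateVerify transcript").digest()
    em_bits = 2047  # a 2048-bit modulus has emBits = modBits - 1
    pkcs1_em = encode_for_padding(digest, "pkcs1", em_bits)
    pss_em = encode_for_padding(digest, "pss", em_bits)
    return {
        "pkcs1_block_passes_pss_verifier": emsa_pss_verify(digest, pkcs1_em, em_bits),
        "pss_block_passes_pss_verifier": emsa_pss_verify(digest, pss_em, em_bits),
        "pkcs1_is_deterministic": pkcs1_em == encode_for_padding(digest, "pkcs1", em_bits),
        "pss_is_randomized": pss_em != encode_for_padding(digest, "pss", em_bits),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The first result is the one that matters for the discussion: a correctly formed PKCS#1 v1.5 block is simply not a PSS signature, so a client that cannot be told which padding the server wants will fail at the TLS handshake rather than at configuration time. Because PSS is randomized, the client also cannot be handed a pre-padded block and asked to "just do the raw RSA operation" without knowing the scheme.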