Hi,

On 21/07/2020 17:49, Arne Schwabe wrote:
> By default OpenSSL 1.1+ only allows signatures and ecdh/ecdhx from the
> default list of X25519:secp256r1:X448:secp521r1:secp384r1. In
> TLS1.3 key exchange is independent from the signature/key of the
> certificates, so allowing all groups per default is not a sensible
> choice anymore and instead a shorter list is reasonable.
>
> However, when using certificates with exotic curves that are not on
> the group list, the signatures of these certificates will no longer
> be accepted.
>
> The tls-groups option allows modifying the group list to account
> for these corner cases.
>
> Patch V2: Uses local gc_arena instead of malloc/free, reword commit
> message. Fix other typos/clarify messages
>
> Patch V3: Style fixes, adjust code to changes from mbed tls session
> fix
>
> Patch V5: Fix compilation with OpenSSL 1.0.2
>
> Patch V6: Redo the 'while((token = strsep(&tmp_groups, ":"))' change
> that accidentally got lost.
>
> Signed-off-by: Arne Schwabe <a...@rfc2549.org>
Much better now.

Acked-by: Antonio Quartulli <a...@unstable.cc>

-- 
Antonio Quartulli

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
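As an added illustration of the behaviour the commit message describes (this is example code, not OpenVPN's tls-groups implementation): a colon-separated group list is split with strsep on a private copy, validated against a small table of curve names, and then used to check whether a certificate's curve is covered. The function names, the known_groups table and the check are assumptions made here; the default list is the one quoted in the commit message.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_GROUPS 16
#define NAME_LEN 32

/* OpenSSL 1.1+ default group list, as quoted in the commit message. */
static const char *default_groups = "X25519:secp256r1:X448:secp521r1:secp384r1";

/* Names this example recognises (assumed table; a real build defers to the TLS library). */
static const char *known_groups[] = {
    "X25519", "X448", "secp256r1", "secp384r1", "secp521r1",
    "brainpoolP256r1", "brainpoolP384r1", "brainpoolP512r1", NULL
};

static int is_known_group(const char *name)
{
    for (size_t i = 0; known_groups[i]; i++)
        if (strcmp(known_groups[i], name) == 0) return 1;
    return 0;
}

/* Split 'list' on ':' with strsep. strsep mutates its input, so work on a copy
 * (the patch uses a gc_arena copy for the same reason). Returns the number of
 * groups stored in 'out', or -1 on an empty token, an unknown name or overflow. */
int parse_tls_groups(const char *list, char out[][NAME_LEN], int max)
{
    char *copy = strdup(list), *tmp = copy, *token;
    int n = 0;
    while ((token = strsep(&tmp, ":")) != NULL) {
        if (*token == '\0' || !is_known_group(token) || n >= max ||
            strlen(token) >= NAME_LEN) { free(copy); return -1; }
        strcpy(out[n++], token);
    }
    free(copy);
    return n;
}

/* A certificate signed on 'curve' is only accepted if that curve is in the list. */
int curve_in_groups(char groups[][NAME_LEN], int n, const char *curve)
{
    for (int i = 0; i < n; i++)
        if (strcmp(groups[i], curve) == 0) return 1;
    return 0;
}

int main(void)
{
    char g[MAX_GROUPS][NAME_LEN];
    int n = parse_tls_groups(default_groups, g, MAX_GROUPS);
    printf("default: %d groups, brainpoolP512r1 cert ok=%d\n", n, curve_in_groups(g, n, "brainpoolP512r1"));
    n = parse_tls_groups("X25519:brainpoolP512r1", g, MAX_GROUPS);
    printf("custom:  %d groups, brainpoolP512r1 cert ok=%d\n", n, curve_in_groups(g, n, "brainpoolP512r1"));
    return 0;
}
```

With the default list a brainpoolP512r1 certificate is rejected; with a tls-groups list that names the curve it is accepted, which is the corner case the option exists for.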