Hi,

OpenSSL folks have merged their "fix" in the provider interface that I was
waiting for. It will be in the 3.0.1 patch release. In the meantime, I have
opened a matching version of this patch set as a PR for OpenVPN for
comments/tests/bug-reports/nitpicks. I skipped v2 and this version is
tagged v3.

Will post the patches to the list when OpenSSL 3.0.1 is released.

On top of v1 patches this also includes handling pkcs11-id and
cryptoapicert options through the provider. Requires OpenSSL from either
the master branch (3.1.0-dev) or 3.0 branch (3.0.1-dev) post Oct. 27.

Cheers,

Selva

On Tue, Oct 5, 2021 at 12:39 PM Selva Nair <selva.n...@gmail.com> wrote:

> Hi
>
> Here is an update on this patch set to keep all in the loop.
>
> Arne discovered that my patch broke ECDH key exchange in some cases. This
> turns out to be due to the way providers are handled in OpenSSL especially
> when used in a TLS context. It leads to the requirement that an external
> provider has to handle a wide zoo of key operations including key exchange
> and key generation, even if all it wants to do is signing with an external
> key. Essentially something like: "you either export the key to me or be
> ready to import and handle all operations on any asymmetric key I may come
> across". We can't export as the key is in a protected storage in some
> backend, we also do not want to do all that extra work that's not in the
> contract, and we are not good at it either.
>
> I have been engaging with OpenSSL developers on this and they realize this
> was unintended, and is a "bug/weakness" in their implementation. They are
> working on a patch to fix it at their end (
> https://github.com/openssl/openssl/pull/16725). The eventual fix is very
> likely to get backported to OpenSSL 3.0, so we have to wait.
>
> I'll submit a slightly modified v2 once their fix is finalized.
>
> Thanks,
>
> Selva
>
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel