Acked-by: Gert Doering <g...@greenie.muc.de>

Stared at code, and tested with a 2.5+ossl3.0.x build - without the patch, it would fail before even trying to connect to the server (unless --providers legacy default is set):

    2022-06-09 12:00:50 library versions: OpenSSL 3.0.3 3 May 2022, LZO 2.10
    2022-06-09 12:00:50 Cipher BF-CBC not supported
    2022-06-09 12:00:50 Exiting due to fatal error

With the patch, it connects fine, negotiates AES-256-GCM, and passes all t_client tests (to "master" servers) without having to resort to "--providers legacy".

Connecting to a legacy server (2.3 or 2.4/2.5 with --disable-ncp, or restricting ciphers to BF-CBC for whatever other reasons) will try to fall back to BF-CBC, and fail - unsurprisingly, but fixable with --providers legacy.

NOTE: uncrustify complained to me that "options.c" got modified and was not uncrustify clean before -> so I included these whitespace changes (not many, and only trivial stuff) in this commit.

Your patch has been applied to the release/2.5 branch.

commit 15bf49797130917d85837abd3e8c1fb0e9b528b7
Author: Arne Schwabe
Date:   Fri Jun 3 11:52:19 2022 +0200

     Allow running a default configuration with TLS libraries without BF-CBC

     Signed-off-by: Arne Schwabe <a...@rfc2549.org>
     Acked-by: Gert Doering <g...@greenie.muc.de>
     Message-Id: <20220603095219.637361-1-a...@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24456.html
     Signed-off-by: Gert Doering <g...@greenie.muc.de>

--
kind regards,

Gert Doering