Hi Mike

I misunderstood Arne's comment. We default to security level 1 but that
forbids SHA1 signatures in OpenSSL 3.0+.

Could you test with "tls-cert-profile Insecure" in the config file? It's
not recommended but useful to check.

Thanks,

Selva

On Thu, Sep 28, 2023 at 7:08 PM mike tancsa <m...@sentex.net> wrote:

> Hi Selva,
>
>     Thank you for looking!
>
> My guess is that something in the certificate or private key is not to
> OpenSSL 3.1's liking and it rejects it. Is there any way for you to check
> the
> contents of the token independently using a tool linked against OpenSSL
> 3.1 ?
>
> What am I looking for in that case?  Taking a look at the cert just with
> openssl 3.0 on FreeBSD releng14 it seems ok with it. Same with the Windows
> version 3.1.x that comes with OpenVPN. Is it possible it doesn't like the
> sha1RSA sig?
>
> # openssl version
> OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023)
> #
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 7109 (0x1bc5)
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C = CA, ST = ON, L = Cambridge, O = Sentex CA, CN = Sentex private1test CA CA, emailAddress = m...@sentex.ca
>         Validity
>             Not Before: Sep 27 19:43:01 2023 GMT
>             Not After : Nov 13 19:43:01 2033 GMT
>         Subject: C = CA, ST = ON, L = Cambridge, O = Sentex CA, OU = win10, CN = test123456mdt, emailAddress = m...@sentex.ca
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     00:f5:e0:27:b5:28:0a:f8:a9:ce:13:33:a2:ca:27:
>
> ...
>
>                     ac:a8:b6:55:bb:a3:a4:43:e5:74:05:aa:c8:69:3d:
>                     ed:ef
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Comment:
>                 Easy-RSA Generated Certificate
>             X509v3 Subject Key Identifier:
>                 74:72:3A:87:0D:34:7B:1E:11:C6:18:D2:41:99:C6:5E:D1:8A:81:95
>             X509v3 Authority Key Identifier:
>                 keyid:4F:A0:B0:94:92:6F:24:A7:D4:C6:93:A6:AA:25:63:6C:ED:1E:E3:8C
>                 DirName:/C=CA/ST=ON/L=Cambridge/O=Sentex Parklands CA/CN=Sentex Parklands CA CA/emailAddress=ppsupp...@sentex.ca
>                 serial:F5:3E:37:76:69:AC:EF:EC
>             X509v3 Extended Key Usage:
>                 TLS Web Client Authentication
>             X509v3 Key Usage:
>                 Digital Signature
>     Signature Algorithm: sha1WithRSAEncryption
>     Signature Value:
>         10:72:36:db:5c:f3:f5:fb:52:82:c7:4c:72:8f:31:ae:
>
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
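Added example, not from this thread and not OpenVPN or OpenSSL code: a small Python audit that answers Mike's "what am I looking for" by pulling the outer signatureAlgorithm OID out of a DER/PEM certificate and rating it the way OpenSSL 3.0 does. The ratings are this example's assumptions modelled on OpenSSL 3.0's X509_get_signature_info(): a SHA-1 signature counts as 64 bits and MD5 as 39, other digests as half their output size, and security level 1 requires 80 bits, which is why a sha1WithRSAEncryption chain that was fine under 1.1.1 is refused at the default level under 3.0+ and accepted again at level 0 (as far as I know that is the level the "insecure" tls-cert-profile selects; treat that mapping as an assumption and check the OpenVPN docs for your version). The OID table, the per-level minimum-bit table and the sample certificate built by fake_certificate() are constructed here; the sample is well-formed DER but not a real certificate and carries no real signature.

```python
"""Audit X.509 certificates for signature algorithms that OpenSSL 3.0+
rejects at its default security level (1).

Added example, not OpenVPN or OpenSSL code.  Ratings are assumed from
OpenSSL 3.0's X509_get_signature_info(): SHA-1 signatures count as 64 bits
(MD5 39, other digests half their size) and level 1 needs 80, so a
sha1WithRSAEncryption certificate fails at level 1 and passes at level 0.
"""
import base64
import re
import sys

# OID -> (name, security bits as OpenSSL 3.0 rates the signature digest)
SIG_ALGS = {
    "1.2.840.113549.1.1.4":  ("md5WithRSAEncryption", 39),
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", 64),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", 64),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", 128),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", 128),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", 192),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", 256),
}
MIN_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}  # per security level

def _tlv(buf, pos):
    """Decode a DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """OBJECT IDENTIFIER contents -> dotted string (base-128 arcs)."""
    arcs, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for byte in raw[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(str(val))
            val = 0
    return ".".join(arcs)

def signature_oid(der):
    """OID of the outer signatureAlgorithm of a DER Certificate:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, start, _ = _tlv(der, 0)
    _, _, tbs_end = _tlv(der, start)              # skip tbsCertificate whole
    tag_alg, alg_start, _ = _tlv(der, tbs_end)    # AlgorithmIdentifier SEQUENCE
    tag_oid, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x30 or tag_alg != 0x30 or tag_oid != 0x06:
        raise ValueError("malformed Certificate")
    return _decode_oid(der[oid_start:oid_end])

def classify(der, level=1):
    """Return (algorithm name, security bits, accepted at `level`).
    An OID missing from SIG_ALGS gives (oid, None, None): unrated, not judged."""
    oid = signature_oid(der)
    name, bits = SIG_ALGS.get(oid, (oid, None))
    return name, bits, None if bits is None else bits >= MIN_BITS[level]

def pem_to_der(text):
    """Decode the first CERTIFICATE block of a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

# ---- constructed sample input (NOT a real certificate) -------------------
def _der(tag, body):
    """Short-form DER TLV; every sample body built here is under 128 bytes."""
    return bytes([tag, len(body)]) + body

def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def fake_certificate(sig_oid):
    """Well-formed Certificate with a stub tbsCertificate and an all-zero
    signatureValue: only the signatureAlgorithm carries information."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL params
    return _der(0x30, tbs + alg + _der(0x03, bytes(17)))  # BIT STRING, 0 unused bits

if __name__ == "__main__":
    # Usage: python3 cert_sig_audit.py client.crt ca.crt ...   (PEM files);
    # with no arguments the two constructed samples are audited instead.
    inputs = [(p, pem_to_der(open(p).read())) for p in sys.argv[1:]] or [
        ("sample-sha1", fake_certificate("1.2.840.113549.1.1.5")),
        ("sample-sha256", fake_certificate("1.2.840.113549.1.1.11")),
    ]
    for label, der in inputs:
        for level in (0, 1, 2):
            name, bits, ok = classify(der, level)
            print(f"{label}: {name} ({bits} bits) level {level}: {'accepted' if ok else 'REJECTED'}")
```

Run it over the client cert, the CA cert and any intermediates in the chain; every certificate whose signature is rated below 80 bits will be rejected by an OpenSSL 3.0+ peer at the default level, whatever "openssl x509 -text" on a 1.1.1 box says about it. Reissuing those certificates with SHA-256 fixes the problem permanently, where lowering the level only hides it.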
