Re: [Openvpn-devel] [PATCH 0/9] A built-in OpenSSL3.0 provider for external-keys

2021-11-01 Thread Selva Nair
Hi, OpenSSL folks have merged their "fix" in the provider interface that I was waiting for. It will be in the 3.0.1 patch release. In the meantime, I have opened a matching version of this patch set as a PR for OpenVPN for comments/tests/bug-reports/nitpicks. I skipped v2 and this version is tagge

[Openvpn-devel] [PATCH] Fix tls-version-min default once again

2021-11-01 Thread selva . nair
From: Selva Nair commit 51be733ba236610dff6a1c361cf59172db97473a claimed to correct this but did not do it properly. (my fault). The check whether tls-version-min is set by the user or not was still wrong. Hope this fixes it for good. Signed-off-by: Selva Nair --- src/openvpn/options.c | 4 ++

Re: [Openvpn-devel] [PATCH v3 10/21] [OSSL 3.0] Replace EVP_get_cipherbyname with EVP_CIPHER_fetch

2021-11-01 Thread Arne Schwabe
>> >> One option is to continue using get_cipherbyname() but add a helper call >> for OpenSSL 3.0 to check algorithm availability. Say, >> EVP_CIPHER_available() that fetches, checks the result and frees ---  >> to be used on top of the existing code. > > That is an option but will break as soon

[Openvpn-devel] [PATCH applied] Re: Remove dependency on BF-CBC existance from test_ncp

2021-11-01 Thread Gert Doering
I can confirm that this fixes ncp_testdriver for 3.0.0 builds, which is what it says :-) (and 1.1.1 builds still succeed). Took me a bit to understand the new if/else clauses, but after a while it started making sense :-) Your patch has been applied to the master branch. commit c07f95f3cacdf7c87

[Openvpn-devel] [PATCH applied] Re: Use EVP_MD_get0_name instead EV_MD_name

2021-11-01 Thread Gert Doering
Some context massaging required (ssl_compat context, 08, v3->v4, ...) 1.1.1 builds & passes "make check" just fine. 3.0.0 shows the same failures as before (ncp_testdriver, t_lpback.sh), which means "nothing new broke", so this change seems to be good enough. Your patch has been applied to the m

[Openvpn-devel] [PATCH applied] Re: Require EC key support in Windows builds

2021-11-01 Thread Gert Doering
Acked-by: Gert Doering No idea what took me so long - the patch file was saved to the right place for "next: ack, merge, push" but then something got in the way. But now :-) - thanks. Your patch has been applied to the release/2.5 branch. commit 6bb4edf4f778128672f405c0e33c3c785afcc479 Author:

[Openvpn-devel] [PATCH applied] Re: Replace EVP_get_cipherbyname with EVP_CIPHER_fetch

2021-11-01 Thread Gert Doering
This patch took a bit of massaging to get in, due to the context having SSL_CTX_new_ex() which disappeared during 08 v3->v4 -> replaced by proper context (adding #if OPENSSL_VERSION_NUMBER < 0x3000L). I have read Selva's comment about mem leaking, and decided to still merge it - this OSS 3

[Openvpn-devel] [PATCH applied] Re: Use EVP_PKEY_get_group_name to query group name

2021-11-01 Thread Gert Doering
Stared a bit at the code (verified that "curve" is never used out of scope, since it's now a local array), did minimum test run vs. 1.1.1 and 3.0.0 - no surprises (t_lpback.sh still fails due to the FETCH parts missing, but they can now go in). Your patch has been applied to the master branch. co