From: David S. <daz...@eu...> - 2025-10-20 12:11:11
On 20/10/2025 14:03, David Sommerseth via Openvpn-users wrote:
> On 17/10/2025 11:26, Gert Doering wrote:
>> Hi,
>>
>> On Fri, Oct 17, 2025 at 11:19:48AM +0200, Simon Matter wrote:
>>> Looks like "update-crypto-policies --set LEGACY" did the trick to make it
>>> work. At least this makes the errors go away in a test setup. I'll soon do
>>> it on a production system.
>>
>> Ah, Redhat... "why should we leave decisions to software when we can
>> annoy everybody with a global setting".
>>
>> (I'm not exactly sure how these crypto policies work, but they seem to
>> override the application's request to get "--tls-cert-profile insecure")
>>
>> thanks for reporting back the solution ;-)
>
> For the RPM packaging in Fedora, EPEL and Copr repos, we apply a patch
> which is required [2].
>
> [1] <https://src.fedoraproject.org/rpms/openvpn/blob/rawhide/f/fedora-crypto-policy-compliance.patch>
> [2] <https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/>
>
> The goal here is to have a system-wide setting for enforcing stricter
> crypto settings. This has ties to requirements from enterprise
> customers of RHEL, where there have been requests to centrally manage
> this. And that's happening by pushing out settings to files in
> /etc/crypto-policies/, via whatever tools the enterprise prefers
> (ansible, puppet, chef, etc). Since Fedora is the "development branch"
> of RHEL, that's how those are related.
>
> These crypto policies cover everything across multiple SSL/TLS
> libraries (openssl, nss, gnutls) as well as many security relevant
> services and software stacks (krb5, java, libreswan, openssh, libssh).
>
> The OpenSSL settings for the DEFAULT profile are:
>
> # cat /usr/share/crypto-policies/DEFAULT/openssl.txt
> @SECLEVEL=2:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-kRSA \
> :-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL \
> :!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8

JFTR, the LEGACY profile for OpenSSL is:

# cat /usr/share/crypto-policies/LEGACY/openssl.txt
@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK \
:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL \
:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8

The difference is the addition of `kRSA` in the LEGACY profile.

-- 
kind regards,

David Sommerseth
OpenVPN Inc
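The two policy strings above can be checked against a local OpenSSL to see concretely what `kRSA` buys: the suites that LEGACY enables and DEFAULT does not are exactly the static-RSA key-exchange suites, which have no forward secrecy. The following is an added example, not code from the thread or from the crypto-policies project. It feeds the quoted DEFAULT and LEGACY strings to Python's `ssl` module, which hands them to the OpenSSL cipher-list parser (including the `@SECLEVEL` directive) and reports the resulting suite list with OpenSSL's `kx-*` key-exchange names; the exact suites listed depend on which ciphers the local OpenSSL build has compiled in.

```python
"""Compare the OpenSSL cipher strings of Fedora's DEFAULT and LEGACY
crypto-policies and show which suites LEGACY adds.

Added example, not part of the mailing-list thread. The two policy
strings are copied from the message above; they are evaluated against
whatever OpenSSL this Python is linked with, so the exact suite names
depend on the local build.
"""
import ssl

# Copied from /usr/share/crypto-policies/DEFAULT/openssl.txt as quoted above
DEFAULT_POLICY = (
    "@SECLEVEL=2:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-kRSA"
    ":-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL"
    ":!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8"
)

# Copied from /usr/share/crypto-policies/LEGACY/openssl.txt as quoted above
LEGACY_POLICY = (
    "@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK"
    ":-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL"
    ":!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8"
)


def enabled_suites(policy: str) -> dict[str, str]:
    """Return {suite name: key-exchange algorithm} for a cipher string.

    set_ciphers() passes the string to OpenSSL's cipher-list parser, and
    get_ciphers() reports what that parser kept. The 'kea' field is the
    OpenSSL key-exchange name, e.g. 'kx-ecdhe', 'kx-dhe', 'kx-rsa',
    'kx-rsa-psk', or 'kx-any' for TLS 1.3 suites.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(policy)
    return {c["name"]: c["kea"] for c in ctx.get_ciphers()}


def legacy_only_suites() -> dict[str, str]:
    """Suites enabled by the LEGACY string but not by DEFAULT."""
    default = enabled_suites(DEFAULT_POLICY)
    legacy = enabled_suites(LEGACY_POLICY)
    return {name: kx for name, kx in legacy.items() if name not in default}


def static_rsa_suites(policy: str) -> list[str]:
    """Suites using plain RSA key transport, i.e. no forward secrecy.

    These are what the 'kRSA' alias selects and '-kRSA' removes.
    """
    return sorted(
        name for name, kx in enabled_suites(policy).items() if kx == "kx-rsa"
    )


if __name__ == "__main__":
    print("DEFAULT static-RSA suites:", static_rsa_suites(DEFAULT_POLICY))
    print("LEGACY  static-RSA suites:", static_rsa_suites(LEGACY_POLICY))
    for name, kx in sorted(legacy_only_suites().items()):
        print(f"  only in LEGACY: {name:32} {kx}")
```

Running it against a stock OpenSSL build shows an empty static-RSA list for DEFAULT and a non-empty one for LEGACY, and every suite in the LEGACY-minus-DEFAULT set reports `kx-rsa`. Note that RSA-PSK suites (`kx-rsa-psk`) are selected by the separate `kRSAPSK` alias and stay enabled in both profiles, which is why the `-kRSA` rule in DEFAULT does not touch them.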