]> git.ipfire.org Git - thirdparty/openvpn.git/commit
projects / thirdparty / openvpn.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 93fadaa) | patch
Require Windows CNG keys for cryptoapicert
authorSelva Nair <selva.nair@gmail.com>
Tue, 19 Oct 2021 03:41:16 +0000 (23:41 -0400)
committerGert Doering <gert@greenie.muc.de>
Tue, 19 Oct 2021 15:14:21 +0000 (17:14 +0200)
commit60c83cce885d2f89d0cc150b730b409538a59625
treee02d693e4ed0ed6ad5f873d0c4c99e0b5c7c143atree
parent93fadaa0268dbe81a8c7ad3e73b3d54a0cca8c9ccommit | diff
Require Windows CNG keys for cryptoapicert

Some legacy tokens do not have drivers compatible with
Windows Cryptography Next generation API (CNG) and require
the old CAPI interface. These also do not support anything
but RSA_PKCS1 signatures with MD5+SHA1 digests, and can only
handle TLS 1.1 and older. Continuing to support these add
too much maintenance burden especially with newer version of
OpenSSL and has very little benefit.

- Remove support for non CNG interface which also removes
  support for such legacy tokens. Keys uploaded to Windows
  certificate stores are not affected.

- Remove support for OpenSSL versions < 1.1.1 in Windows
  builds

Note: TLS 1.0 and 1.1 is still supported. Only signing with legacy
tokens that have drivers incompatible with CNG is affected. These
can still be used with pkcs11-helper.

Tested on Windows 10 with RSA and EC keys in store

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211019034118.28987-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22953.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/cryptoapi.c diff | blob | blame | history
Mirror of https://github.com/OpenVPN/openvpn.git