
openvpn: allow "dh-file none" to disable DH for ECDH keys
In progress, Low, Public

Description

When using EC TLS keys, dh-file is not needed; it can be set to "none": https://github.com/OpenVPN/openvpn/commit/bd9aa06

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (migratable)

Event Timeline

jjakob changed the task status from Open to In progress. Thu, Mar 19, 5:13 PM
jjakob triaged this task as Low priority.
jjakob created this task.
jjakob created this object in space S1 VyOS Public.

The implementation mostly works, but still behaves unexpectedly when keys don't have a BEGIN EC PRIVATE KEY or BEGIN RSA PRIVATE KEY, but have just a plain BEGIN PRIVATE KEY, which is valid for both EC and RSA (and is the default output format for openssl ec -out, for example when removing a passphrase from the key). We need to switch to checking the key type by actually trying to read it with openssl and checking its error status.
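The key-type check the comment above calls for, written here as an added example (it is not VyOS code and not the task author's). Rather than shelling out to openssl, it decides the plain "BEGIN PRIVATE KEY" (PKCS#8) case by reading the AlgorithmIdentifier OID inside the DER, so the header alone is never trusted; the helper names, the sample PEMs (constructed with dummy key material, only the outer ASN.1 structure is real) and the mapping from key type to whether dh-file is required are assumptions.

```python
import base64
import re
import textwrap

# Algorithm OIDs found in a PKCS#8 PrivateKeyInfo (the "BEGIN PRIVATE KEY" format)
OID_TYPES = {
    "1.2.840.113549.1.1.1": "rsa",   # rsaEncryption
    "1.2.840.10045.2.1": "ec",       # id-ecPublicKey (also used for EC private keys)
}
# Legacy labels whose header alone already names the key type
HEADER_TYPES = {"EC PRIVATE KEY": "ec", "RSA PRIVATE KEY": "rsa"}

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def _tlv(buf, pos=0):
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Dotted-decimal form of a DER-encoded OBJECT IDENTIFIER body."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def key_type_by_header(pem):
    """The naive check: only legacy labels reveal the type; PKCS#8 yields None."""
    m = PEM_RE.search(pem)
    return HEADER_TYPES.get(m.group(1)) if m else None


def key_type(pem):
    """Return 'ec', 'rsa' or None; for PKCS#8 the AlgorithmIdentifier OID decides."""
    m = PEM_RE.search(pem)
    if not m:
        return None
    label, body = m.groups()
    if label in HEADER_TYPES:
        return HEADER_TYPES[label]
    if label != "PRIVATE KEY":              # e.g. ENCRYPTED PRIVATE KEY: undecidable without the passphrase
        return None
    der = base64.b64decode("".join(body.split()))
    tag, info, _ = _tlv(der)                # PrivateKeyInfo ::= SEQUENCE
    if tag != 0x30:
        return None
    _, _version, pos = _tlv(info)           # version INTEGER
    _, alg, _ = _tlv(info, pos)             # privateKeyAlgorithm AlgorithmIdentifier
    tag, oid, _ = _tlv(alg)                 # algorithm OBJECT IDENTIFIER
    return OID_TYPES.get(_decode_oid(oid)) if tag == 0x06 else None


def dh_file_required(pem):
    """Assumed policy: only an EC key may run with 'dh-file none'; anything else still needs DH params."""
    return key_type(pem) != "ec"


# --- constructed sample keys (dummy key material; only the outer ASN.1 structure is real) ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{textwrap.fill(b64, 64)}\n-----END {label}-----\n"


def _pkcs8(alg_oid_hex, params, key_bytes):
    alg = _der(0x30, _der(0x06, bytes.fromhex(alg_oid_hex)) + params)
    return _der(0x30, _der(0x02, b"\x00") + alg + _der(0x04, key_bytes))


P256_PARAMS = _der(0x06, bytes.fromhex("2a8648ce3d030107"))       # namedCurve prime256v1
EC_PKCS8_PEM = _pem("PRIVATE KEY", _pkcs8("2a8648ce3d0201", P256_PARAMS, b"\x11" * 32))
RSA_PKCS8_PEM = _pem("PRIVATE KEY", _pkcs8("2a864886f70d010101", b"\x05\x00", b"\x22" * 16))
EC_SEC1_PEM = _pem("EC PRIVATE KEY", _der(0x30, _der(0x02, b"\x01") + _der(0x04, b"\x11" * 32)))

if __name__ == "__main__":
    for name, pem in [("SEC1 EC", EC_SEC1_PEM), ("PKCS#8 EC", EC_PKCS8_PEM), ("PKCS#8 RSA", RSA_PKCS8_PEM)]:
        print(f"{name:11} header-only={key_type_by_header(pem)!s:5} "
              f"parsed={key_type(pem)} dh-file required={dh_file_required(pem)}")
```

Running it shows the failure mode from the comment: the header-only check returns None for both PKCS#8 keys, while the structural check classifies them correctly and an "ENCRYPTED PRIVATE KEY" blob is reported as undecidable rather than guessed. A production check would still want to load the key fully (openssl or a crypto library) to confirm it is well-formed; this example only settles the type question.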

pasik added a subscriber: pasik. Wed, Mar 25, 7:10 PM