Configure OpenSSL while Building #257
Hi,
On Wed, Jun 08, 2022 at 04:26:07AM -0700, Emrehan ??LHAN wrote:
> Is it possible to add a config file to OpenSSL that is used by OpenVPN? I want to change supported ciphers and remove weak ones. I know I can use parameters like --cipher but I want to change "Client Hello" message in Wireshark capture.
To influence TLS ciphers, do not use --cipher but --tls-cipher and
tls-groups (TLS 1.0-1.2) and --tls-ciphersuites (TLS 1.3).
Alternatively, "--tls-cert-profile preferred" or "suiteb".
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany ***@***.***
Hi, thanks for your answer. It solved most of my problems. I can change ciphers with --tls-cipher and --tls-ciphersuites and I can change cipher & signature algorithms with --tls-cert-profile. --tls-cert-profile suiteb removes more than I want. Is there any way to remove a signature algorithm (digest)?
You could put your OpenSSL config file at C:\Program Files\OpenVPN\ssl\openssl.cnf - this will be used by OpenVPN at OpenSSL initialization.
I do not actually install OpenVPN. I use an exe file that is located in my project file. Does it still work if I put a config file in the same directory?
It should work with the latest releases.
I'm using version 2.4.11, how can I check if it is supported or not?
Hi,
On Fri, Jun 10, 2022 at 01:45:20AM -0700, Emrehan ??LHAN wrote:
> I'm using version 2.4.11, how can I check if it is supported or not?
Please upgrade to 2.5.7 - the 2.4 code base is old, and out of support.
gert
Same requirement here. @Emrehan how do you solve this?
Hey, if you use a newer version of OpenVPN, you can just add an openssl.conf file. There are lots of examples of it on the internet. If not, the --tls-ciphersuites option should fix most of the cases. However, if you want more control over it, I rebuilt OpenVPN by changing the source code. I added some lines to use the openssl library in the openvpn source code. You can follow this option to see how it works (--tls-cert-profile). Hope it helps.
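A minimal OpenSSL config file of the kind suggested in the comments above (the `C:\Program Files\OpenVPN\ssl\openssl.cnf` reply and the later "just add a config file" reply), restricting the signature algorithms OpenSSL offers. This is an added example, not a file from the thread or from the OpenVPN project. It assumes OpenSSL 1.1.1 or later and an OpenVPN build that loads the file as described above; the section names and the algorithm list are a sample selection.

```ini
# openssl.cnf (added example; section names are arbitrary labels)
# Read by OpenSSL at library initialization. The system_default section
# is applied to every TLS context the library creates.

openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Refuse protocol versions below TLS 1.2.
MinProtocol = TLSv1.2

# Signature algorithms offered in the handshake, in preference order.
# Anything not listed is no longer offered, so the SHA-1 and SHA-224
# based entries are dropped simply by leaving them out.
# Entries are either "algorithm+hash" pairs or TLS 1.3 scheme names.
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:RSA+SHA256:RSA+SHA384

# Cipher selection is left to the --tls-cipher and --tls-ciphersuites
# options named in the thread, so no cipher directives are set here.
```

After OpenVPN is restarted with this file in place, the `signature_algorithms` extension of the Client Hello in a Wireshark capture is the place to confirm that only the listed entries are offered.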
Hi,
Is it possible to add a config file to OpenSSL that is used by OpenVPN? I want to change supported ciphers and remove weak ones. I know I can use parameters like --cipher but I want to change "Client Hello" message in Wireshark capture.