| Message ID | 1515378076-5774-1-git-send-email-selva.nair@gmail.com |
|---|---|
| Series | Make cryptoapicert work with TLS 1.2 |
2018-01-08 7:21 GMT+05:00 <selva.nair@gmail.com>:
> From: Selva Nair <selva.nair@gmail.com>
>
> Hi,
>
> I am not sure how receptive the crypto maintainers are to the
> idea of adding more code into cryptoapi.c, but here goes:
>
> I've been wanting to add TLS 1.2 support for certs in the
> Windows cert store using management external key. But that's
> a lot more work than extending cryptoapicert support. And,
> rather surprisingly, it turns out that the CNG API for signing is
> easy to use (well after some groping in the dark..) and doesn't
> take much to implement.
>
> So these patches..
>
> The first patch is not really related and to make the existing code
> "openssl-1.1 ready" (missed by past patches as no one probably builds
> Windows binary with 1.1..).

There was an agreement on one of the recent community meetings to
gracefully deprecate both libressl and openssl-1.0.X in favour of
openssl-1.1.X.

So, we should learn how to build windows binary with 1.1.X :)

> The second patch is not dependent on this, but close-by code paths
> are touched by both.
>
> Selva
>
> Selva Nair (2):
>   Bring cryptoapi.c upto speed with openssl 1.1
>   TLS v1.2 support for cryptoapicert -- RSA only
>
>  configure.ac                 |   1 +
>  src/openvpn/Makefile.am      |   2 +-
>  src/openvpn/cryptoapi.c      | 155 ++++++++++++++++++++++++++++++++++---------
>  src/openvpn/openssl_compat.h |  14 ++++
>  src/openvpn/options.c        |  18 -----
>  5 files changed, 140 insertions(+), 50 deletions(-)
>
> --
> 2.1.4
>
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Hi,

On 8 January 2018 at 03:21, <selva.nair@gmail.com> wrote:
> I am not sure how receptive the crypto maintainers are to the
> idea of adding more code into cryptoapi.c, but here goes:
>
> I've been wanting to add TLS 1.2 support for certs in the
> Windows cert store using management external key. But that's
> a lot more work than extending cryptoapicert support. And,
> rather surprisingly, it turns out that the CNG API for signing is
> easy to use (well after some groping in the dark..) and doesn't
> take much to implement.
>
> So these patches..
>
> The first patch is not really related and to make the existing code
> "openssl-1.1 ready" (missed by past patches as no one probably builds
> Windows binary with 1.1..).
>
> The second patch is not dependent on this, but close-by code paths
> are touched by both.

This would fix a major shortcoming in our current cryptoapi code, so
I'm definitely open to accepting these patches. Just need to find some
time to do the review and dreaded windows testing :)

I actually tried this myself a while ago, but quickly gave up after
getting lost in and demotivated by the MSDN maze. So more than
grateful that you wrestled your way through!

-Steffan
Hi,

On Tue, Jan 9, 2018 at 1:00 AM, Илья Шипицин <chipitsine@gmail.com> wrote:
>
> 2018-01-08 7:21 GMT+05:00 <selva.nair@gmail.com>:
>>
>> From: Selva Nair <selva.nair@gmail.com>
>>
>> Hi,
>>
>> I am not sure how receptive the crypto maintainers are to the
>> idea of adding more code into cryptoapi.c, but here goes:
>>
>> I've been wanting to add TLS 1.2 support for certs in the
>> Windows cert store using management external key. But that's
>> a lot more work than extending cryptoapicert support. And,
>> rather surprisingly, it turns out that the CNG API for signing is
>> easy to use (well after some groping in the dark..) and doesn't
>> take much to implement.
>>
>> So these patches..
>>
>> The first patch is not really related and to make the existing code
>> "openssl-1.1 ready" (missed by past patches as no one probably builds
>> Windows binary with 1.1..).
>
> There was an agreement on one of the recent community meetings to
> gracefully deprecate both libressl and openssl-1.0.X in favour of
> openssl-1.1.X.
>
> So, we should learn how to build windows binary with 1.1.X :)

I had tested the patch with 1.1 and needed only minor changes to the
build script. See https://github.com/selvanair/openvpn-build

pkcs11-helper build showed some warnings but I did not check further
as I usually disable it.

Selva
From: Selva Nair <selva.nair@gmail.com>

Hi,

I am not sure how receptive the crypto maintainers are to the
idea of adding more code into cryptoapi.c, but here goes:

I've been wanting to add TLS 1.2 support for certs in the
Windows cert store using management external key. But that's
a lot more work than extending cryptoapicert support. And,
rather surprisingly, it turns out that the CNG API for signing is
easy to use (well after some groping in the dark..) and doesn't
take much to implement.

So these patches..

The first patch is not really related and to make the existing code
"openssl-1.1 ready" (missed by past patches as no one probably builds
Windows binary with 1.1..).

The second patch is not dependent on this, but close-by code paths
are touched by both.

Selva

Selva Nair (2):
  Bring cryptoapi.c upto speed with openssl 1.1
  TLS v1.2 support for cryptoapicert -- RSA only

 configure.ac                 |   1 +
 src/openvpn/Makefile.am      |   2 +-
 src/openvpn/cryptoapi.c      | 155 ++++++++++++++++++++++++++++++++++---------
 src/openvpn/openssl_compat.h |  14 ++++
 src/openvpn/options.c        |  18 -----
 5 files changed, 140 insertions(+), 50 deletions(-)