From patchwork Tue Jul 30 17:00:21 2024
X-Patchwork-Submitter: Eric Toombs
X-Patchwork-Id: 3780
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 30 Jul 2024 17:00:21 +0000
Message-ID: <20240730170021.1101321-1-storehouse@toombs.earth>
X-Mailer: git-send-email 2.45.2
Subject: [Openvpn-devel] [PATCH] examples: Switched to ed25519, nodes -> noenc
From: Eric Toombs

I switched the curve to ed25519, a generally more trustworthy curve and the default in openssh. As a bonus, it *really* simplifies what is already a complicated command. The old command wouldn't even run in all shells because it used process substitution. 'nodes' is deprecated in favour of 'noenc', so I switched that too.

--- doc/man-sections/example-fingerprint.rst | 4 ++-- doc/man-sections/examples.rst | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/man-sections/example-fingerprint.rst b/doc/man-sections/example-fingerprint.rst index 7cdda190..e2360dd0 100644 --- a/doc/man-sections/example-fingerprint.rst +++ b/doc/man-sections/example-fingerprint.rst @@ -18,7 +18,7 @@ Server setup 2. Generate a self-signed certificate for the server: :: - openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout server.key -out server.crt -nodes -sha256 -days 3650 -subj '/CN=server' + openssl req -x509 -newkey ed25519 -keyout server.key -out server.crt -noenc -sha256 -days 3650 -subj '/CN=server' 3. Generate SHA256 fingerprint of the server certificate @@ -85,7 +85,7 @@ Adding a client different name for each client. :: - openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -nodes -sha256 -days 3650 -subj '/CN=alice' + openssl req -x509 -newkey ed25519 -noenc -sha256 -days 3650 -subj '/CN=alice' This generate a certificate and a key for the client. The output of the command will look something like this: diff --git a/doc/man-sections/examples.rst b/doc/man-sections/examples.rst index 94cc726a..ced81621 100644 --- a/doc/man-sections/examples.rst +++ b/doc/man-sections/examples.rst 
@@ -95,12 +95,12 @@ First build a self-signed certificate on bob and display its fingerprint. :: - openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout bob.pem -out bob.pem -nodes -sha256 -days 3650 -subj '/CN=bob' + openssl req -x509 -newkey ed25519 -keyout bob.pem -out bob.pem -noenc -sha256 -days 3650 -subj '/CN=bob' openssl x509 -noout -sha256 -fingerprint -in bob.pem and the same on alice:: - openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout alice.pem -out alice.pem -nodes -sha256 -days 3650 -subj '/CN=alice' + openssl req -x509 -newkey ed25519 -keyout alice.pem -out alice.pem -noenc -sha256 -days 3650 -subj '/CN=alice' openssl x509 -noout -sha256 -fingerprint -in alice.pem @@ -132,7 +132,7 @@ On alice:: ping 10.4.0.1 -Note: This example use a elliptic curve (`secp384`), which allows +Note: This example use a elliptic curve (`ed25519`), which allows ``--dh`` to be set to ``none``. Example 3: A tunnel with full PKI and TLS-based security
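Review bot: the `-noenc` option introduced on the two rewritten `openssl req` lines of example-fingerprint.rst (hunks @@ -18 and @@ -85, the `/CN=server` and `/CN=alice` commands) exists only in OpenSSL 3.0 and later, while the `-nodes` spelling it replaces is still accepted by 3.x as a deprecated alias, so the change raises the minimum OpenSSL version the examples work with; the commit message only says `nodes` is deprecated and should state this explicitly, and a one-line remark in the documentation that the commands need OpenSSL 3.0+ (or that `-nodes` can be substituted on 1.1.1) would spare readers an "unknown option" failure. The same applies to the two `-noenc` lines in examples.rst. Separately, switching the key type to Ed25519 makes these certificates usable only between peers whose OpenVPN is built against OpenSSL, since the mbed TLS backend has no EdDSA support; the examples should flag that, or keep the NIST-curve command as an alternative for such deployments.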
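Review bot: in hunk @@ -95 of examples.rst, the `-sha256` kept on the rewritten bob.pem and alice.pem `openssl req` lines is a no-op once the key is `-newkey ed25519`: Ed25519 signatures use the scheme's own fixed internal hash and OpenSSL's `req` discards the requested digest for key types whose default digest is undefined, so the certificate is signed with plain Ed25519 either way. Dropping `-sha256` from the four `openssl req` commands in this patch (the two here and the two in example-fingerprint.rst) would keep the examples from suggesting the flag has an effect; the `-sha256` on the following `openssl x509 -noout -sha256 -fingerprint` lines is a different option (it selects the fingerprint digest) and must stay.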
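Review bot: the rewritten Note line in hunk @@ -132 of examples.rst carries over the existing grammar error "This example use a elliptic curve"; since the line is being touched anyway it should read "This example uses an elliptic curve". Also, `ed25519` names the signature scheme rather than the curve itself (the underlying curve is Curve25519 in its Edwards form), so "an Ed25519 key" or "an elliptic-curve key (`ed25519`)" would be the more accurate wording; the `--dh none` consequence the sentence explains is unchanged.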