openvpn 2.4.1 with gost

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

openvpn 2.4.1 with gost

OpenSSL - User mailing list
Hello.
I have just build openvpn with openvpn-build with these versions:
OPENSSL_VERSION="${OPENSSL_VERSION:-1.0.2k}"
PKCS11_HELPER_VERSION="${PKCS11_HELPER_VERSION:-1.11}"
LZO_VERSION="${LZO_VERSION:-2.10}"
TAP_WINDOWS_VERSION="${TAP_WINDOWS_VERSION:-9.21.2}"
OPENVPN_VERSION="${OPENVPN_VERSION:-2.4.1}"
OPENVPN_GUI_VERSION="${OPENVPN_GUI_VERSION:-11}"

Compilation success, no problem.
i modified openssl.cnf to include engine gost.
openssl_conf = openssl_def
[ openssl_def ]                
engines = engine_section
[ engine_section ]
gost = gost_section
[gost_section]
default_algorithms=ALL
engine_id=gost

openssl ciphers | tr ":" "\n" | grep GOST
GOST2001-GOST89-GOST89
GOST94-GOST89-GOST89

openssl list-message-digest-algorithms | grep gost
gost-mac
md_gost94
gost-mac
md_gost94

openssl shows me GOST.

------
gost-server.ovpn
-----
dev tap
engine gost
auth gost-mac
cipher gost89
tls-cipher GOST2001-GOST89-GOST89
#comp-lzo yes
ca ca.crt
cert server.crt
key server.key
dh    dhparam.pem
server 10.0.0.0 255.255.255.0
keepalive 10 120
proto tcp
socket-flags TCP_NODELAY
persist-key
persist-tun

openvpn gost-server.ovpn says me
-- Initializing OpenSSL support for engine 'gost'
-- Deprecated TLS cipher name 'GOST2001-GOST89-GOST89', please use IANA name 'TLS_GOSTR341001_WITH_28147_CNT_IMIT'
-- OpenSSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
-- Failed to set restricted TLS cipher list: GOST2001-GOST89-GOST89
-- Exiting due to fatal error

Please help with this problem

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: openvpn 2.4.1 with gost

Dmitry Belyavsky-3
Hello,

As far as I know, openvpn does not work with GOST algorithms without patches.

On Tue, Apr 18, 2017 at 12:16 PM, R.S via openssl-users <[hidden email]> wrote:
Hello.
I have just build openvpn with openvpn-build with these versions:
OPENSSL_VERSION="${OPENSSL_VERSION:-1.0.2k}"
PKCS11_HELPER_VERSION="${PKCS11_HELPER_VERSION:-1.11}"
LZO_VERSION="${LZO_VERSION:-2.10}"
TAP_WINDOWS_VERSION="${TAP_WINDOWS_VERSION:-9.21.2}"
OPENVPN_VERSION="${OPENVPN_VERSION:-2.4.1}"
OPENVPN_GUI_VERSION="${OPENVPN_GUI_VERSION:-11}"

Compilation success, no problem.
i modified openssl.cnf to include engine gost.
openssl_conf = openssl_def
[ openssl_def ]                
engines = engine_section
[ engine_section ]
gost = gost_section
[gost_section]
default_algorithms=ALL
engine_id=gost

openssl ciphers | tr ":" "\n" | grep GOST
GOST2001-GOST89-GOST89
GOST94-GOST89-GOST89

openssl list-message-digest-algorithms | grep gost
gost-mac
md_gost94
gost-mac
md_gost94

openssl shows me GOST.

------
gost-server.ovpn
-----
dev tap
engine gost
auth gost-mac
cipher gost89
tls-cipher GOST2001-GOST89-GOST89
#comp-lzo yes
ca ca.crt
cert server.crt
key server.key
dh    dhparam.pem
server 10.0.0.0 255.255.255.0
keepalive 10 120
proto tcp
socket-flags TCP_NODELAY
persist-key
persist-tun

openvpn gost-server.ovpn says me
-- Initializing OpenSSL support for engine 'gost'
-- Deprecated TLS cipher name 'GOST2001-GOST89-GOST89', please use IANA name 'TLS_GOSTR341001_WITH_28147_CNT_IMIT'
-- OpenSSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
-- Failed to set restricted TLS cipher list: GOST2001-GOST89-GOST89
-- Exiting due to fatal error

Please help with this problem

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




--
SY, Dmitry Belyavsky

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Loading...