Page MenuHomeVyOS Platform

openvpn: allow "dh-file none" to disable DH for ECDH keys
In progress, LowPublic


When using EC TLS keys, dh-file is not needed, it can be be set to "none":


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (migratable)
Issue type
Internal change (not visible to end users)

Event Timeline

jjakob changed the task status from Open to In progress.Mar 19 2020, 5:13 PM
jjakob triaged this task as Low priority.
jjakob created this task.
jjakob created this object in space S1 VyOS Public.

The implementation mostly works, but still behaves unexpectedly when keys don't have a BEGIN EC PRIVATE KEY or BEGIN RSA PRIVATE KEY, but have just a plain BEGIN PRIVATE KEY, which is valid for both EC and RSA (and is the default output format for openssl ec -out, for example when removing a passphrase from the key). We need to switch to checking the key type by actually trying to read it with openssl and checking its error status.

erkin set Issue type to Internal change (not visible to end users).Aug 31 2021, 5:16 PM