Support ECDSA certificates on server side and show parameters in dialog #1483
Conversation
Tested with CI artifacts.
Despite being bound to openssl-1.1.1 and higher, it might be built without ECDSA support, see openssl/openssl@3b6aa36. I suggest adding a corresponding check in CMake (for example, https://github.com/SoftEtherVPN/SoftEtherVPN/blob/master/src/Mayaqua/CMakeLists.txt#L26 ) that OpenSSL is built with ECDSA.
I am not sure if it's needed as we are not going to change the default key from RSA. The user is responsible for making sure the OpenSSL and the default cipher support ECDSA. For example, if the default cipher is AES128-SHA it won't work.
Users sometimes pick OpenSSL from the distribution. It would be good to check during cmake that OpenSSL supports ECDSA. However, I agree it is not critical. We'll fail during build anyway.
Another way is adding the check in the
Please ignore my suggestion. Seems "OPENSSL_NO_ECDSA" is gone from OpenSSL now. Should we merge and give it a go?
I think it's ready to merge. Just the string process in
Ideally the certificate type should be on a separate line. I haven't figured out how to do that.
Let us merge and see. I tried to build myself using our "build for windows" guide. It is indeed broken, pity that nobody except @domosekai complains :(
This PR lifts restrictions on certificate bits for server-side certificates, so that administrators can freely choose the type of certificates. This enables the use of ECDSA certificates.
Since ECDSA certificates (e.g. from Let's Encrypt) are super easy to get and increasingly preferred by many, I believe the change is important.
Ideally, we should make an aligned change in certificate handling for both client and server side. But since client side (e.g. certificate-based authentication) is more involved as we need to handle sign / verify functions, I am currently not changing that. Comments are welcome.
The certificate dialog in Windows UI won't display the ECC bits for the time being. This can also be improved later.
Fix #1034
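The dialog gap mentioned above (no ECC bits shown, certificate type not on its own line) comes down to classifying the certificate's public key. The following is an added example, not SoftEtherVPN code: a minimal DER parser that reads a SubjectPublicKeyInfo and reports "RSA" with the modulus size or "ECDSA" with the named curve and its size. The two sample keys are constructed (real OIDs, dummy key material), and the `_der` helper exists only to build them.

```python
"""Classify a DER SubjectPublicKeyInfo as RSA or EC and report key size.
Added example, not SoftEtherVPN code; sample keys below are constructed."""

OID_RSA, OID_EC = "1.2.840.113549.1.1.1", "1.2.840.10045.2.1"
CURVES = {"1.2.840.10045.3.1.7": ("P-256", 256), "1.3.132.0.34": ("P-384", 384),
          "1.3.132.0.35": ("P-521", 521)}

def _tlv(buf, pos):                                # one DER tag/length/value
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):                                   # decode OBJECT IDENTIFIER
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def describe_spki(spki):
    """Return (key type, curve name or '', key bits) for a DER-encoded SPKI."""
    _, body, _ = _tlv(spki, 0)                     # SubjectPublicKeyInfo SEQUENCE
    _, algid, pos = _tlv(body, 0)                  # AlgorithmIdentifier
    _, oid_raw, apos = _tlv(algid, 0)
    _, pubkey, _ = _tlv(body, pos)                 # subjectPublicKey BIT STRING
    pubkey = pubkey[1:]                            # skip unused-bits byte
    if _oid(oid_raw) == OID_RSA:
        _, rsakey, _ = _tlv(pubkey, 0)             # RSAPublicKey { n, e }
        _, n_raw, _ = _tlv(rsakey, 0)
        return "RSA", "", int.from_bytes(n_raw, "big").bit_length()
    if _oid(oid_raw) == OID_EC:
        _, curve_raw, _ = _tlv(algid, apos)        # namedCurve parameter
        name, bits = CURVES.get(_oid(curve_raw), ("unknown", 0))
        return "ECDSA", name, bits
    raise ValueError("unsupported key algorithm " + _oid(oid_raw))

def _der(tag, value):                              # minimal DER TLV encoder for samples
    n = len(value)
    length = bytes([n]) if n < 128 else b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + value

# Constructed P-256 SPKI: real OIDs, dummy (non-validated) public point.
EC_SPKI = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200") + b"\x04" + b"\x11" * 64
# Constructed RSA SPKI with a 2048-bit dummy modulus and e = 65537.
_n = ((1 << 2047) | 1).to_bytes(256, "big")
_rsa_key = _der(0x30, _der(0x02, b"\x00" + _n) + _der(0x02, b"\x01\x00\x01"))
_algid = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")
RSA_SPKI = _der(0x30, _algid + _der(0x03, b"\x00" + _rsa_key))
```

`describe_spki` returns `("ECDSA", "P-256", 256)` for the EC sample and `("RSA", "", 2048)` for the RSA one, which is the information a "certificate type" line in the dialog would print.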