[openssl-users] openvpn 2.4.1 with gost

Dmitry Belyavsky beldmit at gmail.com
Tue Apr 18 12:22:46 UTC 2017


Hello,

As far as I know, openvpn does not work with GOST algorithms without
patches.

On Tue, Apr 18, 2017 at 12:16 PM, R.S via openssl-users <
openssl-users at openssl.org> wrote:

> Hello.
> I have just built openvpn with openvpn-build with these versions:
> OPENSSL_VERSION="${OPENSSL_VERSION:-1.0.2k}"
> PKCS11_HELPER_VERSION="${PKCS11_HELPER_VERSION:-1.11}"
> LZO_VERSION="${LZO_VERSION:-2.10}"
> TAP_WINDOWS_VERSION="${TAP_WINDOWS_VERSION:-9.21.2}"
> OPENVPN_VERSION="${OPENVPN_VERSION:-2.4.1}"
> OPENVPN_GUI_VERSION="${OPENVPN_GUI_VERSION:-11}"
>
> Compilation succeeded, no problem.
> I modified openssl.cnf to include engine gost.
> openssl_conf = openssl_def
> [ openssl_def ]
> engines = engine_section
> [ engine_section ]
> gost = gost_section
> [gost_section]
> default_algorithms=ALL
> engine_id=gost
>
> openssl ciphers | tr ":" "\n" | grep GOST
> GOST2001-GOST89-GOST89
> GOST94-GOST89-GOST89
>
> openssl list-message-digest-algorithms | grep gost
> gost-mac
> md_gost94
> gost-mac
> md_gost94
>
> openssl shows me GOST.
>
> ------
> gost-server.ovpn
> -----
> dev tap
> engine gost
> auth gost-mac
> cipher gost89
> tls-cipher GOST2001-GOST89-GOST89
> #comp-lzo yes
> ca ca.crt
> cert server.crt
> key server.key
> dh    dhparam.pem
> server 10.0.0.0 255.255.255.0
> keepalive 10 120
> proto tcp
> socket-flags TCP_NODELAY
> persist-key
> persist-tun
>
> openvpn gost-server.ovpn tells me
> -- Initializing OpenSSL support for engine 'gost'
> -- Deprecated TLS cipher name 'GOST2001-GOST89-GOST89', please use IANA
> name 'TLS_GOSTR341001_WITH_28147_CNT_IMIT'
> -- OpenSSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher
> match
> -- Failed to set restricted TLS cipher list: GOST2001-GOST89-GOST89
> -- Exiting due to fatal error
>
> Please help with this problem
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>


-- 
SY, Dmitry Belyavsky
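
Added example (not part of the original messages, and not OpenVPN or OpenSSL code): a small triage helper that rejoins the mail-wrapped log lines quoted above and decodes the packed OpenSSL error code `1410D0B9` into its library, function and reason fields. The function names and the lookup tables are illustrative assumptions and cover only the code seen in this thread.

```python
import re

# Packed error layout in the OpenSSL 1.0.2 series the post builds against
# (ERR_PACK in err.h): 8 bits library, 12 bits function, 12 bits reason.
# The name tables below cover only the error code seen in this thread.
LIBS = {0x14: "SSL routines"}
FUNCS = {(0x14, 0x10D): "SSL_CTX_set_cipher_list"}
REASONS = {(0x14, 0x0B9): "no cipher match"}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{1,8}):([^:]*):([^:]*):(.*)")

# Log lines copied from the quoted message, wrapped the way the mail shows them.
SAMPLE_LOG = """\
-- Initializing OpenSSL support for engine 'gost'
-- Deprecated TLS cipher name 'GOST2001-GOST89-GOST89', please use IANA
name 'TLS_GOSTR341001_WITH_28147_CNT_IMIT'
-- OpenSSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher
match
-- Failed to set restricted TLS cipher list: GOST2001-GOST89-GOST89
-- Exiting due to fatal error
"""

def decode_error_code(code):
    """Split a packed error code into (library, function, reason) numbers."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def join_wrapped(log_text):
    """Rebuild log entries: each starts with '-- ', other lines continue it."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()  # also drop mail quote markers
        if line.startswith("-- ") or not entries:
            entries.append(line)
        elif line:
            entries[-1] += " " + line
    return entries

def parse_openssl_errors(log_text):
    """Return one dict per OpenSSL error string, with decoded numeric fields."""
    found = []
    for entry in join_wrapped(log_text):
        m = ERR_RE.search(entry)
        if not m:
            continue
        lib, func, reason = decode_error_code(int(m.group(1), 16))
        text = (m.group(2), m.group(3), m.group(4).strip())
        names = (LIBS.get(lib), FUNCS.get((lib, func)), REASONS.get((lib, reason)))
        # "consistent" is True when the numeric fields match the printed names.
        found.append({"lib": lib, "func": func, "reason": reason,
                      "text": text, "consistent": names == text})
    return found
```

For the quoted log this yields a single error with library 0x14, function 0x10D and reason 0x0B9, which is the same "no cipher match" condition the text of the message reports.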