Git Product home page Git Product logo

Comments (3)

kevinmkane avatar kevinmkane commented on July 28, 2024

Your error messages suggest either OpenVPN isn't actually being linked at runtime with the the OQS fork of OpenSSL, but are instead linking to the system-installed version of OpenSSL; or you're generating your Picnic certs with a newer version of OQS-OpenSSL which the version we're currently dependent on doesn't support. As with all the PQ algorithms, Picnic has been updated over time. We also don't support using the 1.1 fork of OQS-OpenSSL; we only support the 1.0.2 fork. Our build scripts fetch a specific commit from OQS-OpenSSL for this reason. Make sure you're running all the openssl commands referring specifically to the openssl binary generated by the OQS-OpenSSL build.

We're currently working to make the OQS-OpenSSL 1.1 fork compatible with OpenVPN, and our next release will both update to the latest version of OpenVPN and support OQS-OpenSSL 1.1.

All that aside, we did discover after the fact that most Picnic certificates trigger a bug in OpenSSL because they end up being too large, and trip a size limitation in the TLS code. Oops! Sorry about that. So it does end up being the case that Picnic isn't currently very usable, and we're recommending the use of RSA certificates for now, and then you still get the benefit of using post-quantum key exchange. This should also be working, and with the updated version of Picnic, in our next release.

from pqcrypto-vpn.

vbog1 avatar vbog1 commented on July 28, 2024

Thanks for the explanation.

And yes, I managed to establish connection with tls-cipher OQSKEX-LWE-FRODO-RECOMMENDED-ECDHE-ECDSA-AES256-GCM-SHA384

from pqcrypto-vpn.

kevinmkane avatar kevinmkane commented on July 28, 2024

@vbog1 I've got a candidate of the 1.3 release, where Picnic certificates are now working, in the dev-1.3 branch: https://github.com/microsoft/PQCrypto-VPN/tree/dev-1.3

I've moved to using submodules for the various dependencies, so clone with: git clone --branch dev-1.3 --recurse-submodules https://github.com/microsoft/PQCrypto-VPN.git. There's also a Dockerfile under openvpn/build/docker as well. The Windows build is now done completely cross-compiled, so everything gets built in one step now.

Feedback welcome!

from pqcrypto-vpn.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.