OpenSSL ciphers

Started by miac60, February 17, 2016, 01:15:18 PM

Hi.
OPNsense with OpenSSL has a preinstalled GOST engine.
It can be enabled in openssl.cnf.
My question: how can I extend the list of "Encryption algorithms" in the Web UI when configuring an OpenVPN server?


February 18, 2016, 07:15:09 AM #2 Last Edit: February 18, 2016, 08:15:40 AM by franco
As far as I can see the options ZLIB and RFC3779 are not installed, but the SHARED library libgost.so is.

You'll probably have to edit /usr/local/etc/ssl/openssl.cnf according to the document. This file will not be overridden on firmware upgrades (openssl "owns" this file, but uses a sample file mechanism for safety).

If it works without ZLIB and RFC3779, that's good. If you're using custom builds and need the options you'll need to add the options to the build file:

https://github.com/opnsense/tools/blob/master/config/16.1/make.conf#L14

I am unsure about flipping these options on by default, I don't know what they do yet. This will require some research and discussion here. :)
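
An added example, not taken from the posts in this thread or from the OPNsense project: the engine stanza that the OpenSSL 1.0.x README.gost describes for loading the GOST engine through openssl.cnf. The section labels are arbitrary names, and the `dynamic_path` value is a placeholder, since the thread does not say where libgost.so is installed.

```ini
# Fragment for /usr/local/etc/ssl/openssl.cnf (the path named in the post above).
# This first line must sit in the default (unnamed) section, i.e. above the
# first [section] header of the file; placed lower down it is silently ignored.
openssl_conf = openssl_def

# The remaining sections can go anywhere in the file.
# openssl_def, engine_section and gost_section are labels chosen for this
# example; only the references between them have to match.
[openssl_def]
engines = engine_section

[engine_section]
gost = gost_section

[gost_section]
engine_id = gost
# Assumption: only needed when libgost.so is outside OpenSSL's default
# engines directory. Replace the placeholder with the real location.
# dynamic_path = <path-to>/libgost.so
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
```

After the change, `openssl engine gost -c` should list the engine's algorithms, and `openssl ciphers` should include the GOST suites if the library build supports them.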

We make some kind of custom build, just replace the openssl lib with another one.
And now "openssl ciphers" shows GOST. And we want to add these ciphers in the WebUI.
Unfortunately GOST ciphers do not work without RFC3779 and Zlib.