openvpn/README.mbedtls

This version of OpenVPN has mbed TLS support. To enable, follow the
instructions below:

To build and install,

	./configure --with-crypto-library=mbedtls
	make
	make install

This version requires mbed TLS version >= 2.0.0 or >= 3.2.1.

*************************************************************************

Warning:

As of mbed TLS 2.17, it can be licensed *only* under the Apache v2.0 license.
That license is incompatible with OpenVPN's GPLv2.

We are currently in the process of resolving this problem, but for now, if you
wish to distribute OpenVPN linked with mbed TLS, there are two options:

 * Ensure that your case falls under the system library exception in GPLv2, or

 * Use an earlier version of mbed TLS. Version 2.16.12 is the last release
   that may be licensed under GPLv2. Unfortunately, this version is
   unsupported and won't receive any more updates.

*************************************************************************

Due to limitations in the mbed TLS library, the following features are missing
in the mbed TLS version of OpenVPN:

 * PKCS#12 file support
 * --capath support - Loading certificate authorities from a directory
 * Windows CryptoAPI support
 * X.509 alternative username fields (must be "CN")

Plugin/Script features:

 * X.509 subject line has a different format than the OpenSSL subject line
 * X.509 certificate tracking

*************************************************************************

Mbed TLS 3 has implemented (parts of) the TLS 1.3 protocol, but we have disabled
support in OpenVPN because the TLS-Exporter function is not yet implemented.
Update README.mbedtls Change-Id: Ia61c467d85d690752011bafcf112e39d5b252aa7 Signed-off-by: Max Fillinger <max@max-fillinger.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Message-Id: <20231025121928.1031109-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27295.html Signed-off-by: Gert Doering <gert@greenie.muc.de> 2023-10-25 14:19:28 +02:00			`This version of OpenVPN has mbed TLS support. To enable, follow the`
			`instructions below:`
Added PolarSSL support: - Crypto library - SSL library - PKCS#11 support For missing features, please see README.polarssl Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com> 2011-07-01 14:15:11 +02:00
Update README.mbedtls Change-Id: Ia61c467d85d690752011bafcf112e39d5b252aa7 Signed-off-by: Max Fillinger <max@max-fillinger.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Message-Id: <20231025121928.1031109-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27295.html Signed-off-by: Gert Doering <gert@greenie.muc.de> 2023-10-25 14:19:28 +02:00			`To build and install,`
Added PolarSSL support: - Crypto library - SSL library - PKCS#11 support For missing features, please see README.polarssl Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com> 2011-07-01 14:15:11 +02:00
docs: Replace all PolarSSL references to mbed TLS There were references in our documentation to the now deprecated PolarSSL library, which have changed name upstream to mbed TLS. In addition, where appropriate, the documentation now considers only mbed TLS 2.0 and newer. This is in accordance with the requirements ./configure sets. [DS: On-the-fly change - Updated Makefile.am to use README.mbedtls instead of README.polarssl. This ensures make dist and buildbots won't explode] Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <20170822114715.14225-1-davids@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15309.html Signed-off-by: David Sommerseth <davids@openvpn.net> 2017-08-22 13:47:15 +02:00			`./configure --with-crypto-library=mbedtls`
Added PolarSSL support: - Crypto library - SSL library - PKCS#11 support For missing features, please see README.polarssl Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com> 2011-07-01 14:15:11 +02:00			`make`
			`make install`

Update README.mbedtls Change-Id: Ia61c467d85d690752011bafcf112e39d5b252aa7 Signed-off-by: Max Fillinger <max@max-fillinger.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Message-Id: <20231025121928.1031109-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27295.html Signed-off-by: Gert Doering <gert@greenie.muc.de> 2023-10-25 14:19:28 +02:00			`This version requires mbed TLS version >= 2.0.0 or >= 3.2.1.`
Disabled X.509 track and username selection for PolarSSL Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com> 2011-07-05 13:09:13 +02:00
Added PolarSSL support: - Crypto library - SSL library - PKCS#11 support For missing features, please see README.polarssl Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com> 2011-07-01 14:15:11 +02:00			`*************************************************************************`

Add warning about mbed TLS licensing problem Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20220217142756.6581-1-maximilian.fillinger@foxcrypto.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23825.html Signed-off-by: Gert Doering <gert@greenie.muc.de> 2022-02-17 15:27:56 +01:00			`Warning:`

			`As of mbed TLS 2.17, it can be licensed only under the Apache v2.0 license.`
			`That license is incompatible with OpenVPN's GPLv2.`

Update README.mbedtls Change-Id: Ia61c467d85d690752011bafcf112e39d5b252aa7 Signed-off-by: Max Fillinger <max@max-fillinger.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Message-Id: <20231025121928.1031109-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27295.html Signed-off-by: Gert Doering <gert@greenie.muc.de> 2023-10-25 14:19:28 +02:00			`We are currently in the process of resolving this problem, but for now, if you`
			`wish to distribute OpenVPN linked with mbed TLS, there are two options:`
Add warning about mbed TLS licensing problem Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20220217142756.6581-1-maximilian.fillinger@foxcrypto.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23825.html Signed-off-by: Gert Doering <gert@greenie.muc.de> 2022-02-17 15:27:56 +01:00
			`* Ensure that your case falls under the system library exception in GPLv2, or`

			`* Use an earlier version of mbed TLS. Version 2.16.12 is the last release`
			`that may be licensed under GPLv2. Unfortunately, this version is`
			`unsupported and won't receive any more updates.`

			`*************************************************************************`

docs: Replace all PolarSSL references to mbed TLS There were references in our documentation to the now deprecated PolarSSL library, which have changed name upstream to mbed TLS. In addition, where appropriate, the documentation now considers only mbed TLS 2.0 and newer. This is in accordance with the requirements ./configure sets. [DS: On-the-fly change - Updated Makefile.am to use README.mbedtls instead of README.polarssl. This ensures make dist and buildbots won't explode] Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <20170822114715.14225-1-davids@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15309.html Signed-off-by: David Sommerseth <davids@openvpn.net> 2017-08-22 13:47:15 +02:00			`Due to limitations in the mbed TLS library, the following features are missing`
			`in the mbed TLS version of OpenVPN:`
Added PolarSSL support: - Crypto library - SSL library - PKCS#11 support For missing features, please see README.polarssl Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com> 2011-07-01 14:15:11 +02:00
			`* PKCS#12 file support`
Disabled X.509 track and username selection for PolarSSL Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com> 2011-07-05 13:09:13 +02:00			`* --capath support - Loading certificate authorities from a directory`
Added PolarSSL support: - Crypto library - SSL library - PKCS#11 support For missing features, please see README.polarssl Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com> 2011-07-01 14:15:11 +02:00			`* Windows CryptoAPI support`
Disabled X.509 track and username selection for PolarSSL Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com> 2011-07-05 13:09:13 +02:00			`* X.509 alternative username fields (must be "CN")`

			`Plugin/Script features:`
Added PolarSSL support: - Crypto library - SSL library - PKCS#11 support For missing features, please see README.polarssl Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com> 2011-07-01 14:15:11 +02:00
Disabled X.509 track and username selection for PolarSSL Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com> 2011-07-05 13:09:13 +02:00			`* X.509 subject line has a different format than the OpenSSL subject line`
			`* X.509 certificate tracking`
Update README.mbedtls Change-Id: Ia61c467d85d690752011bafcf112e39d5b252aa7 Signed-off-by: Max Fillinger <max@max-fillinger.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Message-Id: <20231025121928.1031109-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27295.html Signed-off-by: Gert Doering <gert@greenie.muc.de> 2023-10-25 14:19:28 +02:00
			`*************************************************************************`

Disable TLS 1.3 support with mbed TLS As of version 3.5.0 the TLS-Exporter function is not yet implemented in mbed TLS, and the exporter_master_secret is not exposed to the application either. Falling back to an older PRF when claiming to use TLS1.3 seems like false advertising. Change-Id: If4e1c4af9831eb1090ccb3a3c4d3e76b413f0708 Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Message-Id: <20231115151740.23948-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27453.html Signed-off-by: Gert Doering <gert@greenie.muc.de> 2023-11-15 16:17:40 +01:00			`Mbed TLS 3 has implemented (parts of) the TLS 1.3 protocol, but we have disabled`
			`support in OpenVPN because the TLS-Exporter function is not yet implemented.`