mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 03:52:28 +02:00
efad93d049
As of version 3.5.0 the TLS-Exporter function is not yet implemented in mbed TLS, and the exporter_master_secret is not exposed to the application either. Falling back to an older PRF when claiming to use TLS1.3 seems like false advertising. Change-Id: If4e1c4af9831eb1090ccb3a3c4d3e76b413f0708 Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Message-Id: <20231115151740.23948-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27453.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
48 lines
1.6 KiB
Plaintext
48 lines
1.6 KiB
Plaintext
This version of OpenVPN has mbed TLS support. To enable, follow the
|
|
instructions below:
|
|
|
|
To build and install,
|
|
|
|
./configure --with-crypto-library=mbedtls
|
|
make
|
|
make install
|
|
|
|
This version requires mbed TLS version >= 2.0.0 or >= 3.2.1.
|
|
|
|
*************************************************************************
|
|
|
|
Warning:
|
|
|
|
As of mbed TLS 2.17, it can be licensed *only* under the Apache v2.0 license.
|
|
That license is incompatible with OpenVPN's GPLv2.
|
|
|
|
We are currently in the process of resolving this problem, but for now, if you
|
|
wish to distribute OpenVPN linked with mbed TLS, there are two options:
|
|
|
|
* Ensure that your case falls under the system library exception in GPLv2, or
|
|
|
|
* Use an earlier version of mbed TLS. Version 2.16.12 is the last release
|
|
that may be licensed under GPLv2. Unfortunately, this version is
|
|
unsupported and won't receive any more updates.
|
|
|
|
*************************************************************************
|
|
|
|
Due to limitations in the mbed TLS library, the following features are missing
|
|
in the mbed TLS version of OpenVPN:
|
|
|
|
* PKCS#12 file support
|
|
* --capath support - Loading certificate authorities from a directory
|
|
* Windows CryptoAPI support
|
|
* X.509 alternative username fields (must be "CN")
|
|
|
|
Plugin/Script features:
|
|
|
|
* X.509 subject line has a different format than the OpenSSL subject line
|
|
* X.509 certificate export does not work
|
|
* X.509 certificate tracking
|
|
|
|
*************************************************************************
|
|
|
|
Mbed TLS 3 has implemented (parts of) the TLS 1.3 protocol, but we have disabled
|
|
support in OpenVPN because the TLS-Exporter function is not yet implemented.
|