From patchwork Wed Oct 25 12:19:28 2023
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 3407
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Cc: Max Fillinger
Date: Wed, 25 Oct 2023 14:19:28 +0200
Message-Id: <20231025121928.1031109-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH v8] Update README.mbedtls

From: Max Fillinger

Change-Id: Ia61c467d85d690752011bafcf112e39d5b252aa7
Signed-off-by: Max Fillinger
Acked-by: Frank Lichtenheld
---

This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/372
This mail reflects revision 8 of this Change.

Acked-by according to Gerrit (reflected above):
Frank Lichtenheld

diff --git a/README.mbedtls b/README.mbedtls
index d3466fa..9b75c2b 100644
--- a/README.mbedtls
+++ b/README.mbedtls
@@ -1,13 +1,13 @@ -This version of OpenVPN has mbed TLS support. To enable follow the following -instructions: +This version of OpenVPN has mbed TLS support. To enable, follow the +instructions below: -To Build and Install, +To build and install, ./configure --with-crypto-library=mbedtls make make install -This version depends on mbed TLS 2.0 (and requires at least 2.0.0). +This version requires mbed TLS version >= 2.0.0 or >= 3.2.1. ************************************************************************* @@ -16,7 +16,8 @@ As of mbed TLS 2.17, it can be licensed *only* under the Apache v2.0 license. That license is incompatible with OpenVPN's GPLv2. -If you wish to distribute OpenVPN linked with mbed TLS, there are two options: +We are currently in the process of resolving this problem, but for now, if you +wish to distribute OpenVPN linked with mbed TLS, there are two options: * Ensure that your case falls under the system library exception in GPLv2, or @@ -24,9 +25,6 @@ that may be licensed under GPLv2. Unfortunately, this version is unsupported and won't receive any more updates. -If nothing changes about the license situation, mbed TLS support may be -deprecated in a future release of OpenVPN. - ************************************************************************* Due to limitations in the mbed TLS library, the following features are missing 
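Review bot: In the first hunk, the new requirement line "This version requires mbed TLS version >= 2.0.0 or >= 3.2.1." reads as redundant, because any version >= 3.2.1 already satisfies >= 2.0.0. If the intent is that the 3.0.0 through 3.2.0 releases are not supported, say so explicitly, for example "This version requires either mbed TLS 2.x (at least 2.0.0) or mbed TLS 3.x (at least 3.2.1)."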
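Review bot: In the second hunk, "We are currently in the process of resolving this problem, but for now" is time-relative wording that will go stale in a README and gives the reader nothing to check the status against. Either point at where the licensing resolution is tracked, or drop "currently" and "for now" and keep only the factual statement that follows about the two options for distributing OpenVPN linked with mbed TLS.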
@@ -42,3 +40,22 @@ * X.509 subject line has a different format than the OpenSSL subject line * X.509 certificate export does not work * X.509 certificate tracking + +************************************************************************* + +Mbed TLS 3 supports the TLS 1.3 protocol, but the implementation is not yet +complete. Therefore, using TLS 1.3 in the mbed TLS build of OpenVPN is not yet +supported. + +Nevertheless, here are some pointers to make it work with mbed TLS 3.5.0: + + * The stock configuration of mbed TLS does not support TLS 1.3. To enable it, + uncomment `#define MBEDTLS_SSL_PROTO_TLS1_3` in your mbedtls_config.h before + compiling the library. + * An OpenVPN client with mbed TLS cannot connect to a server with OpenSSL + using TLS 1.3. + * An OpenVPN client with OpenSSL *can* connect to a server using mbed TLS with + TLS 1.3, but *only* if `#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE` has + been uncommented in mbedtls_config.h. + +Note that none of these limitations apply to TLS 1.2.
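Review bot: The new TLS 1.3 section says TLS 1.3 in the mbed TLS build "is not yet supported" and then gives build-time pointers for making it work, but it never states what the unmodified OpenVPN build does once `MBEDTLS_SSL_PROTO_TLS1_3` is enabled in the library: whether it negotiates TLS 1.3 automatically or stays on TLS 1.2 unless asked. Please add one sentence on that default, since a distribution shipping mbed TLS with TLS 1.3 enabled would otherwise run into the client-to-OpenSSL-server failure from the second bullet without having opted in. In the third bullet, "has been uncommented in mbedtls_config.h" should also say whose config is meant, i.e. the mbed TLS server's, so the reader does not look for it on the OpenSSL client side.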