[Openvpn-devel,v8] Extend the error message when TLS 1.0 PRF fails

Message ID 20231213105308.121460-1-frank@lichtenheld.com
State Accepted
Headers show
Series [Openvpn-devel,v8] Extend the error message when TLS 1.0 PRF fails | expand

Commit Message

Frank Lichtenheld Dec. 13, 2023, 10:53 a.m. UTC
From: Arne Schwabe <arne@rfc2549.org>

This error will probably become more and more common in the future when
more and more systems will drop TLS 1.0 PRF support. We are already
seeing people stumbling upon this (see GitHub issue #460)

The current error messages

  TLS Error: PRF calcuation failed
  TLS Error: generate_key_expansion failed

are not very helpful for people that do not have deep understanding
of TLS or the OpenVPN protocol. Improve this message to give a normal
user a chance to understand that the peer needs to be OpenVPN 2.6.x or

Change-Id: Ib3b64b52beed69dc7740f191b0e9a9dc9af5b7f3
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/456
This mail reflects revision 8 of this Change.

Acked-by according to Gerrit (reflected above):
Frank Lichtenheld <frank@lichtenheld.com>


Gert Doering Dec. 26, 2023, 7:40 p.m. UTC | #1
I have not actually tested this on a FIPS- or otherwise-impaired system,
just test compiled ("no stray characters") and looked at the new error
message, which is indeed more informative.

Your patch has been applied to the master and release/2.6 branch
(I claim it falls under "documentation improvements").

commit 6ff816142c1acdaee149c4daabb297fefc2ccde0 (master)
commit cfaf82d5eb62e1ed4804afa37817105e9aa4394a (release/2.6)
Author: Arne Schwabe
Date:   Wed Dec 13 11:53:08 2023 +0100

     Extend the error message when TLS 1.0 PRF fails

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
     Message-Id: <20231213105308.121460-1-frank@lichtenheld.com>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27796.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>

kind regards,

Gert Doering


diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 6eddb68..7597412 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1477,7 +1477,12 @@ 
         if (!generate_key_expansion_openvpn_prf(session, &key2))
-            msg(D_TLS_ERRORS, "TLS Error: PRF calcuation failed");
+            msg(D_TLS_ERRORS, "TLS Error: PRF calculation failed. Your system "
+                "might not support the old TLS 1.0 PRF calculation anymore or "
+                "the policy does not allow it (e.g. running in FIPS mode). "
+                "The peer did not announce support for the modern TLS Export "
+                "feature that replaces the TLS 1.0 PRF (requires OpenVPN "
+                "2.6.x or higher)");
             goto exit;