Message ID | 20231213105308.121460-1-frank@lichtenheld.com
---|---
State | Accepted
Series | [Openvpn-devel,v8] Extend the error message when TLS 1.0 PRF fails
I have not actually tested this on a FIPS- or otherwise-impaired system, just test compiled ("no stray characters") and looked at the new error message, which is indeed more informative.

Your patch has been applied to the master and release/2.6 branch (I claim it falls under "documentation improvements").

commit 6ff816142c1acdaee149c4daabb297fefc2ccde0 (master)
commit cfaf82d5eb62e1ed4804afa37817105e9aa4394a (release/2.6)
Author: Arne Schwabe
Date: Wed Dec 13 11:53:08 2023 +0100

Extend the error message when TLS 1.0 PRF fails

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231213105308.121460-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27796.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 6eddb68..7597412 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1477,7 +1477,12 @@ { if (!generate_key_expansion_openvpn_prf(session, &key2)) { - msg(D_TLS_ERRORS, "TLS Error: PRF calcuation failed"); + msg(D_TLS_ERRORS, "TLS Error: PRF calculation failed. Your system " + "might not support the old TLS 1.0 PRF calculation anymore or " + "the policy does not allow it (e.g. running in FIPS mode). " + "The peer did not announce support for the modern TLS Export " + "feature that replaces the TLS 1.0 PRF (requires OpenVPN " + "2.6.x or higher)"); goto exit; } }
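Review bot: the new message states a cause ("The peer did not announce support for the modern TLS Export feature") that nothing in the visible hunk checks; this branch is entered on any failure of `generate_key_expansion_openvpn_prf(session, &key2)`, so unless the surrounding code only reaches it when the TLS export key derivation was not negotiated, an operator whose PRF failed for another reason would be pointed at the wrong fix. Either confirm that guard in the caller or soften the wording, e.g. "probably because the peer did not announce support for ...". Two smaller points: the commit message does not mention that the old text's typo "calcuation" is corrected here, which would be worth a line since the change is otherwise silent, and the final sentence of the new string ("(requires OpenVPN 2.6.x or higher)") has no terminating period while the preceding sentences do.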