Message ID | 20250603140631.11696-1-gert@greenie.muc.de |
---|---|
State | New |
Series | [Openvpn-devel,v3] mbedtls: Allow TLS 1.3 if available |
A twisty nightmare of passages, all alike... (but ignoring the eye sore, these particular #ifdef are not actually that complex, well described, and well contained).

I have removed my Acked-By: from the commit - this was more a gerrit artefact due to -1'ing and then +2'ing the patch again. Frank and the BBs tested it ;-)

Your patch has been applied to the master branch.

commit abed088c9bf3d6ab479dbe815d4d307b21b816b6
Author: Max Fillinger
Date:   Tue Jun 3 16:06:24 2025 +0200

    mbedtls: Allow TLS 1.3 if available

    Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
    Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
    Message-Id: <20250603140631.11696-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31858.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
diff --git a/README.mbedtls b/README.mbedtls index c4f3924..a1012e9 100644 --- a/README.mbedtls +++ b/README.mbedtls @@ -26,5 +26,9 @@ ************************************************************************* -Mbed TLS 3 has implemented (parts of) the TLS 1.3 protocol, but we have disabled -support in OpenVPN because the TLS-Exporter function is not yet implemented. +Mbed TLS 3 has implemented TLS 1.3, but support in OpenVPN requires the +function mbedtls_ssl_export_keying_material() which is currently not in +any released version. It is available when building mbed TLS from source +(mbedtls-3.6 or development branch). + +Without this function, only TLS 1.2 is available. diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 0159166..b78439c 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -1048,11 +1048,14 @@ int tls_version_max(void) { -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + /* We need mbedtls_ssl_export_keying_material() to support TLS 1.3. */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) + return TLS_VER_1_3; +#elif defined(MBEDTLS_SSL_PROTO_TLS1_2) return TLS_VER_1_2; -#else /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */ - #error "mbedtls is compiled without support for TLS 1.2." -#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */ +#else + #error mbedtls is compiled without support for TLS 1.2 or 1.3 +#endif } /**
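Review bot: in the README.mbedtls hunk, "mbedtls-3.6 or development branch" is ambiguous because 3.6 is also a released version line, while the preceding sentence says the function is in no released version; write "the mbedtls-3.6 git branch" and name the build-time condition the code actually tests, MBEDTLS_SSL_KEYING_MATERIAL_EXPORT, so a reader can check their own mbed TLS build rather than guess from a version number, e.g. "OpenVPN enables TLS 1.3 only when mbed TLS is built with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT, which provides mbedtls_ssl_export_keying_material()". The phrase "currently not in any released version" will go stale quickly; tying the statement to the macro avoids that.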
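Review bot: in the ssl_mbedtls.c hunk, the catch-all `#error mbedtls is compiled without support for TLS 1.2 or 1.3` is misleading for a build that has MBEDTLS_SSL_PROTO_TLS1_3 but lacks both MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and TLS 1.2: that mbed TLS does support TLS 1.3, it only lacks the exporter OpenVPN needs. Consider an extra branch before the catch-all, e.g. `#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)` followed by `#error "TLS 1.3 in mbedtls requires MBEDTLS_SSL_KEYING_MATERIAL_EXPORT"`, and extend the new comment to say that this macro is what makes mbedtls_ssl_export_keying_material() available, since the comment names the function while the condition tests the macro. The hunk only raises what tls_version_max() reports; worth confirming that the keying-material export call site is guarded by the same condition, otherwise a build against an older mbed TLS that defines MBEDTLS_SSL_PROTO_TLS1_3 could fail at link time.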