@@ -1,13 +1,13 @@
-This version of OpenVPN has mbed TLS support. To enable follow the following
-instructions:
+This version of OpenVPN has mbed TLS support. To enable, follow the
+instructions below:
-To Build and Install,
+To build and install,
./configure --with-crypto-library=mbedtls
make
make install
-This version depends on mbed TLS 2.0 (and requires at least 2.0.0).
+This version requires mbed TLS version >= 2.16.12 or >= 3.2.1.
*************************************************************************
@@ -16,7 +16,8 @@
As of mbed TLS 2.17, it can be licensed *only* under the Apache v2.0 license.
That license is incompatible with OpenVPN's GPLv2.
-If you wish to distribute OpenVPN linked with mbed TLS, there are two options:
+We are currently in the process of resolving this problem, but for now, if you
+wish to distribute OpenVPN linked with mbed TLS, there are two options:
* Ensure that your case falls under the system library exception in GPLv2, or
@@ -24,9 +25,6 @@
that may be licensed under GPLv2. Unfortunately, this version is
unsupported and won't receive any more updates.
-If nothing changes about the license situation, mbed TLS support may be
-deprecated in a future release of OpenVPN.
-
*************************************************************************
Due to limitations in the mbed TLS library, the following features are missing
@@ -42,3 +40,24 @@
* X.509 subject line has a different format than the OpenSSL subject line
* X.509 certificate export does not work
* X.509 certificate tracking
+
+*************************************************************************
+
+Mbed TLS 3 supports the TLS 1.3 protocol, but the implementation is not yet
+complete. Therefore, using TLS 1.3 in the mbed TLS build of OpenVPN is not yet
+supported.
+
+Nevertheless, here are some pointers to make it work with mbed TLS 3.4.1:
+
+ * The stock configuration of mbed TLS does not support TLS 1.3. To enable it,
+ uncomment `MBEDTLS_SSL_PROTO_TLS1_3` in your mbedtls_config.h before
+ compiling the library.
+ * The server cannot speak both TLS 1.2 and TLS 1.3. Run the server with the
+ option `--tls-version-min 1.3` to ensure that it speaks only TLS 1.3.
+ * An OpenVPN client with mbed TLS cannot connect to a server with OpenSSL
+ using TLS 1.3.
+ * An OpenVPN client with OpenSSL *can* connect to a server using mbed TLS with
+ TLS 1.3, but *only* if `MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE` has been
+ uncommented in mbedtls_config.h.
+
+Note that none of these limitations apply to TLS 1.2.
Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/372?usp=email to review the following change. Change subject: Update README.mbedtls ...................................................................... Update README.mbedtls Change-Id: Ia61c467d85d690752011bafcf112e39d5b252aa7 Signed-off-by: Max Fillinger <max@max-fillinger.net> --- M README.mbedtls 1 file changed, 27 insertions(+), 8 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/72/372/1