From patchwork Tue Oct 17 17:06:01 2023
X-Patchwork-Submitter: "its_Giaan (Code Review)"
X-Patchwork-Id: 3394
From: "MaxF (Code Review)"
X-Gerrit-PatchSet: 1
Date: Tue, 17 Oct 2023 17:06:01 +0000
To: plaisthos, flichtenheld
Auto-Submitted: auto-generated
X-Gerrit-MessageType: newchange
X-Gerrit-Change-Id: Ia61c467d85d690752011bafcf112e39d5b252aa7
X-Gerrit-Change-Number: 372
X-Gerrit-Project: openvpn
X-Gerrit-Commit: 10096577d6748651d2138d19751a43d7cc2855f9
Message-ID: <25fd60a859c3ead3d8e71b6658f6eeae145a40be-HTML@gerrit.openvpn.net>
MIME-Version: 1.0
User-Agent: Gerrit/3.8.2
Subject: [Openvpn-devel] [S] Change in openvpn[master]: Update README.mbedtls
List-Id: openvpn-devel@lists.sourceforge.net
Reply-To: max@max-fillinger.net, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com
Cc: openvpn-devel
Errors-To: openvpn-devel-bounces@lists.sourceforge.net

Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/372?usp=email to review the following change.

Change subject: Update README.mbedtls
......................................................................
Update README.mbedtls Change-Id: Ia61c467d85d690752011bafcf112e39d5b252aa7 Signed-off-by: Max Fillinger --- M README.mbedtls 1 file changed, 27 insertions(+), 8 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/72/372/1 diff --git a/README.mbedtls b/README.mbedtls index d3466fa..f6ebafa 100644 --- a/README.mbedtls +++ b/README.mbedtls @@ -1,13 +1,13 @@ -This version of OpenVPN has mbed TLS support. To enable follow the following -instructions: +This version of OpenVPN has mbed TLS support. To enable, follow the +instructions below: -To Build and Install, +To build and install, ./configure --with-crypto-library=mbedtls make make install -This version depends on mbed TLS 2.0 (and requires at least 2.0.0). +This version requires mbed TLS version >= 2.16.12 or >= 3.2.1. ************************************************************************* @@ -16,7 +16,8 @@ As of mbed TLS 2.17, it can be licensed *only* under the Apache v2.0 license. That license is incompatible with OpenVPN's GPLv2. -If you wish to distribute OpenVPN linked with mbed TLS, there are two options: +We are currently in the process of resolving this problem, but for now, if you +wish to distribute OpenVPN linked with mbed TLS, there are two options: * Ensure that your case falls under the system library exception in GPLv2, or @@ -24,9 +25,6 @@ that may be licensed under GPLv2. Unfortunately, this version is unsupported and won't receive any more updates. -If nothing changes about the license situation, mbed TLS support may be -deprecated in a future release of OpenVPN. - ************************************************************************* Due to limitations in the mbed TLS library, the following features are missing 
@@ -42,3 +40,24 @@ * X.509 subject line has a different format than the OpenSSL subject line * X.509 certificate export does not work * X.509 certificate tracking + +************************************************************************* + +Mbed TLS 3 supports the TLS 1.3 protocol, but the implementation is not yet +complete. Therefore, using TLS 1.3 in the mbed TLS build of OpenVPN is not yet +supported. + +Nevertheless, here are some pointers to make it work with mbed TLS 3.4.1: + + * The stock configuration of mbed TLS does not support TLS 1.3. To enable it, + uncomment `MBEDTLS_SSL_PROTO_TLS1_3` in your mbedtls_config.h before + compiling the library. + * The server cannot speak both TLS 1.2 and TLS 1.3. Run the server with the + option `--tls-version-min 1.3` to ensure that it speaks only TLS 1.3. + * An OpenVPN client with mbed TLS cannot connect to a server with OpenSSL + using TLS 1.3. + * An OpenVPN client with OpenSSL *can* connect to a server using mbed TLS with + TLS 1.3, but *only* if `MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE` has been + uncommented in mbedtls_config.h. + +Note that none of these limitations apply to TLS 1.2.
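Review bot: in the first hunk (@@ -1,13 +1,13 @@), the new sentence "This version requires mbed TLS version >= 2.16.12 or >= 3.2.1" gives two disjoint minimums with no upper bound, while the TLS 1.3 section added at the end of the file is written against 3.4.1 specifically; please confirm that the version check in configure enforces exactly these minimums so the README and the build cannot drift apart, and consider spelling the requirement out in prose ("mbed TLS 2.16.12 or later, or 3.2.1 or later") since ">= 2.16.12 or >= 3.2.1" reads as though 2.16.12 alone would also satisfy the 3.x branch.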
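Review bot: in the second hunk (@@ -16,7 +16,8 @@), "We are currently in the process of resolving this problem" is a time-bound statement with no reference and will go stale in a README that is read from release tarballs years later; either point to where the licensing work is tracked or drop the clause and keep the original "If you wish to distribute OpenVPN linked with mbed TLS, there are two options:".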
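Review bot: the third hunk (@@ -24,9 +25,6 @@) removes the warning that mbed TLS support may be deprecated, but the surrounding text still says the license conflict is unresolved and that the last GPLv2-compatible mbed TLS version is unsupported and receives no updates; if deprecation is no longer on the table, say so explicitly, otherwise keep a one-line signal for distributors (for example "Until the license situation is resolved, mbed TLS support should be considered at risk.") so that removing the paragraph is not read as an all-clear.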
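Review bot: in the last hunk (@@ -42,3 +40,24 @@), the new section says TLS 1.3 in the mbed TLS build "is not yet supported" and then gives instructions for running it, so please state what "not supported" means here (untested and without guarantees, rather than refused by OpenVPN at runtime), since a reader may otherwise assume the build rejects TLS 1.3. The bullet "Run the server with the option `--tls-version-min 1.3`" should also warn that this is a global cutover: every client that cannot complete a TLS 1.3 handshake against mbed TLS is locked out, which per the following bullets includes OpenSSL clients unless `MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE` is enabled in the server's mbedtls_config.h. Because the pointers name 3.4.1 and specific config macros, say that they were verified against that version only. Minor: the hunk mixes "Mbed TLS 3" and "mbed TLS"; the rest of the file uses "mbed TLS".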