[Openvpn-devel,XS] Change in openvpn[master]: Extend the error message when TLS 1.0 PRF fails

Message ID 7a28bedac4ce2e50fb3c3504c97b7fd91f6cddd3-HTML@gerrit.openvpn.net
State Superseded
Headers show
Series [Openvpn-devel,XS] Change in openvpn[master]: Extend the error message when TLS 1.0 PRF fails | expand

Commit Message

its_Giaan (Code Review) Nov. 21, 2023, 6:18 p.m. UTC
Attention is currently required from: flichtenheld.

Hello flichtenheld,

I'd like you to do a code review.
Please visit

    http://gerrit.openvpn.net/c/openvpn/+/456?usp=email

to review the following change.


Change subject: Extend the error message when TLS 1.0 PRF fails
......................................................................

Extend the error message when TLS 1.0 PRF fails

This error will probably become more and more common in the future when
more and more system will drop TLS 1.0 PRF support. We are already seeing
people stumbling upon this (see GitHub issue #460)

The current error messages

  TLS Error: PRF calcuation failed
  TLS Error: generate_key_expansion failed

are not very helpful for people that do not have deep understanding of TLS or
the OpenVPN protocol. Improve a on this message to give a normal user a chance
to understand that the peer needs to be OpenVPN 2.6.x or newer.

Change-Id: Ib3b64b52beed69dc7740f191b0e9a9dc9af5b7f3
---
M src/openvpn/ssl.c
1 file changed, 6 insertions(+), 1 deletion(-)



  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/56/456/1

Patch

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 400230c..9817b2e 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1641,7 +1641,12 @@ 
     {
         if (!generate_key_expansion_openvpn_prf(session, &key2))
         {
-            msg(D_TLS_ERRORS, "TLS Error: PRF calcuation failed");
+            msg(D_TLS_ERRORS, "TLS Error: PRF calculation failed. Your system "
+                "might not support the old TLS 1.0 PRF calculation anymore or "
+                "the policy does not allow TLS1 PRF calculation anymore "
+                "(e.g. running in FIPS mode). The peer did not announce support "
+                "for the modern TLS Export feature that replaces the TLS 1.0"
+                "RPF (requires OpenVPN 2.6.x or higher)");
             goto exit;
         }
     }