From patchwork Wed Nov 15 15:17:40 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gert Doering X-Patchwork-Id: 3448 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7300:3c06:b0:f2:62eb:61c1 with SMTP id e6csp2993337dys; Wed, 15 Nov 2023 07:18:38 -0800 (PST) X-Google-Smtp-Source: AGHT+IFyzIPshrXnkYfRxmZaGKgnCKcVxWa4dMy3P7M2MbuG0nZX79G3BjtSDgSyxjs2Cq6p9UKa X-Received: by 2002:a17:902:cec3:b0:1c6:9312:187 with SMTP id d3-20020a170902cec300b001c693120187mr3490244plg.3.1700061518499; Wed, 15 Nov 2023 07:18:38 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1700061518; cv=none; d=google.com; s=arc-20160816; b=FBw2nHGgndVJiKvymG7vwxtOlVCLCZIFqrKOp+JLdhkv7Iidzib+EGGQpjjwY+XIEr BpH4VPwwVqAnJ7rMv8HWtetFrzyHpwtYCIgg1ZvYARE5gnI9/QmjdniKAs0bkPXPQpne gCSm2V4Ik20aRh6W4HoICBEFU/HRsLEc8gNWqXzw0Ggv2niqFNo+Pa6OoNJR+AnIewRh QrIx/9kQtXAHNyFP2wJhajNFrzAgffSg0ezlYk/N08W7qzj3YAUSkEvKXnQ5UXFkQJ3S VoZhaWsELIC4gJyR8K37m8lmGBHpntppxj0yhhL/9o2hOaWxxYknEhPIr+ltikC80ovT Dy/w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature; bh=drrN+KILNC525RGLKwrG8wEJ4L83aKfrQ5DCqSe2hzY=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=TkbsJU53EHNk/InfFkzB8o410MxdTltNo2aXgIWSbzDS/GWRkIZ+6+b8y17vRihFYK P+1GWVldqIbe0/CdCC9dxPOeKyOpovL5UXR60yuXX3KI0c93B545PzwQyoEiIy0XNJhs 4fNY2VlppF+nPSWVQAaxIos80oAVLnbg0DoPqoU44XFS+i9zqtCY1qAxjrQ3ZKceyuG+ oNtQsC9/k8KuY9kKYkvGYpBFnpRIK0CI9rgj+8NvJ0GdYZbuLOxF41LEu6QZz267Nzo2 GtkuenSW0HyBVEOq1LQUohdXVn4dQAODBe/9JSjUwgX5ZOcLQ/LrOoqiUlnhGcpsSfcN Lf5w== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=LHw8lx2L; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=Ao8ov7sX; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id b5-20020a170902b60500b001bbcddc33dasi9901585pls.180.2023.11.15.07.18.38 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 15 Nov 2023 07:18:38 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=LHw8lx2L; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=Ao8ov7sX; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1r3HeK-00035k-AY; Wed, 15 Nov 2023 15:17:51 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1r3HeI-00035Z-Nl for openvpn-devel@lists.sourceforge.net; Wed, 15 Nov 2023 15:17:49 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=gKvaSV8gJPnF1wDpgxDVtpIyaPP/Yy9ySdCpr6AJ7Bg=; b=LHw8lx2LvAPCY4STzAJzEZ9mms JGD0AgcOIBfYApxuW++RIDfe71QlhT8IPNXYqjznbixc0DTYuYBEBLr1vJQrvPUGj400DAFJ1cbGv IErVOZMf4PiBe39gMBD6Sv021M/XSq/dD/wZD0bWmpHRfPXUF9efm4TZQKBj4D7dvIJQ=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=gKvaSV8gJPnF1wDpgxDVtpIyaPP/Yy9ySdCpr6AJ7Bg=; b=Ao8ov7sXuljUfylXLwxXBgWlCp Gqyad6VqbghD2lMj7ads+axnA0CrrSXEJBocN0x3ur3O+IndloGhXpUTaX2KmQJDYa1p/+/CY0bqj jaC4cRE8Zg4jktXX9lDADzhK59o2AcZgm0dOFDwLeRb2mremnNLeQ8TcF/SNaJ+JqYcU=; Received: from dhcp-174.greenie.muc.de ([193.149.48.174] helo=blue.greenie.muc.de) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1r3HeF-006ZzF-TL for openvpn-devel@lists.sourceforge.net; Wed, 15 Nov 2023 15:17:49 +0000 Received: from blue.greenie.muc.de (localhost [127.0.0.1]) by blue.greenie.muc.de (8.17.1.9/8.17.1.9) with ESMTP id 3AFFHfDv023958 for ; Wed, 15 Nov 2023 16:17:41 +0100 Received: (from gert@localhost) by blue.greenie.muc.de (8.17.1.9/8.17.1.9/Submit) id 3AFFHfUt023957 for openvpn-devel@lists.sourceforge.net; Wed, 15 Nov 2023 16:17:41 +0100 From: Gert Doering To: openvpn-devel@lists.sourceforge.net Date: Wed, 15 Nov 2023 16:17:40 +0100 Message-ID: <20231115151740.23948-1-gert@greenie.muc.de> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: -0.0 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Max Fillinger As of version 3.5.0 the TLS-Exporter function is not yet implemented in mbed TLS, and the exporter_master_secret is not exposed to the application either. Falling back to an older PRF when claiming to [...] Content analysis details: (-0.0 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Headers-End: 1r3HeF-006ZzF-TL Subject: [Openvpn-devel] [PATCH v5] Disable TLS 1.3 support with mbed TLS X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1782643706815684569?= X-GMAIL-MSGID: =?utf-8?q?1782643706815684569?= From: Max Fillinger As of version 3.5.0 the TLS-Exporter function is not yet implemented in mbed TLS, and the exporter_master_secret is not exposed to the application either. Falling back to an older PRF when claiming to use TLS1.3 seems like false advertising. Change-Id: If4e1c4af9831eb1090ccb3a3c4d3e76b413f0708 Signed-off-by: Max Fillinger Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/403 This mail reflects revision 5 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/README.mbedtls b/README.mbedtls index 9b75c2b..ed9d369 100644 --- a/README.mbedtls +++ b/README.mbedtls @@ -43,19 +43,5 @@ ************************************************************************* -Mbed TLS 3 supports the TLS 1.3 protocol, but the implementation is not yet -complete. Therefore, using TLS 1.3 in the mbed TLS build of OpenVPN is not yet -supported. - -Nevertheless, here are some pointers to make it work with mbed TLS 3.5.0: - - * The stock configuration of mbed TLS does not support TLS 1.3. To enable it, - uncomment `#define MBEDTLS_SSL_PROTO_TLS1_3` in your mbedtls_config.h before - compiling the library. - * An OpenVPN client with mbed TLS cannot connect to a server with OpenSSL - using TLS 1.3. - * An OpenVPN client with OpenSSL *can* connect to a server using mbed TLS with - TLS 1.3, but *only* if `#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE` has - been uncommented in mbedtls_config.h. - -Note that none of these limitations apply to TLS 1.2. +Mbed TLS 3 has implemented (parts of) the TLS 1.3 protocol, but we have disabled +support in OpenVPN because the TLS-Exporter function is not yet implemented. diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 5168484..9c9167d 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -1037,17 +1037,15 @@ int tls_version_max(void) { -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - return TLS_VER_1_3; -#elif defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) return TLS_VER_1_2; #elif defined(MBEDTLS_SSL_PROTO_TLS1_1) return TLS_VER_1_1; #elif defined(MBEDTLS_SSL_PROTO_TLS1) return TLS_VER_1_0; -#else /* if defined(MBEDTLS_SSL_PROTO_TLS1_3) */ - #error "mbedtls is compiled without support for any version of TLS." -#endif +#else /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */ + #error "mbedtls is compiled without support for TLS 1.0, 1.1 and 1.2." +#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */ } /** @@ -1089,13 +1087,6 @@ break; #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - case TLS_VER_1_3: - *major = MBEDTLS_SSL_MAJOR_VERSION_3; - *minor = MBEDTLS_SSL_MINOR_VERSION_4; - break; -#endif - default: msg(M_FATAL, "%s: invalid or unsupported TLS version %d", __func__, tls_ver); break;