diff options
author | Max Fillinger | 2023-11-15 16:17:40 +0100 |
---|---|---|
committer | Gert Doering | 2024-01-17 17:57:53 +0100 |
commit | 7fa534dbb81c7e3d526a2e9110f35d11de26105c (patch) | |
tree | fba2f4eac488bf319a73acd0a95f6c511e6c2390 | |
parent | 1aa2995ebc06a2b8d6df48eb63eb15482fd07865 (diff) | |
download | openvpn-7fa534dbb81c7e3d526a2e9110f35d11de26105c.zip openvpn-7fa534dbb81c7e3d526a2e9110f35d11de26105c.tar.gz |
Disable TLS 1.3 support with mbed TLS
As of version 3.5.0 the TLS-Exporter function is not yet implemented in
mbed TLS, and the exporter_master_secret is not exposed to the
application either. Falling back to an older PRF when claiming to use
TLS1.3 seems like false advertising.
Change-Id: If4e1c4af9831eb1090ccb3a3c4d3e76b413f0708
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231115151740.23948-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27453.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit efad93d049c318a3bd9ea5956c6ac8237b8d6d70)
-rw-r--r-- | README.mbedtls | 18 | ||||
-rw-r--r-- | src/openvpn/ssl_mbedtls.c | 17 |
2 files changed, 6 insertions, 29 deletions
diff --git a/README.mbedtls b/README.mbedtls index 7d514c0..124eaa2 100644 --- a/README.mbedtls +++ b/README.mbedtls @@ -42,19 +42,5 @@ Plugin/Script features: ************************************************************************* -Mbed TLS 3 supports the TLS 1.3 protocol, but the implementation is not yet -complete. Therefore, using TLS 1.3 in the mbed TLS build of OpenVPN is not yet -supported. - -Nevertheless, here are some pointers to make it work with mbed TLS 3.5.0: - - * The stock configuration of mbed TLS does not support TLS 1.3. To enable it, - uncomment `#define MBEDTLS_SSL_PROTO_TLS1_3` in your mbedtls_config.h before - compiling the library. - * An OpenVPN client with mbed TLS cannot connect to a server with OpenSSL - using TLS 1.3. - * An OpenVPN client with OpenSSL *can* connect to a server using mbed TLS with - TLS 1.3, but *only* if `#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE` has - been uncommented in mbedtls_config.h. - -Note that none of these limitations apply to TLS 1.2. +Mbed TLS 3 has implemented (parts of) the TLS 1.3 protocol, but we have disabled +support in OpenVPN because the TLS-Exporter function is not yet implemented. diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 4ece37e..6a3cd44 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -980,17 +980,15 @@ tls_ctx_personalise_random(struct tls_root_ctx *ctx) int tls_version_max(void) { -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - return TLS_VER_1_3; -#elif defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) return TLS_VER_1_2; #elif defined(MBEDTLS_SSL_PROTO_TLS1_1) return TLS_VER_1_1; #elif defined(MBEDTLS_SSL_PROTO_TLS1) return TLS_VER_1_0; -#else /* if defined(MBEDTLS_SSL_PROTO_TLS1_3) */ - #error "mbedtls is compiled without support for any version of TLS." -#endif +#else /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */ + #error "mbedtls is compiled without support for TLS 1.0, 1.1 and 1.2." +#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */ } /** @@ -1032,13 +1030,6 @@ tls_version_to_major_minor(int tls_ver, int *major, int *minor) break; #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - case TLS_VER_1_3: - *major = MBEDTLS_SSL_MAJOR_VERSION_3; - *minor = MBEDTLS_SSL_MINOR_VERSION_4; - break; -#endif - default: msg(M_FATAL, "%s: invalid or unsupported TLS version %d", __func__, tls_ver); break; |