diff options
| author | Max Fillinger | 2023-10-25 14:19:28 +0200 |
|---|---|---|
| committer | Gert Doering | 2023-10-31 14:05:08 +0100 |
| commit | f53f06316dbb804128fc5cbee1d8edb274ce81df (patch) | |
| tree | 7a3bdcbb25f9453873b471ab1b19f40e042291a0 /README.mbedtls | |
| parent | 5af57e348ed3a5f451aca1bba5ba57b3a34e5d11 (diff) | |
| download | openvpn-f53f06316dbb804128fc5cbee1d8edb274ce81df.zip openvpn-f53f06316dbb804128fc5cbee1d8edb274ce81df.tar.gz | |
Update README.mbedtls
Change-Id: Ia61c467d85d690752011bafcf112e39d5b252aa7
Signed-off-by: Max Fillinger <max@max-fillinger.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231025121928.1031109-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27295.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'README.mbedtls')
| -rw-r--r-- | README.mbedtls | 33 |
1 files changed, 25 insertions, 8 deletions
diff --git a/README.mbedtls b/README.mbedtls index d3466fa..9b75c2b 100644 --- a/README.mbedtls +++ b/README.mbedtls @@ -1,13 +1,13 @@ -This version of OpenVPN has mbed TLS support. To enable follow the following -instructions: +This version of OpenVPN has mbed TLS support. To enable, follow the +instructions below: -To Build and Install, +To build and install, ./configure --with-crypto-library=mbedtls make make install -This version depends on mbed TLS 2.0 (and requires at least 2.0.0). +This version requires mbed TLS version >= 2.0.0 or >= 3.2.1. ************************************************************************* @@ -16,7 +16,8 @@ Warning: As of mbed TLS 2.17, it can be licensed *only* under the Apache v2.0 license. That license is incompatible with OpenVPN's GPLv2. -If you wish to distribute OpenVPN linked with mbed TLS, there are two options: +We are currently in the process of resolving this problem, but for now, if you +wish to distribute OpenVPN linked with mbed TLS, there are two options: * Ensure that your case falls under the system library exception in GPLv2, or @@ -24,9 +25,6 @@ If you wish to distribute OpenVPN linked with mbed TLS, there are two options: that may be licensed under GPLv2. Unfortunately, this version is unsupported and won't receive any more updates. -If nothing changes about the license situation, mbed TLS support may be -deprecated in a future release of OpenVPN. - ************************************************************************* Due to limitations in the mbed TLS library, the following features are missing @@ -42,3 +40,22 @@ Plugin/Script features: * X.509 subject line has a different format than the OpenSSL subject line * X.509 certificate export does not work * X.509 certificate tracking + +************************************************************************* + +Mbed TLS 3 supports the TLS 1.3 protocol, but the implementation is not yet +complete. Therefore, using TLS 1.3 in the mbed TLS build of OpenVPN is not yet +supported. + +Nevertheless, here are some pointers to make it work with mbed TLS 3.5.0: + + * The stock configuration of mbed TLS does not support TLS 1.3. To enable it, + uncomment `#define MBEDTLS_SSL_PROTO_TLS1_3` in your mbedtls_config.h before + compiling the library. + * An OpenVPN client with mbed TLS cannot connect to a server with OpenSSL + using TLS 1.3. + * An OpenVPN client with OpenSSL *can* connect to a server using mbed TLS with + TLS 1.3, but *only* if `#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE` has + been uncommented in mbedtls_config.h. + +Note that none of these limitations apply to TLS 1.2. |