author | Arne Schwabe | 2024-01-04 15:02:14 +0100 |
---|---|---|
committer | Gert Doering | 2024-01-04 15:26:48 +0100 |
commit | fa7960961415fa4f368e9bbb39dc4047680ff30c (patch) | |
tree | 726b992b3518d97d8def77d23d02ebab50b8b005 /doc | |
parent | 76d11614797617708c31dc3db22e3568fee3de6d (diff) | |
download | openvpn-fa7960961415fa4f368e9bbb39dc4047680ff30c.zip openvpn-fa7960961415fa4f368e9bbb39dc4047680ff30c.tar.gz |
Check PRF availability on initialisation and add --force-tls-key-material-export
We now warn a user if the TLS 1.0 PRF is not supported by the cryptographic
library of the system. Also add the option --force-tls-key-material-export
that automatically rejects clients that do not support TLS Keying Material
Export and automatically enable it when TLS 1.0 PRF support is not available.
Change-Id: I04f8c7c413e7cb62c726262feee6ca89c7e86c70
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240104140214.32196-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27924.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man-sections/protocol-options.rst | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst index 948c0c8..8b061d2 100644 --- a/doc/man-sections/protocol-options.rst +++ b/doc/man-sections/protocol-options.rst @@ -242,3 +242,11 @@ configured in a compatible way between both the local and remote side. a key renegotiation begins (default :code:`3600` seconds). This feature allows for a graceful transition from old to new key, and removes the key renegotiation sequence from the critical path of tunnel data forwarding. + +--force-tls-key-material-export + This option is only available in --mode server and forces to use + Keying Material Exporters (RFC 5705) for clients. This can be used to + simulate an environment where the cryptographic library does not support + the older method to generate data channel keys anymore. This option is + intended to be a test option and might be removed in a future OpenVPN + version without notice. |
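Review bot: The new man page entry for --force-tls-key-material-export omits the two behaviours the commit message attributes to the option: that clients which do not support TLS Keying Material Export are rejected, and that the option is enabled automatically when the cryptographic library lacks TLS 1.0 PRF support. As written, an administrator reading only the man page would not learn that enabling it (or running on a library without the TLS 1.0 PRF) makes older clients fail to connect, and would take the "test option" sentence as the whole story. Suggest adding, after the first sentence, something like "Clients that do not support Keying Material Export are rejected. This option is enabled automatically when the cryptographic library does not support the TLS 1.0 PRF." Also fix the grammar of "forces to use Keying Material Exporters (RFC 5705) for clients" to "forces the use of Keying Material Exporters (RFC 5705) for all clients".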