There were references in our documentation to the now deprecated PolarSSL
library, which have changed name upstream to mbed TLS.
In addition, where appropriate, the documentation now considers only
mbed TLS 2.0 and newer. This is in accordance with the requirements
./configure sets.
[DS: On-the-fly change - Updated Makefile.am to use README.mbedtls
instead of README.polarssl. This ensures make dist and buildbots
won't explode]
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170822114715.14225-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15309.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
... | ... |
@@ -75,8 +75,8 @@ REQUIRES: |
75 | 75 |
OPTIONAL (but recommended): |
76 | 76 |
(1) OpenSSL library, necessary for encryption, version 0.9.8 or higher |
77 | 77 |
required, available from http://www.openssl.org/ |
78 |
- (2) PolarSSL library, an alternative for encryption, version 1.1 or higher |
|
79 |
- required, available from https://polarssl.org/ |
|
78 |
+ (2) mbed TLS library, an alternative for encryption, version 2.0 or higher |
|
79 |
+ required, available from https://tls.mbed.org/ |
|
80 | 80 |
(3) LZO real-time compression library, required for link compression, |
81 | 81 |
available from http://www.oberhumer.com/opensource/lzo/ |
82 | 82 |
OpenBSD users can use ports or packages to install lzo, but remember |
... | ... |
@@ -58,7 +58,7 @@ SUBDIRS = build distro include src sample doc vendor tests |
58 | 58 |
dist_doc_DATA = \ |
59 | 59 |
README \ |
60 | 60 |
README.IPv6 \ |
61 |
- README.polarssl \ |
|
61 |
+ README.mbedtls \ |
|
62 | 62 |
Changes.rst \ |
63 | 63 |
COPYRIGHT.GPL \ |
64 | 64 |
COPYING |
... | ... |
@@ -68,7 +68,7 @@ dist_noinst_DATA = \ |
68 | 68 |
.gitattributes \ |
69 | 69 |
PORTS \ |
70 | 70 |
README.IPv6 TODO.IPv6 \ |
71 |
- README.polarssl \ |
|
71 |
+ README.mbedtls \ |
|
72 | 72 |
openvpn.sln \ |
73 | 73 |
msvc-env.bat \ |
74 | 74 |
msvc-dev.bat \ |
75 | 75 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,26 @@ |
0 |
+This version of OpenVPN has mbed TLS support. To enable follow the following |
|
1 |
+instructions: |
|
2 |
+ |
|
3 |
+To Build and Install, |
|
4 |
+ |
|
5 |
+ ./configure --with-crypto-library=mbedtls |
|
6 |
+ make |
|
7 |
+ make install |
|
8 |
+ |
|
9 |
+This version depends on mbed TLS 2.0 (and requires at least 2.0.0). |
|
10 |
+ |
|
11 |
+************************************************************************* |
|
12 |
+ |
|
13 |
+Due to limitations in the mbed TLS library, the following features are missing |
|
14 |
+in the mbed TLS version of OpenVPN: |
|
15 |
+ |
|
16 |
+ * PKCS#12 file support |
|
17 |
+ * --capath support - Loading certificate authorities from a directory |
|
18 |
+ * Windows CryptoAPI support |
|
19 |
+ * X.509 alternative username fields (must be "CN") |
|
20 |
+ |
|
21 |
+Plugin/Script features: |
|
22 |
+ |
|
23 |
+ * X.509 subject line has a different format than the OpenSSL subject line |
|
24 |
+ * X.509 certificate export does not work |
|
25 |
+ * X.509 certificate tracking |
0 | 26 |
deleted file mode 100644 |
... | ... |
@@ -1,26 +0,0 @@ |
1 |
-This version of OpenVPN has PolarSSL support. To enable follow the following |
|
2 |
-instructions: |
|
3 |
- |
|
4 |
-To Build and Install, |
|
5 |
- |
|
6 |
- ./configure --with-crypto-library=polarssl |
|
7 |
- make |
|
8 |
- make install |
|
9 |
- |
|
10 |
-This version depends on PolarSSL 1.3 (and requires at least 1.3.3). |
|
11 |
- |
|
12 |
-************************************************************************* |
|
13 |
- |
|
14 |
-Due to limitations in the PolarSSL library, the following features are missing |
|
15 |
-in the PolarSSL version of OpenVPN: |
|
16 |
- |
|
17 |
- * PKCS#12 file support |
|
18 |
- * --capath support - Loading certificate authorities from a directory |
|
19 |
- * Windows CryptoAPI support |
|
20 |
- * X.509 alternative username fields (must be "CN") |
|
21 |
- |
|
22 |
-Plugin/Script features: |
|
23 |
- |
|
24 |
- * X.509 subject line has a different format than the OpenSSL subject line |
|
25 |
- * X.509 certificate export does not work |
|
26 |
- * X.509 certificate tracking |
... | ... |
@@ -78,7 +78,7 @@ |
78 | 78 |
* |
79 | 79 |
* @subsection key_generation_random Source of random material |
80 | 80 |
* |
81 |
- * OpenVPN uses the either the OpenSSL library or the PolarSSL library as its |
|
81 |
+ * OpenVPN uses the either the OpenSSL library or the mbed TLS library as its |
|
82 | 82 |
* source of random material. |
83 | 83 |
* |
84 | 84 |
* In OpenSSL, the \c RAND_bytes() function is called |
... | ... |
@@ -91,8 +91,8 @@ |
91 | 91 |
* - For OpenSSL's support for external crypto modules: |
92 | 92 |
* http://www.openssl.org/docs/crypto/engine.html |
93 | 93 |
* |
94 |
- * In PolarSSL, the Havege random number generator is used. For details, see |
|
95 |
- * the PolarSSL documentation. |
|
94 |
+ * In mbed TLS, the Havege random number generator is used. For details, see |
|
95 |
+ * the mbed TLS documentation. |
|
96 | 96 |
* |
97 | 97 |
* @section key_generation_exchange Key exchange: |
98 | 98 |
* |
... | ... |
@@ -4472,7 +4472,7 @@ datagram replay protection as the IV. |
4472 | 4472 |
.\"********************************************************* |
4473 | 4473 |
.TP |
4474 | 4474 |
.B \-\-use\-prediction\-resistance |
4475 |
-Enable prediction resistance on PolarSSL's RNG. |
|
4475 |
+Enable prediction resistance on mbed TLS's RNG. |
|
4476 | 4476 |
|
4477 | 4477 |
Enabling prediction resistance causes the RNG to reseed in each |
4478 | 4478 |
call for random. Reseeding this often can quickly deplete the kernel |
... | ... |
@@ -4481,8 +4481,6 @@ entropy pool. |
4481 | 4481 |
If you need this option, please consider running a daemon that adds |
4482 | 4482 |
entropy to the kernel pool. |
4483 | 4483 |
|
4484 |
-Note that this option only works with PolarSSL versions greater |
|
4485 |
-than 1.1. |
|
4486 | 4484 |
.\"********************************************************* |
4487 | 4485 |
.TP |
4488 | 4486 |
.B \-\-test\-crypto |
... | ... |
@@ -4583,7 +4581,7 @@ they are distributed with OpenVPN, they are totally insecure. |
4583 | 4583 |
.TP |
4584 | 4584 |
.B \-\-capath dir |
4585 | 4585 |
Directory containing trusted certificates (CAs and CRLs). |
4586 |
-Not available with PolarSSL. |
|
4586 |
+Not available with mbed TLS. |
|
4587 | 4587 |
|
4588 | 4588 |
When using the |
4589 | 4589 |
.B \-\-capath |
... | ... |
@@ -4612,7 +4610,7 @@ Set |
4612 | 4612 |
.B file=none |
4613 | 4613 |
to disable Diffie Hellman key exchange (and use ECDH only). Note that this |
4614 | 4614 |
requires peers to be using an SSL library that supports ECDH TLS cipher suites |
4615 |
-(e.g. OpenSSL 1.0.1+, or PolarSSL 1.3+). |
|
4615 |
+(e.g. OpenSSL 1.0.1+, or mbed TLS 2.0+). |
|
4616 | 4616 |
|
4617 | 4617 |
Use |
4618 | 4618 |
.B openssl dhparam \-out dh2048.pem 2048 |
... | ... |
@@ -4717,7 +4715,7 @@ This option can be used instead of |
4717 | 4717 |
.B \-\-ca, \-\-cert, |
4718 | 4718 |
and |
4719 | 4719 |
.B \-\-key. |
4720 |
-Not available with PolarSSL. |
|
4720 |
+Not available with mbed TLS. |
|
4721 | 4721 |
.\"********************************************************* |
4722 | 4722 |
.TP |
4723 | 4723 |
.B \-\-verify\-hash hash [algo] |
... | ... |
@@ -4900,7 +4898,7 @@ channel, over which the keys that are used to protect the actual VPN traffic |
4900 | 4900 |
are exchanged. |
4901 | 4901 |
|
4902 | 4902 |
The supplied list of ciphers is (after potential OpenSSL/IANA name translation) |
4903 |
-simply supplied to the crypto library. Please see the OpenSSL and/or PolarSSL |
|
4903 |
+simply supplied to the crypto library. Please see the OpenSSL and/or mbed TLS |
|
4904 | 4904 |
documentation for details on the cipher list interpretation. |
4905 | 4905 |
|
4906 | 4906 |
Use |
... | ... |
@@ -4913,8 +4911,8 @@ is an expert feature, which \- if used correcly \- can improve the security of |
4913 | 4913 |
your VPN connection. But it is also easy to unwittingly use it to carefully |
4914 | 4914 |
align a gun with your foot, or just break your connection. Use with care! |
4915 | 4915 |
|
4916 |
-The default for \-\-tls\-cipher is to use PolarSSL's default cipher list |
|
4917 |
-when using PolarSSL or |
|
4916 |
+The default for \-\-tls\-cipher is to use mbed TLS's default cipher list |
|
4917 |
+when using mbed TLS or |
|
4918 | 4918 |
"DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA" when using |
4919 | 4919 |
OpenSSL. |
4920 | 4920 |
.\"********************************************************* |