Change-Id: Ia61c467d85d690752011bafcf112e39d5b252aa7
Signed-off-by: Max Fillinger <max@max-fillinger.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231025121928.1031109-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27295.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| ... | ... |
@@ -1,13 +1,13 @@ |
| 1 |
-This version of OpenVPN has mbed TLS support. To enable follow the following |
|
| 2 |
-instructions: |
|
| 1 |
+This version of OpenVPN has mbed TLS support. To enable, follow the |
|
| 2 |
+instructions below: |
|
| 3 | 3 |
|
| 4 |
-To Build and Install, |
|
| 4 |
+To build and install, |
|
| 5 | 5 |
|
| 6 | 6 |
./configure --with-crypto-library=mbedtls |
| 7 | 7 |
make |
| 8 | 8 |
make install |
| 9 | 9 |
|
| 10 |
-This version depends on mbed TLS 2.0 (and requires at least 2.0.0). |
|
| 10 |
+This version requires mbed TLS version >= 2.0.0 or >= 3.2.1. |
|
| 11 | 11 |
|
| 12 | 12 |
************************************************************************* |
| 13 | 13 |
|
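Review bot: the new requirement line in this hunk, "requires mbed TLS version >= 2.0.0 or >= 3.2.1", is ambiguous as written: read literally, ">= 2.0.0" already covers every 3.x release, so the second clause adds nothing, while the intended meaning is presumably a 2.x series release of at least 2.0.0 or a 3.x series release of at least 3.2.1 (with 3.0.0 to 3.2.0 excluded). Suggest spelling the two ranges out, e.g. "This version requires mbed TLS 2.x (at least 2.0.0) or mbed TLS 3.x (at least 3.2.1).", and, if the build system enforces the lower bound for 3.x, saying so, so that a user on an unsupported 3.0/3.1 release gets a configure-time error rather than a confusing build failure.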
| ... | ... |
@@ -16,7 +16,8 @@ Warning: |
| 16 | 16 |
As of mbed TLS 2.17, it can be licensed *only* under the Apache v2.0 license. |
| 17 | 17 |
That license is incompatible with OpenVPN's GPLv2. |
| 18 | 18 |
|
| 19 |
-If you wish to distribute OpenVPN linked with mbed TLS, there are two options: |
|
| 19 |
+We are currently in the process of resolving this problem, but for now, if you |
|
| 20 |
+wish to distribute OpenVPN linked with mbed TLS, there are two options: |
|
| 20 | 21 |
|
| 21 | 22 |
* Ensure that your case falls under the system library exception in GPLv2, or |
| 22 | 23 |
|
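Review bot: the added sentence "We are currently in the process of resolving this problem" will go stale quickly and gives the reader nothing actionable; the surrounding lines still state that the Apache v2.0 license "is incompatible with OpenVPN's GPLv2", so a packager deciding whether to ship an mbed TLS build needs to know what the resolution is expected to be and where to follow it. Suggest either pointing at the tracking issue or mailing-list thread where this is being worked on, or rewording to something that does not need updating, e.g. "The OpenVPN project is working on resolving this license conflict; until it is resolved, if you wish to distribute OpenVPN linked with mbed TLS, there are two options:".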
| ... | ... |
@@ -24,9 +25,6 @@ If you wish to distribute OpenVPN linked with mbed TLS, there are two options: |
| 24 | 24 |
that may be licensed under GPLv2. Unfortunately, this version is |
| 25 | 25 |
unsupported and won't receive any more updates. |
| 26 | 26 |
|
| 27 |
-If nothing changes about the license situation, mbed TLS support may be |
|
| 28 |
-deprecated in a future release of OpenVPN. |
|
| 29 |
- |
|
| 30 | 27 |
************************************************************************* |
| 31 | 28 |
|
| 32 | 29 |
Due to limitations in the mbed TLS library, the following features are missing |
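Review bot: dropping the sentence "If nothing changes about the license situation, mbed TLS support may be deprecated in a future release of OpenVPN." removes the only forward-looking statement about the mbed TLS backend, and nothing in this hunk replaces it; the justification for the removal is only implicit in the "in the process of resolving" wording added in the previous hunk. If deprecation is genuinely off the table, say so explicitly so downstream packagers and users who planned around the earlier warning know the status has changed; if it is merely postponed pending the license resolution, keep a softened version of the warning rather than deleting it.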
| ... | ... |
@@ -42,3 +40,22 @@ Plugin/Script features: |
| 42 | 42 |
* X.509 subject line has a different format than the OpenSSL subject line |
| 43 | 43 |
* X.509 certificate export does not work |
| 44 | 44 |
* X.509 certificate tracking |
| 45 |
+ |
|
| 46 |
+************************************************************************* |
|
| 47 |
+ |
|
| 48 |
+Mbed TLS 3 supports the TLS 1.3 protocol, but the implementation is not yet |
|
| 49 |
+complete. Therefore, using TLS 1.3 in the mbed TLS build of OpenVPN is not yet |
|
| 50 |
+supported. |
|
| 51 |
+ |
|
| 52 |
+Nevertheless, here are some pointers to make it work with mbed TLS 3.5.0: |
|
| 53 |
+ |
|
| 54 |
+ * The stock configuration of mbed TLS does not support TLS 1.3. To enable it, |
|
| 55 |
+ uncomment `#define MBEDTLS_SSL_PROTO_TLS1_3` in your mbedtls_config.h before |
|
| 56 |
+ compiling the library. |
|
| 57 |
+ * An OpenVPN client with mbed TLS cannot connect to a server with OpenSSL |
|
| 58 |
+ using TLS 1.3. |
|
| 59 |
+ * An OpenVPN client with OpenSSL *can* connect to a server using mbed TLS with |
|
| 60 |
+ TLS 1.3, but *only* if `#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE` has |
|
| 61 |
+ been uncommented in mbedtls_config.h. |
|
| 62 |
+ |
|
| 63 |
+Note that none of these limitations apply to TLS 1.2. |
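Review bot: this section both states that TLS 1.3 in the mbed TLS build is "not yet supported" and then explains how to enable it, but never says what the default behaviour is once `MBEDTLS_SSL_PROTO_TLS1_3` is compiled into the library: whether OpenVPN then negotiates TLS 1.3 automatically, or stays on TLS 1.2 unless the user asks for 1.3. That is the piece a reader needs to decide whether simply linking against a TLS 1.3-enabled mbed TLS exposes them to the unsupported, partially implemented code path, so suggest adding one sentence stating the default and how to keep a deployment on TLS 1.2. Two smaller points: the added line 48 says "Mbed TLS 3" while the rest of the file (including the new line 52, "mbed TLS 3.5.0") uses "mbed TLS", so pick one spelling; and for the two interoperability bullets it would help to say what the failure looks like in practice (a handshake failure rather than a silent downgrade), so users can recognise the unsupported combination from their logs.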