Attention is currently required from: MaxF, plaisthos.
Hello flichtenheld, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/403?usp=email
to look at the new patch set (#5).
The change is no longer submittable: checks~ChecksSubmitRule is unsatisfied now.
Change subject: Disable TLS 1.3 support with mbed TLS
......................................................................
Disable TLS 1.3 support with mbed TLS
As of version 3.5.0 the TLS-Exporter function is not yet implemented in
mbed TLS, and the exporter_master_secret is not exposed to the
application either. Falling back to an older PRF when claiming to use
TLS1.3 seems like false advertising.
Change-Id: If4e1c4af9831eb1090ccb3a3c4d3e76b413f0708
Signed-off-by: Max Fillinger <[email protected]>
---
M README.mbedtls
M src/openvpn/ssl_mbedtls.c
2 files changed, 6 insertions(+), 29 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/03/403/5
diff --git a/README.mbedtls b/README.mbedtls
index 9b75c2b..ed9d369 100644
--- a/README.mbedtls
+++ b/README.mbedtls
@@ -43,19 +43,5 @@
*************************************************************************
-Mbed TLS 3 supports the TLS 1.3 protocol, but the implementation is not yet
-complete. Therefore, using TLS 1.3 in the mbed TLS build of OpenVPN is not yet
-supported.
-
-Nevertheless, here are some pointers to make it work with mbed TLS 3.5.0:
-
- * The stock configuration of mbed TLS does not support TLS 1.3. To enable it,
- uncomment `#define MBEDTLS_SSL_PROTO_TLS1_3` in your mbedtls_config.h before
- compiling the library.
- * An OpenVPN client with mbed TLS cannot connect to a server with OpenSSL
- using TLS 1.3.
- * An OpenVPN client with OpenSSL *can* connect to a server using mbed TLS with
- TLS 1.3, but *only* if `#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE` has
- been uncommented in mbedtls_config.h.
-
-Note that none of these limitations apply to TLS 1.2.
+Mbed TLS 3 has implemented (parts of) the TLS 1.3 protocol, but we have
disabled
+support in OpenVPN because the TLS-Exporter function is not yet implemented.
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 5168484..9c9167d 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -1037,17 +1037,15 @@
int
tls_version_max(void)
{
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- return TLS_VER_1_3;
-#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
return TLS_VER_1_2;
#elif defined(MBEDTLS_SSL_PROTO_TLS1_1)
return TLS_VER_1_1;
#elif defined(MBEDTLS_SSL_PROTO_TLS1)
return TLS_VER_1_0;
-#else /* if defined(MBEDTLS_SSL_PROTO_TLS1_3) */
- #error "mbedtls is compiled without support for any version of TLS."
-#endif
+#else /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */
+ #error "mbedtls is compiled without support for TLS 1.0, 1.1 and 1.2."
+#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */
}
/**
@@ -1089,13 +1087,6 @@
break;
#endif
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- case TLS_VER_1_3:
- *major = MBEDTLS_SSL_MAJOR_VERSION_3;
- *minor = MBEDTLS_SSL_MINOR_VERSION_4;
- break;
-#endif
-
default:
msg(M_FATAL, "%s: invalid or unsupported TLS version %d",
__func__, tls_ver);
break;
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/403?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If4e1c4af9831eb1090ccb3a3c4d3e76b413f0708
Gerrit-Change-Number: 403
Gerrit-PatchSet: 5
Gerrit-Owner: MaxF <[email protected]>
Gerrit-Reviewer: flichtenheld <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>
Gerrit-Attention: MaxF <[email protected]>
Gerrit-MessageType: newpatchset
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
