mirror of
https://github.com/OpenVPN/openvpn.git
synced 2026-02-03 20:39:40 -05:00
We need mbedtls_ssl_export_keying_material() to support TLS 1.3. The workaround we use for TLS 1.2 does not work for TLS 1.3.

Change-Id: If5e832866b312a2f8a1ce6b4e00d40e3dcf63681
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250603140631.11696-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31858.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
34 lines
1.1 KiB
Text
This version of OpenVPN has mbed TLS support. To enable, follow the
instructions below:

To build and install,

    ./configure --with-crypto-library=mbedtls
    make
    make install

This version requires mbed TLS version >= 2.0.0 or >= 3.2.1.

*************************************************************************

Due to limitations in the mbed TLS library, the following features are missing
in the mbed TLS version of OpenVPN:

 * PKCS#12 file support
 * --capath support - Loading certificate authorities from a directory
 * Windows CryptoAPI support
 * X.509 alternative username fields (must be "CN")

Plugin/Script features:

 * X.509 subject line has a different format than the OpenSSL subject line
 * X.509 certificate tracking

*************************************************************************

Mbed TLS 3 has implemented TLS 1.3, but support in OpenVPN requires the
function mbedtls_ssl_export_keying_material() which is currently not in
any released version. It is available when building mbed TLS from source
(mbedtls-3.6 or development branch).

Without this function, only TLS 1.2 is available.
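
Added example (not part of the OpenVPN README or the project's build system): a pre-build shell check that reads an mbed TLS include directory and reports whether it meets the version requirement above and whether the TLS 1.3 exporter is declared. The function names and the header locations (MBEDTLS_VERSION_STRING in mbedtls/build_info.h or mbedtls/version.h, the prototype in mbedtls/ssl.h) are assumptions.

```shell
#!/bin/sh
# Added example, not OpenVPN code. Function names are hypothetical.
# Assumed header locations: MBEDTLS_VERSION_STRING in mbedtls/build_info.h
# (3.x) or mbedtls/version.h (2.x); exporter prototype in mbedtls/ssl.h.

mbedtls_version() {    # $1 = include dir; prints x.y.z
    for h in "$1/mbedtls/build_info.h" "$1/mbedtls/version.h"; do
        if [ -f "$h" ]; then
            v=$(sed -n 's/.*MBEDTLS_VERSION_STRING[[:space:]]*"\([0-9.]*\)".*/\1/p' "$h" | head -n 1)
            if [ -n "$v" ]; then echo "$v"; return 0; fi
        fi
    done
    return 1
}

# The README's stated requirement: ">= 2.0.0 or >= 3.2.1".
# Read here as: any 2.x, or 3.2.1 and later; 3.0.0 to 3.2.0 are rejected.
# Majors above 3 pass only by the literal reading of ">= 3.2.1".
version_supported() {    # $1 = x.y.z
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    case ${1:-0} in
        0|1) return 1 ;;
        2)   return 0 ;;
        3)   [ $(( ${2:-0} * 1000 + ${3:-0} )) -ge 2001 ] ;;
        *)   return 0 ;;
    esac
}

has_exporter() {    # $1 = include dir
    grep -q 'mbedtls_ssl_export_keying_material[[:space:]]*(' "$1/mbedtls/ssl.h" 2>/dev/null
}

# Prints one of: unsupported | tls12-only | tls13-possible
check_mbedtls() {    # $1 = include dir
    ver=$(mbedtls_version "$1") || { echo unsupported; return 1; }
    version_supported "$ver" || { echo unsupported; return 1; }
    # A prototype in the header is necessary, not sufficient: the library
    # itself must also have been built with the function enabled.
    if has_exporter "$1"; then echo tls13-possible; else echo tls12-only; fi
}

if [ "$#" -gt 0 ]; then check_mbedtls "$1"; fi
```

Run it with the include directory of the mbed TLS build you intend to link against; "tls12-only" matches the README's statement that without the function only TLS 1.2 is available.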