openvpn/README.wolfssl
Arne Schwabe 603fe533a4 Add a section about wolfSSL GPLv3 and point out missing TLS PRF support
Change-Id: I4f9a6baf2bdb45e5b79bf13c9f6fce3b7a2e982c
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1416
Message-Id: <20251204124221.15206-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34840.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2025-12-04 14:59:08 +01:00


Support for wolfSSL is implemented and maintained by wolfSSL Inc. The support is
implemented using wolfSSL's compatibility layer. The wolfSSL support in OpenVPN
receives very limited testing/support from the OpenVPN community itself.
If you encounter bugs in OpenVPN when using wolfSSL, also compile OpenVPN
with OpenSSL to determine whether they are bugs in the wolfSSL TLS
implementation or in OpenVPN itself. If a bug only occurs when compiling
with wolfSSL, please contact support@wolfssl.com directly.
To build and install:
./configure --with-crypto-library=wolfssl
make
make install
The wolfSSL library will include the installed options.h file by default.
To include a custom user_settings.h file for wolfSSL instead:
./configure --with-crypto-library=wolfssl --disable-wolfssl-options-h
make
make install
*************************************************************************
Due to limitations in the wolfSSL TLS library or its compatibility layer, the
following features are missing:
* blowfish support (BF-CBC); you must use something like
cipher AES-128-CBC to avoid trying to use BF-CBC
* Windows CryptoAPI support
* TLS 1.0 PRF support (no compatibility with OpenVPN 2.5 or older, or with
other builds that do not support TLS EKM)
*************************************************************************
Newer wolfSSL versions (5.8.2 and newer) are GPLv3 licensed, and this license is not
compatible with OpenVPN's GPLv2 license.
However, wolfSSL Inc has granted an exception to combine the wolfSSL library
with OpenVPN and OpenVPN-NL (https://github.com/wolfSSL/wolfssl/blob/master/LICENSING)
for version 5.8.4 and later.
*************************************************************************
To build WolfSSL with post-quantum KEMs built in, the following command is used:
./configure --enable-openvpn --enable-kyber=all --enable-curve25519
WolfSSL supports the following post-quantum KEMs and post-quantum hybrid KEMs which must be specified
using the tls-groups option in an OpenVPN config. Unlike OpenSSL, which includes X25519MLKEM768
in the default config, WolfSSL requires explicit configuration of tls-groups to include
at least one post-quantum KEM.
ML_KEM_512
ML_KEM_768
ML_KEM_1024
P256_ML_KEM_512
X25519_ML_KEM_512
P384_ML_KEM_768
P256_ML_KEM_768
X448_ML_KEM_768
X25519_ML_KEM_768
P384_ML_KEM_1024
P521_ML_KEM_1024
The naming conventions of algorithms differ between WolfSSL and OpenSSL. For example,
OpenSSL omits the underscores in its names whereas WolfSSL expects them. Additionally,
OpenSSL does not accept the P curve notation and instead uses the equivalent secp notation.
A specific example is that WolfSSL expects P384_ML_KEM_1024, while OpenSSL expects secp384r1MLKEM1024.
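The naming rules above turned into a small script, as an added example that is not part of OpenVPN or of wolfSSL's port: it converts tls-groups names between the two notations (P curves become secpNNNr1 and underscores are dropped for OpenSSL; the inverse for wolfSSL), pulls the tls-groups directive out of an OpenVPN config, and checks that at least one of the post-quantum KEMs listed above is present, since wolfSSL does not add one by default. The colon-separated list format is the one OpenVPN's tls-groups option takes; the sample config and all function names are constructed for this example, and the KEM list is the one given above.

```shell
#!/bin/sh
# Added example, not part of the OpenVPN project or the wolfSSL port:
# translate tls-groups names between wolfSSL and OpenSSL notation and
# check that a tls-groups list enables at least one post-quantum KEM.

# Post-quantum (hybrid) KEMs listed in README.wolfssl, wolfSSL notation.
PQ_GROUPS="ML_KEM_512 ML_KEM_768 ML_KEM_1024 \
P256_ML_KEM_512 X25519_ML_KEM_512 P384_ML_KEM_768 P256_ML_KEM_768 \
X448_ML_KEM_768 X25519_ML_KEM_768 P384_ML_KEM_1024 P521_ML_KEM_1024"

# wolfssl_to_openssl NAME
# P384_ML_KEM_1024 -> secp384r1MLKEM1024: a leading P curve becomes
# secpNNNr1, then every underscore is dropped. Names without an
# underscore (X25519, secp256r1) pass through unchanged.
wolfssl_to_openssl() {
    printf '%s\n' "$1" | sed \
        -e 's/^P256_/secp256r1_/' \
        -e 's/^P384_/secp384r1_/' \
        -e 's/^P521_/secp521r1_/' \
        -e 's/_//g'
}

# openssl_to_wolfssl NAME
# secp384r1MLKEM1024 -> P384_ML_KEM_1024: the inverse mapping. The secp
# rule only fires for hybrid KEM names, so a plain secp256r1 is kept.
openssl_to_wolfssl() {
    printf '%s\n' "$1" | sed \
        -e 's/^secp\([0-9][0-9]*\)r1MLKEM/P\1MLKEM/' \
        -e 's/MLKEM/_ML_KEM_/' \
        -e 's/^_//'
}

# translate_tls_groups DIRECTION LIST
# Rewrites a colon-separated tls-groups value; DIRECTION is
# "to-openssl" or "to-wolfssl".
translate_tls_groups() {
    dir=$1
    out=""
    for g in $(printf '%s\n' "$2" | tr ':' ' '); do
        case $dir in
            to-openssl) t=$(wolfssl_to_openssl "$g") ;;
            to-wolfssl) t=$(openssl_to_wolfssl "$g") ;;
            *) echo "unknown direction: $dir" >&2; return 2 ;;
        esac
        out="${out:+$out:}$t"
    done
    printf '%s\n' "$out"
}

# is_pq_group NAME: succeeds if NAME is one of the KEMs in PQ_GROUPS.
is_pq_group() {
    for k in $PQ_GROUPS; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# check_tls_groups LIST: succeeds and prints the first supported
# post-quantum KEM (wolfSSL notation) found in the colon-separated list;
# fails if the list would leave a wolfSSL build without any PQ KEM.
check_tls_groups() {
    for g in $(printf '%s\n' "$1" | tr ':' ' '); do
        if is_pq_group "$g"; then
            printf '%s\n' "$g"
            return 0
        fi
    done
    return 1
}

# tls_groups_from_config < FILE: prints the value of the first
# tls-groups directive in an OpenVPN config read on stdin (empty if none).
tls_groups_from_config() {
    awk '$1 == "tls-groups" { print $2; exit }'
}

# Constructed sample config (not taken from the README) for a stand-alone run.
SAMPLE_CONFIG='client
dev tun
cipher AES-128-CBC
tls-groups X25519_ML_KEM_768:X25519'

groups=$(printf '%s\n' "$SAMPLE_CONFIG" | tls_groups_from_config)
if pq=$(check_tls_groups "$groups"); then
    echo "tls-groups '$groups' enables post-quantum KEM $pq"
    echo "same list for an OpenSSL build: $(translate_tls_groups to-openssl "$groups")"
else
    echo "tls-groups '$groups' enables no post-quantum KEM under wolfSSL" >&2
fi
```

Run it as-is to see the sample config checked, or source the file and call translate_tls_groups on a list copied from a real config before switching a client or server between an OpenSSL and a wolfSSL build.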