upstream/openvpn
1
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2026-02-03 20:39:40 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
openvpn/README.wolfssl
rein.vanbaaren 1b133cce83 Added PQE to WolfSSL 
Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35
Signed-off-by: comododragon <rein.vanbaaren@fox-it.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250707133447.12404-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32043.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2025-07-07 16:06:04 +02:00

60 lines
2.2 KiB
Text
Raw Blame History

Support for wolfSSL is implemented and maintained by wolfSSL Inc. The support is
implemented using wolfSSL's compatibility layer. The wolfSSL support in OpenVPN
receives very limited testing/support from the OpenVPN community itself.
If bugs in OpenVPN when using wolfSSL are encountered, the user should try to
also compile OpenVPN with OpenSSL to determine if these are bugs in the
wolfSSL TLS implementation or OpenVPN itself. If bugs are caused by compiling
with wolfSSL, please contact support@wolfssl.com directly.
To Build and Install,
./configure --with-crypto-library=wolfssl
make
make install
The wolfSSL library will include the installed options.h file by default.
To include a custom user_settings.h file for wolfSSL,
./configure --with-crypto-library=wolfssl --disable-wolfssl-options-h
make
make install
*************************************************************************
Due to limitations in the wolfSSL TLS library or its compatibility layer, the
following features are missing
* blowfish support (BF-CBC), you must use something like
cipher AES-128-CBC to avoid trying to use BF-CBC
* Windows CryptoAPI support
*************************************************************************
To build WolfSSL with post-quantum KEMs built in, the following command is used:
./configure --enable-openvpn --enable-kyber=all --enable-curve25519
WolfSSL supports the following post-quantum KEMs and post-quantum hybrid KEMs which must be specified
using the tls-groups option in an OpenVPN config. Unlike OpenSSL, which includes X25519MLKEM768
in the default config, WolfSSL requires explicit configuration of tls-groups to include
at least one post-quantum KEM.
ML_KEM_512
ML_KEM_768
ML_KEM_1024
P256_ML_KEM_512
X25519_ML_KEM_512
P384_ML_KEM_768
P256_ML_KEM_768
X448_ML_KEM_768
X25519_ML_KEM_768
P384_ML_KEM_1024
P521_ML_KEM_1024
The naming conventions of algorithms differ between WolfSSL and OpenSSL. An example is that
OpenSSL omits underscores for their naming notation whereas WolfSSL expects them. Additionally,
OpenSSL does not accept the P curve notation and instead uses the equivalent secp notation.
A specific example is that WolfSSL expects P384_ML_KEM_1024, while OpenSSL expects secp384r1MLKEM1024.
Reference in a new issue View git blame Copy permalink