Opened 3 years ago

Closed 2 years ago

Last modified 12 months ago

#1116 closed Feature Wish (fixed)

TLS 1.3 / openssl 1.1.1

Reported by: sonuser
Owned by: Steffan Karger
Priority: major
Milestone: release 2.4.6
Component: Crypto
Version:
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

Since TLSv1.3 has an RFC doc now (https://tools.ietf.org/html/rfc8446) and openssl released version 1.1.1 with TLS 1.3 support, will OpenVPN also get TLS 1.3 / the new openssl version?

https://github.com/openssl/openssl/releases/tag/OpenSSL_1_1_1
https://wiki.openssl.org/index.php/TLS1.3

Also openssl 1.1.1 is LTS now and they say "Since 1.1.1 is our new LTS release we are strongly advising all users to upgrade as soon as possible." in their post here: https://www.openssl.org/blog/blog/2018/09/11/release111/

Change History (4)

comment:1 Changed 3 years ago by tct

cc

comment:2 Changed 2 years ago by Gert Döring

Milestone: release 2.4.7 → release 2.4.9

OpenVPN supports compilation with OpenSSL 1.1.1 just fine now. So the feature request has been fulfilled :-)

What is missing is "build windows installers with 1.1.1" but I understand that this is just pending management-external-key adjustments (padding) which are in queue from plaisthos.

comment:3 Changed 2 years ago by Steffan Karger

Milestone: release 2.4.9 → release 2.4.6
Resolution: fixed
Status: new → closed

Although some corner cases around using external signatures (pkcs11, cryptoapi, management-external-key) might not yet work with TLS 1.3, all the common use cases are supported.

Closing this ticket :)

comment:4 Changed 12 months ago by becm

Padding support for TLS 1.3 with external signatures:
pkcs11: required update to pkcs11-helper library (included since v2.4.10 and v2.5.0 Windows builds)
cryptoapi: via CNG in OpenVPN 2.5
management-external-key: new protocol version with OpenVPN 2.5

Last edited 12 months ago by becm