Opened 4 years ago

Closed 3 years ago

Last modified 2 years ago

#1116 closed Feature Wish (fixed)

TLS 1.3 / openssl 1.1.1

Reported by: sonuser
Owned by: Steffan Karger
Priority: major
Milestone: release 2.4.6
Component: Crypto
Version:
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:


Since TLSv1.3 has an RFC doc now and openssl released version 1.1.1 with TLS 1.3 support, will OpenVPN also get TLS 1.3 / the new openssl version?

Also openssl 1.1.1 is LTS now and they say "Since 1.1.1 is our new LTS release we are strongly advising all users to upgrade as soon as possible." in their post here:

Change History (4)

comment:1 Changed 4 years ago by tct


comment:2 Changed 3 years ago by Gert Döring

Milestone: release 2.4.7 → release 2.4.9

OpenVPN supports compilation with OpenSSL 1.1.1 just fine now. So the feature request has been fulfilled :-)

What is missing is "build windows installers with 1.1.1" but I understand that this is just pending management-external-key adjustments (padding) which are in queue from plaisthos.

comment:3 Changed 3 years ago by Steffan Karger

Milestone: release 2.4.9 → release 2.4.6
Resolution: fixed
Status: new → closed

Although some corner cases around using external signatures (pkcs11, cryptoapi, management-external-key) might not yet work with TLS 1.3, all the common use cases are supported.

Closing this ticket :)

comment:4 Changed 2 years ago by becm

Padding support for TLS 1.3 with external signatures:
pkcs11: required update to pkcs11-helper library (included since v2.4.10 and v2.5.0 Windows builds)
cryptoapi: via CNG in OpenVPN 2.5
management-external-key: new protocol version with OpenVPN 2.5

Last edited 2 years ago by becm