docs: Replace all PolarSSL references to mbed TLS

There were references in our documentation to the now deprecated PolarSSL
library, which has changed its name upstream to mbed TLS.

In addition, where appropriate, the documentation now considers only
mbed TLS 2.0 and newer.  This is in accordance with the requirements
./configure sets.

[DS: On-the-fly change - Updated Makefile.am to use README.mbedtls
     instead of README.polarssl. This ensures make dist and buildbots
     won't explode]

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170822114715.14225-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15309.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
David Sommerseth 2017-08-22 13:47:15 +02:00
parent e0a6afa12e
commit ed0e79938e
GPG Key ID: 86CF944C9671FDF2
6 changed files with 20 additions and 22 deletions

View File

@ -75,8 +75,8 @@ REQUIRES:
OPTIONAL (but recommended): OPTIONAL (but recommended):
(1) OpenSSL library, necessary for encryption, version 0.9.8 or higher (1) OpenSSL library, necessary for encryption, version 0.9.8 or higher
required, available from http://www.openssl.org/ required, available from http://www.openssl.org/
(2) PolarSSL library, an alternative for encryption, version 1.1 or higher (2) mbed TLS library, an alternative for encryption, version 2.0 or higher
required, available from https://polarssl.org/ required, available from https://tls.mbed.org/
(3) LZO real-time compression library, required for link compression, (3) LZO real-time compression library, required for link compression,
available from http://www.oberhumer.com/opensource/lzo/ available from http://www.oberhumer.com/opensource/lzo/
OpenBSD users can use ports or packages to install lzo, but remember OpenBSD users can use ports or packages to install lzo, but remember
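Review bot: the new minimum "version 2.0 or higher" for mbed TLS matches the ./configure floor the commit message refers to, but the untouched neighbouring line (1) still advertises "OpenSSL library ... version 0.9.8 or higher", a release that has been end-of-life since the end of 2015. Since this hunk is already revising the crypto-library requirements, consider bumping that sentence to the OpenSSL version ./configure actually checks for, so the README does not suggest an unsupported library is acceptable.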

View File

@ -58,7 +58,7 @@ SUBDIRS = build distro include src sample doc vendor tests
dist_doc_DATA = \ dist_doc_DATA = \
README \ README \
README.IPv6 \ README.IPv6 \
README.polarssl \ README.mbedtls \
Changes.rst \ Changes.rst \
COPYRIGHT.GPL \ COPYRIGHT.GPL \
COPYING COPYING
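Review bot: the rename in dist_doc_DATA from "README.polarssl \" to "README.mbedtls \" only works if the file itself is renamed in the same commit (the on-the-fly note in the commit message says this was done); otherwise make dist fails on the missing file, which is exactly the buildbot breakage the note wants to avoid. Worth confirming the file rename is part of the 6 changed files rather than a separate follow-up.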
@ -68,7 +68,7 @@ dist_noinst_DATA = \
.gitattributes \ .gitattributes \
PORTS \ PORTS \
README.IPv6 TODO.IPv6 \ README.IPv6 TODO.IPv6 \
README.polarssl \ README.mbedtls \
openvpn.sln \ openvpn.sln \
msvc-env.bat \ msvc-env.bat \
msvc-dev.bat \ msvc-dev.bat \

View File

@ -1,18 +1,18 @@
This version of OpenVPN has PolarSSL support. To enable follow the following This version of OpenVPN has mbed TLS support. To enable follow the following
instructions: instructions:
To Build and Install, To Build and Install,
./configure --with-crypto-library=polarssl ./configure --with-crypto-library=mbedtls
make make
make install make install
This version depends on PolarSSL 1.3 (and requires at least 1.3.3). This version depends on mbed TLS 2.0 (and requires at least 2.0.0).
************************************************************************* *************************************************************************
Due to limitations in the PolarSSL library, the following features are missing Due to limitations in the mbed TLS library, the following features are missing
in the PolarSSL version of OpenVPN: in the mbed TLS version of OpenVPN:
* PKCS#12 file support * PKCS#12 file support
* --capath support - Loading certificate authorities from a directory * --capath support - Loading certificate authorities from a directory
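Review bot: the sentence "This version depends on mbed TLS 2.0 (and requires at least 2.0.0)." says the same thing twice now that the floor is 2.0; one clause is enough. Two smaller points in the same hunk: "To enable follow the following instructions:" reads awkwardly and could become "To enable it, follow these instructions:", and the "following features are missing" list (PKCS#12, --capath) is carried over unchanged from the PolarSSL 1.3 text, so it should be re-verified against the mbed TLS 2.0 backend rather than assumed to still hold.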

View File

@ -68,5 +68,5 @@
* *
* @par Crypto algorithms * @par Crypto algorithms
* This module uses the crypto algorithm implementations of the external * This module uses the crypto algorithm implementations of the external
* crypto library (currently either OpenSSL (default), or PolarSSL). * crypto library (currently either OpenSSL (default), or mbed TLS).
*/ */

View File

@ -78,7 +78,7 @@
* *
* @subsection key_generation_random Source of random material * @subsection key_generation_random Source of random material
* *
* OpenVPN uses the either the OpenSSL library or the PolarSSL library as its * OpenVPN uses the either the OpenSSL library or the mbed TLS library as its
* source of random material. * source of random material.
* *
* In OpenSSL, the \c RAND_bytes() function is called * In OpenSSL, the \c RAND_bytes() function is called
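Review bot: the pre-existing typo "OpenVPN uses the either the OpenSSL library" survives the rename; since this line is being rewritten anyway, drop the first "the" so it reads "OpenVPN uses either the OpenSSL library or the mbed TLS library as its source of random material."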
@ -91,8 +91,8 @@
* - For OpenSSL's support for external crypto modules: * - For OpenSSL's support for external crypto modules:
* http://www.openssl.org/docs/crypto/engine.html * http://www.openssl.org/docs/crypto/engine.html
* *
* In PolarSSL, the Havege random number generator is used. For details, see * In mbed TLS, the Havege random number generator is used. For details, see
* the PolarSSL documentation. * the mbed TLS documentation.
* *
* @section key_generation_exchange Key exchange: * @section key_generation_exchange Key exchange:
* *
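Review bot: "In mbed TLS, the Havege random number generator is used" is a straight rename of an old PolarSSL claim, not a re-check of what the mbed TLS backend does. The man-page hunk in this same change documents --use-prediction-resistance as causing "the RNG to reseed in each call for random", which is a property of a seeded DRBG (mbed TLS's CTR_DRBG has a prediction-resistance switch), not of HAVEGE. Please verify this paragraph against the actual RNG setup in the mbed TLS backend and describe that (entropy source plus CTR_DRBG) instead of carrying the Havege sentence forward.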

View File

@ -4472,7 +4472,7 @@ datagram replay protection as the IV.
.\"********************************************************* .\"*********************************************************
.TP .TP
.B \-\-use\-prediction\-resistance .B \-\-use\-prediction\-resistance
Enable prediction resistance on PolarSSL's RNG. Enable prediction resistance on mbed TLS's RNG.
Enabling prediction resistance causes the RNG to reseed in each Enabling prediction resistance causes the RNG to reseed in each
call for random. Reseeding this often can quickly deplete the kernel call for random. Reseeding this often can quickly deplete the kernel
@ -4481,8 +4481,6 @@ entropy pool.
If you need this option, please consider running a daemon that adds If you need this option, please consider running a daemon that adds
entropy to the kernel pool. entropy to the kernel pool.
Note that this option only works with PolarSSL versions greater
than 1.1.
.\"********************************************************* .\"*********************************************************
.TP .TP
.B \-\-test\-crypto .B \-\-test\-crypto
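Review bot: removing "Note that this option only works with PolarSSL versions greater than 1.1." is the right call now that 2.0 is the minimum, and the hunk header's line counts (-4481,8 +4481,6) match the two deleted lines. Check the rendered man page to make sure no stray blank paragraph is left between the entropy-pool sentence and the next .TP.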
@ -4583,7 +4581,7 @@ they are distributed with OpenVPN, they are totally insecure.
.TP .TP
.B \-\-capath dir .B \-\-capath dir
Directory containing trusted certificates (CAs and CRLs). Directory containing trusted certificates (CAs and CRLs).
Not available with PolarSSL. Not available with mbed TLS.
When using the When using the
.B \-\-capath .B \-\-capath
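Review bot: "Not available with mbed TLS." is consistent with the --capath limitation listed in README.mbedtls in this same change; if that README list is later re-verified against mbed TLS 2.0 (see the README hunk), this man-page sentence and the matching one under --pkcs12 must be updated together, so it may be worth a comment pointing at the README as the single source for the limitation list.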
@ -4612,7 +4610,7 @@ Set
.B file=none .B file=none
to disable Diffie Hellman key exchange (and use ECDH only). Note that this to disable Diffie Hellman key exchange (and use ECDH only). Note that this
requires peers to be using an SSL library that supports ECDH TLS cipher suites requires peers to be using an SSL library that supports ECDH TLS cipher suites
(e.g. OpenSSL 1.0.1+, or PolarSSL 1.3+). (e.g. OpenSSL 1.0.1+, or mbed TLS 2.0+).
Use Use
.B openssl dhparam \-out dh2048.pem 2048 .B openssl dhparam \-out dh2048.pem 2048
@ -4717,7 +4715,7 @@ This option can be used instead of
.B \-\-ca, \-\-cert, .B \-\-ca, \-\-cert,
and and
.B \-\-key. .B \-\-key.
Not available with PolarSSL. Not available with mbed TLS.
.\"********************************************************* .\"*********************************************************
.TP .TP
.B \-\-verify\-hash hash [algo] .B \-\-verify\-hash hash [algo]
@ -4900,7 +4898,7 @@ channel, over which the keys that are used to protect the actual VPN traffic
are exchanged. are exchanged.
The supplied list of ciphers is (after potential OpenSSL/IANA name translation) The supplied list of ciphers is (after potential OpenSSL/IANA name translation)
simply supplied to the crypto library. Please see the OpenSSL and/or PolarSSL simply supplied to the crypto library. Please see the OpenSSL and/or mbed TLS
documentation for details on the cipher list interpretation. documentation for details on the cipher list interpretation.
Use Use
@ -4913,8 +4911,8 @@ is an expert feature, which \- if used correcly \- can improve the security of
your VPN connection. But it is also easy to unwittingly use it to carefully your VPN connection. But it is also easy to unwittingly use it to carefully
align a gun with your foot, or just break your connection. Use with care! align a gun with your foot, or just break your connection. Use with care!
The default for \-\-tls\-cipher is to use PolarSSL's default cipher list The default for \-\-tls\-cipher is to use mbed TLS's default cipher list
when using PolarSSL or when using mbed TLS or
"DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA" when using "DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA" when using
OpenSSL. OpenSSL.
.\"********************************************************* .\"*********************************************************
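Review bot: the hunk header context line still carries the pre-existing typo "if used correcly"; since the --tls-cipher paragraph is being edited here, fixing it to "correctly" in this hunk avoids a separate cleanup commit. The rest of the hunk is fine: the mbed TLS default cipher list versus the explicit OpenSSL string is described accurately and unchanged in substance.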