[thirdparty/openvpn.git] / README.mbedtls

This version of OpenVPN has mbed TLS support. To enable, follow the
instructions below:

To build and install,

	./configure --with-crypto-library=mbedtls
	make
	make install

This version requires mbed TLS version >= 2.0.0 or >= 3.2.1.

*************************************************************************

Warning:

As of mbed TLS 2.17, it can be licensed *only* under the Apache v2.0 license.
That license is incompatible with OpenVPN's GPLv2.

We are currently in the process of resolving this problem, but for now, if you
wish to distribute OpenVPN linked with mbed TLS, there are two options:

 * Ensure that your case falls under the system library exception in GPLv2, or

 * Use an earlier version of mbed TLS. Version 2.16.12 is the last release
   that may be licensed under GPLv2. Unfortunately, this version is
   unsupported and won't receive any more updates.

*************************************************************************

Due to limitations in the mbed TLS library, the following features are missing
in the mbed TLS version of OpenVPN:

 * PKCS#12 file support
 * --capath support - Loading certificate authorities from a directory
 * Windows CryptoAPI support
 * X.509 alternative username fields (must be "CN")

Plugin/Script features:

 * X.509 subject line has a different format than the OpenSSL subject line
 * X.509 certificate tracking

*************************************************************************

Mbed TLS 3 has implemented (parts of) the TLS 1.3 protocol, but we have disabled
support in OpenVPN because the TLS-Exporter function is not yet implemented.
Commit	Line	Data
f53f0631 MF	1	This version of OpenVPN has mbed TLS support. To enable, follow the
f53f0631 MF	2	instructions below:
53f97e1e	3
f53f0631	4	To build and install,
53f97e1e	5
ed0e7993	6	./configure --with-crypto-library=mbedtls
53f97e1e AJ	7	make
	8	make install
	9
f53f0631	10	This version requires mbed TLS version >= 2.0.0 or >= 3.2.1.
7dd8bbf5	11
53f97e1e AJ	12	*************************************************************************
53f97e1e AJ	13
110eee02 MF	14	Warning:
	15
	16	As of mbed TLS 2.17, it can be licensed only under the Apache v2.0 license.
	17	That license is incompatible with OpenVPN's GPLv2.
	18
f53f0631 MF	19	We are currently in the process of resolving this problem, but for now, if you
f53f0631 MF	20	wish to distribute OpenVPN linked with mbed TLS, there are two options:
110eee02 MF	21
	22	* Ensure that your case falls under the system library exception in GPLv2, or
	23
	24	* Use an earlier version of mbed TLS. Version 2.16.12 is the last release
	25	that may be licensed under GPLv2. Unfortunately, this version is
	26	unsupported and won't receive any more updates.
	27
110eee02 MF	28	*************************************************************************
110eee02 MF	29
ed0e7993 DS	30	Due to limitations in the mbed TLS library, the following features are missing
ed0e7993 DS	31	in the mbed TLS version of OpenVPN:
53f97e1e	32
53f97e1e	33	* PKCS#12 file support
7dd8bbf5	34	* --capath support - Loading certificate authorities from a directory
53f97e1e	35	* Windows CryptoAPI support
7dd8bbf5 AJ	36	* X.509 alternative username fields (must be "CN")
	37
	38	Plugin/Script features:
53f97e1e	39
7dd8bbf5	40	* X.509 subject line has a different format than the OpenSSL subject line
7dd8bbf5	41	* X.509 certificate tracking
f53f0631 MF	42
	43	*************************************************************************
	44
efad93d0 MF	45	Mbed TLS 3 has implemented (parts of) the TLS 1.3 protocol, but we have disabled
efad93d0 MF	46	support in OpenVPN because the TLS-Exporter function is not yet implemented.