Previous versions of the patch had issues with string concatenation
(missing whitespace) - all fixed.  Also, the manpage would claim
auto-activation of the feature, which it didn't -> fixed as well :-)

Testing with manual activation of --force-tls-key-material-export led
to the expected result - 2.6 clients could connect fine, 2.5 and earlier
were refused with a clear message:

  2024-01-03 18:35:45 AUTH: Received control message: AUTH_FAILED,Client 
incompatible with this server. Keying Material Exporters (RFC 5705) support 
missing. Upgrade to a client that supports this feature (OpenVPN 2.6.0+).

and on the server

  2024-01-03 18:37:52 us=455522 
cron2-freebsd-tc-amd64-25/2001:608:0:814::f000:21 peer-id=0 PUSH: client does 
not support TLS key material exportbut --force-tls-key-material-export is 

so, this should help people hitting such a scenario to much better understand
what is happening, and what they can do about it.

For completeness I've tried to test this on a FreeBSD 14 system with
"--providers fips", but failed to set up OpenSSL/FIPS in a way that
actually did anything useful...  so I broke check_tls_prf_working()
manually, and the expected "auto-enable option" part works too.  <<< NAK!

Your patch has been applied to the master and release/2.6 branch (long-
term compat and better diagnostics).

commit 3278524247f07f6d541d29d8ca8d4fafcb623054 (master)
commit 425f7d644876755deff1946c0a3aa16f15af4adb (release/2.6)
Author: Arne Schwabe
Date:   Tue Jan 2 13:51:49 2024 +0100

     Check PRF availability on initialisation and add 

     Signed-off-by: Arne Schwabe <>
     Acked-by: Gert Doering <>
     Message-Id: <>
     Signed-off-by: Gert Doering <>

kind regards,

Gert Doering

Openvpn-devel mailing list

Reply via email to