We had a bit of discussion on this in the GH issue (964), and it turns
out that it's unclear why this was considered necessary at all, and is
certainly not required with modern mbedTLS 3.x versions, and to the
contrary, quite excessive wrt system random use. mbedTLS 4.x does not
support that, mbedTLS 2.x is no longer supported by us, so out with this.
BB and GHA test various mbedTLS versions, but neither will call
"--use-prediction-resistance", so wrt testing, this is a no-op.
I think we should apply this to release/2.7 as well, since this is sort
of cleanup that only affects a small number of builds, and even there,
it's not turned-on-by-default... you might see a followup e-mail here.
Your patch has been applied to the master branch.
commit 880bd69254a3e0975f4da215367be4ae4ef6053c (master)
Author: Max Fillinger
Date: Mon Feb 16 16:10:27 2026 +0100
Mbed TLS 3: Remove prediction resistance option
Signed-off-by: Max Fillinger <[email protected]>
Acked-by: Frank Lichtenheld <[email protected]>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1530
Message-Id: <[email protected]>
URL:
https://www.mail-archive.com/[email protected]/msg35658.html
Signed-off-by: Gert Doering <[email protected]>
--
kind regards,
Gert Doering
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
