On Thu, Feb 21, 2019 at 04:47:25PM +0100, Jeremie Courreges-Anglas wrote:
>
> Hi,
>
> openvpn-2.4.7 was released earlier today, with support for TLSv1.3.
> That doesn't change much for us: TLSv1.3 is in the works in LibreSSL,
> and there's no code yet in OpenVPN to support TLSv1.3 with mbedtls.
>
> https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst
> https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
>
> I thought I'd mention this from the announcement mail:
> --8<--
> Please note that LibreSSL is not a supported crypto backend. We accept
> patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if
> newer versions of LibreSSL break API compatibility we do not take
> responsibility to fix that.
> -->8--
>
> Given the way past API differences between OpenSSL and LibreSSL have
> been dealt with upstream, the statement doesn't change things for ports
> users anyway. My efforts with upstream have stalled in the past months.
>
> Which leads us to this diff, with some parts force-disabling the TLSv1.3
> code paths introduced upstream. I dislike the OPENSSL_NO_* macros even
> more than the OPENSSL_VERSION_NUMBER checks, but since that's what the
> ecosystem seems to prefer...
>
> Reviews and tests welcome.

While I'm no OpenVPN user, this reads and builds fine and is what we
discussed about a month ago.

ok tb (once you're happy with the number of test reports or you've
waited long enough)

I noticed that there is one test that is skipped:

make check-TESTS
./t_client.sh: cannot find 't_client.rc' in build dir ('..')
./t_client.sh: or source directory ('/usr/ports/pobj/openvpn-2.4.7/openvpn-2.4.7/tests'). SKIPPING TEST.
SKIP: t_client.sh

but I didn't investigate further.