On Thu, Feb 21 2019, Theo Buehler <[email protected]> wrote:
> On Thu, Feb 21, 2019 at 04:47:25PM +0100, Jeremie Courreges-Anglas wrote:
>> 
>> Hi,
>> 
>> openvpn-2.4.7 was released earlier today, with support for TLSv1.3.
>> That doesn't change much for us: TLSv1.3 is in the works in LibreSSL,
>> and there's no code yet in OpenVPN to support TLSv1.3 with mbedtls.
>> 
>>   https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst
>>   https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
>> 
>> I thought I'd mention this from the announcement mail:
>> --8<--
>> Please note that LibreSSL is not a supported crypto backend. We accept
>> patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if
>> newer versions of LibreSSL break API compatibility we do not take
>> responsibility to fix that.
>> -->8--
>> 
>> Given the way past API differences between OpenSSL and LibreSSL have
>> been dealt with upstream, the statement doesn't change things for ports
>> users anyway.  My efforts with upstream have stalled in the past months.
>> 
>> Which leads us to this diff, with some parts force-disabling the TLSv1.3
>> code paths introduced upstream.  I dislike the OPENSSL_NO_* macros even
>> more than the OPENSSL_VERSION_NUMBER checks, but since that's what the
>> ecosystem seems to prefer...
>> 
>> Reviews and tests welcome.
>
> While I'm no OpenVPN user, this reads and builds fine and is what we
> discussed about a month ago.
>
> ok tb (once you're happy with the number of test reports or you've
> waited long enough)

Committed, thank you for the review.

> I noticed that there is one test that is skipped:
>
> make  check-TESTS
> ./t_client.sh: cannot find 't_client.rc' in build dir ('..')
> ./t_client.sh: or source directory ('/usr/ports/pobj/openvpn-2.4.7/openvpn-2.4.7/tests'). SKIPPING TEST.
> SKIP: t_client.sh
>
> but I didn't investigate further.

This is expected, it already happened with previous versions.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
