Skip to content

Commit

Permalink
Extend the error message when TLS 1.0 PRF fails
Browse files Browse the repository at this point in the history
This error will probably become more and more common in the future when
more and more systems will drop TLS 1.0 PRF support. We are already
seeing people stumbling upon this (see GitHub issue #460)

The current error messages

  TLS Error: PRF calcuation failed
  TLS Error: generate_key_expansion failed

are not very helpful for people that do not have deep understanding
of TLS or the OpenVPN protocol. Improve this message to give a normal
user a chance to understand that the peer needs to be OpenVPN 2.6.x or
newer.

Change-Id: Ib3b64b52beed69dc7740f191b0e9a9dc9af5b7f3
Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: Frank Lichtenheld <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg27796.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 6ff8161)
  • Loading branch information
schwabe authored and cron2 committed Dec 26, 2023
1 parent 030afe6 commit cfaf82d
Showing 1 changed file with 6 additions and 1 deletion.
7 changes: 6 additions & 1 deletion src/openvpn/ssl.c
Original file line number Diff line number Diff line change
Expand Up @@ -1644,7 +1644,12 @@ generate_key_expansion(struct tls_multi *multi, struct key_state *ks,
{
if (!generate_key_expansion_openvpn_prf(session, &key2))
{
msg(D_TLS_ERRORS, "TLS Error: PRF calcuation failed");
msg(D_TLS_ERRORS, "TLS Error: PRF calculation failed. Your system "
"might not support the old TLS 1.0 PRF calculation anymore or "
"the policy does not allow it (e.g. running in FIPS mode). "
"The peer did not announce support for the modern TLS Export "
"feature that replaces the TLS 1.0 PRF (requires OpenVPN "
"2.6.x or higher)");
goto exit;
}
}
Expand Down

0 comments on commit cfaf82d

Please sign in to comment.