Attention is currently required from: flichtenheld. Hello flichtenheld,
I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/456?usp=email to look at the new patch set (#2). Change subject: Extend the error message when TLS 1.0 PRF fails ...................................................................... Extend the error message when TLS 1.0 PRF fails This error will probably become more and more common in the future when more and more system will drop TLS 1.0 PRF support. We are already seeing people stumbling upon this (see GitHub issue #460) The current error messages TLS Error: PRF calcuation failed TLS Error: generate_key_expansion failed are not very helpful for people that do not have deep understanding of TLS or the OpenVPN protocol. Improve a on this message to give a normal user a chance to understand that the peer needs to be OpenVPN 2.6.x or newer. Change-Id: Ib3b64b52beed69dc7740f191b0e9a9dc9af5b7f3 Signed-off-by: Arne Schwabe <a...@rfc2549.org> --- M src/openvpn/ssl.c 1 file changed, 6 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/56/456/2 diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 400230c..9817b2e 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1641,7 +1641,12 @@ { if (!generate_key_expansion_openvpn_prf(session, &key2)) { - msg(D_TLS_ERRORS, "TLS Error: PRF calcuation failed"); + msg(D_TLS_ERRORS, "TLS Error: PRF calculation failed. Your system " + "might not support the old TLS 1.0 PRF calculation anymore or " + "the policy does not allow TLS1 PRF calculation anymore " + "(e.g. running in FIPS mode). The peer did not announce support " + "for the modern TLS Export feature that replaces the TLS 1.0" + "RPF (requires OpenVPN 2.6.x or higher)"); goto exit; } } -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/456?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ib3b64b52beed69dc7740f191b0e9a9dc9af5b7f3 Gerrit-Change-Number: 456 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos <arne-open...@rfc2549.org> Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com> Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net> Gerrit-Attention: flichtenheld <fr...@lichtenheld.com> Gerrit-MessageType: newpatchset
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel