cron2 has uploaded a new patch set (#9) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/456?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld


Change subject: Extend the error message when TLS 1.0 PRF fails
......................................................................

Extend the error message when TLS 1.0 PRF fails

This error will probably become more and more common in the future when
more and more systems will drop TLS 1.0 PRF support. We are already
seeing people stumbling upon this (see GitHub issue #460).

The current error messages

  TLS Error: PRF calcuation failed
  TLS Error: generate_key_expansion failed

are not very helpful for people that do not have a deep understanding
of TLS or the OpenVPN protocol. Improve this message to give a normal
user a chance to understand that the peer needs to be OpenVPN 2.6.x or
newer.

Change-Id: Ib3b64b52beed69dc7740f191b0e9a9dc9af5b7f3
Signed-off-by: Arne Schwabe <a...@rfc2549.org>
Acked-by: Frank Lichtenheld <fr...@lichtenheld.com>
Message-Id: <20231213105308.121460-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27796.html
Signed-off-by: Gert Doering <g...@greenie.muc.de>
---
M src/openvpn/ssl.c
1 file changed, 6 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/56/456/9

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 6eddb68..7597412 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1477,7 +1477,12 @@
     {
         if (!generate_key_expansion_openvpn_prf(session, &key2))
         {
-            msg(D_TLS_ERRORS, "TLS Error: PRF calcuation failed");
+            msg(D_TLS_ERRORS, "TLS Error: PRF calculation failed. Your system "
+                "might not support the old TLS 1.0 PRF calculation anymore or "
+                "the policy does not allow it (e.g. running in FIPS mode). "
+                "The peer did not announce support for the modern TLS Export "
+                "feature that replaces the TLS 1.0 PRF (requires OpenVPN "
+                "2.6.x or higher)");
             goto exit;
         }
     }
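
Review bot: The new msg() text in the generate_key_expansion_openvpn_prf() failure branch leaves the remedy implicit and buried in a parenthesis at the very end ("requires OpenVPN 2.6.x or higher"), after two possible local causes and a statement about the peer. Since the commit message says the goal is to let a normal user understand that the peer needs to be 2.6.x or newer, consider closing the string with a direct sentence such as "Upgrade the peer to OpenVPN 2.6.x or newer." Two smaller points: "TLS Export feature" is not a term a user can easily search for, so using the name the documentation uses for it would help; and the commit message lists "TLS Error: generate_key_expansion failed" as equally unhelpful, but with 6 insertions and 1 deletion only the PRF message changes, so that second line will still be logged as before.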

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/456?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ib3b64b52beed69dc7740f191b0e9a9dc9af5b7f3
Gerrit-Change-Number: 456
Gerrit-PatchSet: 9
Gerrit-Owner: plaisthos <arne-open...@rfc2549.org>
Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com>
Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Gerrit-MessageType: newpatchset