
MbedTLS version updates

Open ekilmer opened this issue 4 years ago • 2 comments

Hello, is there a plan for upgrading/supporting newer MbedTLS version(s)?

I see there was recently a commit (https://github.com/OpenVPN/openvpn3/commit/a219ce0303ca2676512fb0c0083f3546b32d7153) to update to the latest bug-fix point release of the MbedTLS 2.7 branch. However, I also see that MbedTLS does not support that branch anymore (from https://github.com/ARMmbed/mbedtls/blob/development/BRANCHES.md#maintained-branches):

We retain a number of historical branches, whose names are prefixed by archive/, such as archive/mbedtls-2.7. These branches will not receive any changes or updates.

The latest version is v3 (released first on July 6, 2021), which is a major version bump, so there are backwards-incompatible changes with v2, but migration documentation is provided to support the upgrade.

Furthermore, there is another v2 branch that is actively maintained and supported (from the BRANCHES.md doc again):

One or more long-time support (LTS) branches: these only get bug fixes and security fixes. Currently, the only supported LTS branch is: mbedtls-2.28.

Ideally, support for both an LTS v2 and the latest (v3) MbedTLS would be the most flexible for packaging/distributing this project, but I understand that could be a lot of work and require extra testing to ensure correct operation for both versions.

ekilmer avatar Feb 21 '22 17:02 ekilmer

Currently we are not aware of any software using the mbed TLS support in OpenVPN3. So currently it feels like we are maintaining it just "for fun" and it gets little testing as well. With it not being used by ourselves and also no known third party app that is using it, the motivation and interest in maintaining it is not really there anymore. We will gladly take contributions in maintaining it.

schwabe avatar Feb 21 '22 19:02 schwabe

F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/crypto/cipher.hpp(126): error C2039: 'key_bitlen': is not a member of 'mbedtls_cipher_info_t'
F:\vcpkg\installed\x86-windows\include\mbedtls/cipher.h(279): note: see declaration of 'mbedtls_cipher_info_t'
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/crypto/cipher.hpp(126): error C2660: 'mbedtls_cipher_setkey': function does not take 3 arguments
F:\vcpkg\installed\x86-windows\include\mbedtls/cipher.h(820): note: see declaration of 'mbedtls_cipher_setkey'
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/crypto/cipher.hpp(208): error C2065: 'MBEDTLS_CIPHER_BLOWFISH_CBC': undeclared identifier
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/crypto/cipheraead.hpp(106): error C3861: 'mbedtls_cipher_auth_encrypt': identifier not found
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/crypto/cipheraead.hpp(125): error C3861: 'mbedtls_cipher_auth_encrypt': identifier not found
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/crypto/digest.hpp(72): error C2039: 'md_ctx': is not a member of 'mbedtls_md_context_t'
F:\vcpkg\installed\x86-windows\include\mbedtls/md.h(93): note: see declaration of 'mbedtls_md_context_t'
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/crypto/digest.hpp(111): error C2065: 'MBEDTLS_MD_MD4': undeclared identifier
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/crypto/digest.hpp(140): error C2039: 'md_info': is not a member of 'mbedtls_md_context_t'
F:\vcpkg\installed\x86-windows\include\mbedtls/md.h(93): note: see declaration of 'mbedtls_md_context_t'
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/crypto/hmac.hpp(65): error C2039: 'md_ctx': is not a member of 'mbedtls_md_context_t'
F:\vcpkg\installed\x86-windows\include\mbedtls/md.h(93): note: see declaration of 'mbedtls_md_context_t'
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/crypto/hmac.hpp(117): error C2039: 'md_info': is not a member of 'mbedtls_md_context_t'
F:\vcpkg\installed\x86-windows\include\mbedtls/md.h(93): note: see declaration of 'mbedtls_md_context_t'
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/util/error.hpp(83): error C2065: 'MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION': undeclared identifier
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/util/error.hpp(83): error C2051: case expression not constant
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/pki/pkctx.hpp(96): error C2660: 'mbedtls_pk_parse_key': function does not take 5 arguments
F:\vcpkg\installed\x86-windows\include\mbedtls/pk.h(793): note: see declaration of 'mbedtls_pk_parse_key'
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/pki/pkctx.hpp(96): error C2789: 'status': an object of const-qualified type must be initialized
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/pki/pkctx.hpp(96): note: see declaration of 'status'
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/ssl/sslctx.hpp(99): error C2065: 'MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA': undeclared identifier
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/ssl/sslctx.hpp(100): error C2065: 'MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA': undeclared identifier
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/ssl/sslctx.hpp(102): error C2065: 'MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA': undeclared identifier
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/ssl/sslctx.hpp(129): error C2065: 'MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA': undeclared identifier
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/ssl/sslctx.hpp(130): error C2065: 'MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA': undeclared identifier
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/ssl/sslctx.hpp(132): error C2065: 'MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA': undeclared identifier
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/ssl/sslctx.hpp(817): error C2065: 'MBEDTLS_SSL_MINOR_VERSION_1': undeclared identifier
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/ssl/sslctx.hpp(907): error C2664: 'void openvpn::MbedTLSPKI::PKContext::epki_enable(void *,mbedtls_pk_rsa_alt_decrypt_func,mbedtls_pk_rsa_alt_sign_func,mbedtls_pk_rsa_alt_key_len_func)': cannot convert argument 2 from 'int (__cdecl *)(void *,int,size_t *,const unsigned char *,unsigned char *,size_t)' to 'mbedtls_pk_rsa_alt_decrypt_func'
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/ssl/sslctx.hpp(907): note: None of the functions with this name in scope match the target type
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/ssl/sslctx.hpp(1194): error C2039: 'ns_cert_type': is not a member of 'mbedtls_x509_crt'
F:\vcpkg\installed\x86-windows\include\mbedtls/x509_crt.h(53): note: see declaration of 'mbedtls_x509_crt'
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/ssl/sslctx.hpp(1196): error C2039: 'ns_cert_type': is not a member of 'mbedtls_x509_crt'
F:\vcpkg\installed\x86-windows\include\mbedtls/x509_crt.h(53): note: see declaration of 'mbedtls_x509_crt'
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/ssl/sslctx.hpp(1210): error C2039: 'ext_types': is not a member of 'mbedtls_x509_crt'
F:\vcpkg\installed\x86-windows\include\mbedtls/x509_crt.h(53): note: see declaration of 'mbedtls_x509_crt'
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/ssl/sslctx.hpp(1212): error C2039: 'key_usage': is not a member of 'mbedtls_x509_crt'
F:\vcpkg\installed\x86-windows\include\mbedtls/x509_crt.h(53): note: see declaration of 'mbedtls_x509_crt'
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/ssl/sslctx.hpp(1212): error C2789: 'ku': an object of const-qualified type must be initialized
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/ssl/sslctx.hpp(1212): note: see declaration of 'ku'
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/ssl/sslctx.hpp(1231): error C2039: 'ext_types': is not a member of 'mbedtls_x509_crt'
F:\vcpkg\installed\x86-windows\include\mbedtls/x509_crt.h(53): note: see declaration of 'mbedtls_x509_crt'
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/ssl/sslctx.hpp(1284): error C2039: 'sig_md': is not a member of 'mbedtls_x509_crt'
F:\vcpkg\installed\x86-windows\include\mbedtls/x509_crt.h(53): note: see declaration of 'mbedtls_x509_crt'
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/ssl/sslctx.hpp(1289): error C2039: 'sig_md': is not a member of 'mbedtls_x509_crt'
F:\vcpkg\installed\x86-windows\include\mbedtls/x509_crt.h(53): note: see declaration of 'mbedtls_x509_crt'
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/ssl/sslctx.hpp(1385): error C3861: 'mbedtls_sha1_ret': identifier not found
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/ssl/sslctx.hpp(1476): error C2065: 'MBEDTLS_RSA_PRIVATE': undeclared identifier
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/ssl/sslctx.hpp(1485): error C2065: 'MBEDTLS_MD_MD2': undeclared identifier
F:\vcpkg\buildtrees\openvpn3\src\lease_-3.7-e7c0214013.clean\openvpn/mbedtls/util/rand.hpp(30): fatal error C1083: Cannot open include file: 'mbedtls/entropy_poll.h': No such file or directory
ninja: build stopped: subcommand failed.

Some public class members are converted to private in mbedtls 3.x.

JackBoosY avatar Aug 04 '22 06:08 JackBoosY
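The build log above is effectively an inventory of the Mbed TLS 2.x API that 3.x removed or made private: struct fields now wrapped in MBEDTLS_PRIVATE(), the `_ret` hash functions, the mode-less RSA API, the private entropy_poll.h header, and a set of legacy primitives (3DES cipher suites, Blowfish, MD2, MD4, TLS 1.0/1.1 version constants) that 3.0 dropped outright. As an added example, not code from the thread or from the OpenVPN project, the Python script below scans C/C++ source for exactly those identifiers so a maintainer can size the migration (and see where the old backend could still negotiate weak algorithms) before touching the code. The symbol table is taken from the errors above; the replacement notes are based on the Mbed TLS 3.0 migration notes and the public 3.x headers; the sample source it scans is constructed for the example.

```python
"""Audit C/C++ source for Mbed TLS 2.x API that breaks under Mbed TLS 3.x.

Added example for the openvpn3 issue thread; not part of the project.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[int, str, str]  # (line number, offending token, note)

# Identifiers the build log in the thread reports as missing under 3.x.
# Notes follow the Mbed TLS 3.0 migration guide.
REMOVED_SYMBOLS: Dict[str, str] = {
    "mbedtls_sha1_ret": "renamed: use mbedtls_sha1(); the _ret variants were dropped in 3.0",
    "mbedtls_cipher_auth_encrypt": "removed: use mbedtls_cipher_auth_encrypt_ext()",
    "mbedtls_pk_parse_key": "signature changed: 3.x adds f_rng/p_rng parameters, review every call",
    "MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION": "renamed: MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION",
    "MBEDTLS_RSA_PRIVATE": "removed: RSA functions no longer take a mode argument",
    "MBEDTLS_SSL_MINOR_VERSION_1": "removed: TLS 1.0/1.1 support was dropped in 3.0",
    "MBEDTLS_MD_MD2": "removed: MD2 is no longer built (weak digest)",
    "MBEDTLS_MD_MD4": "removed: MD4 is no longer built (weak digest)",
    "MBEDTLS_CIPHER_BLOWFISH_CBC": "removed: Blowfish was dropped in 3.0",
    "mbedtls/entropy_poll.h": "header made private: the entropy poll API is no longer public",
}

# Struct fields that were public in 2.x and are MBEDTLS_PRIVATE() in 3.x.
# Matched only as `.field` / `->field`, so an unrelated identifier such as a
# local variable named key_usage is not flagged.
PRIVATE_FIELDS: Dict[str, List[str]] = {
    "mbedtls_cipher_info_t": ["key_bitlen"],
    "mbedtls_md_context_t": ["md_ctx", "md_info"],
    "mbedtls_x509_crt": ["ns_cert_type", "ext_types", "key_usage", "sig_md"],
}

# Every TLS cipher-suite constant containing 3DES was removed in 3.0.
TRIPLE_DES_SUITE = re.compile(r"\bMBEDTLS_TLS_[A-Z0-9_]*_3DES_[A-Z0-9_]*\b")
FIELD_ACCESS = re.compile(r"(?:\.|->)\s*([A-Za-z_][A-Za-z0-9_]*)\b")


def audit_source(text: str) -> List[Finding]:
    """Return one finding per (line, token) that will not compile against 3.x."""
    findings: List[Finding] = []
    field_owner = {f: s for s, fields in PRIVATE_FIELDS.items() for f in fields}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for symbol, note in REMOVED_SYMBOLS.items():
            if "/" in symbol:  # header path: plain substring match
                hit = symbol in line
            else:  # identifier: whole-word match so *_ext variants are not flagged
                hit = re.search(r"\b" + re.escape(symbol) + r"\b", line) is not None
            if hit:
                findings.append((lineno, symbol, note))
        for m in TRIPLE_DES_SUITE.finditer(line):
            findings.append((lineno, m.group(0), "removed: 3DES cipher suites were dropped in 3.0"))
        for m in FIELD_ACCESS.finditer(line):
            field = m.group(1)
            if field in field_owner:
                findings.append((lineno, field,
                                 f"field of {field_owner[field]} is private in 3.x; "
                                 "use the public accessor API or MBEDTLS_PRIVATE()"))
    return findings


# Constructed sample input: a few lines in the style of the failing files above.
SAMPLE_SOURCE = """\
#include <mbedtls/cipher.h>
#include <mbedtls/entropy_poll.h>
static int key_bits(const mbedtls_cipher_info_t *ci) { return ci->key_bitlen; }
static const int suites[] = { MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 0 };
void fp(const unsigned char *d, size_t n, unsigned char *out) { mbedtls_sha1_ret(d, n, out); }
int key_usage = 0;  /* plain identifier, must not be flagged as a struct field */
"""

if __name__ == "__main__":
    for lineno, token, note in audit_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {token}: {note}")
```

Run it as-is to see the four hits in the constructed sample; to audit a real tree, feed each file's contents to `audit_source()` and treat a non-empty result as a hard migration blocker. The whole-word and field-access matching is deliberate: the 3.x replacements (`mbedtls_cipher_auth_encrypt_ext`, the `mbedtls_*_get_*` accessors) share prefixes with the removed names, so a naive grep would keep flagging already-migrated code.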

mbed TLS 3.0 support should be provided via this commit https://github.com/OpenVPN/openvpn3/commit/c1bcf78d2e6f6e394ff9d3f961dad69b777a6cea

dsommers avatar Mar 20 '24 09:03 dsommers