diff --git a/INSTALL b/INSTALL index 97070604695..3a31e6f16c0 100644 --- a/INSTALL +++ b/INSTALL @@ -75,8 +75,8 @@ REQUIRES: OPTIONAL (but recommended): (1) OpenSSL library, necessary for encryption, version 0.9.8 or higher required, available from http://www.openssl.org/ - (2) PolarSSL library, an alternative for encryption, version 1.1 or higher - required, available from https://polarssl.org/ + (2) mbed TLS library, an alternative for encryption, version 2.0 or higher + required, available from https://tls.mbed.org/ (3) LZO real-time compression library, required for link compression, available from http://www.oberhumer.com/opensource/lzo/ OpenBSD users can use ports or packages to install lzo, but remember diff --git a/Makefile.am b/Makefile.am index 87da1825971..87af7241db7 100644 --- a/Makefile.am +++ b/Makefile.am @@ -58,7 +58,7 @@ SUBDIRS = build distro include src sample doc vendor tests dist_doc_DATA = \ README \ README.IPv6 \ - README.polarssl \ + README.mbedtls \ Changes.rst \ COPYRIGHT.GPL \ COPYING @@ -68,7 +68,7 @@ dist_noinst_DATA = \ .gitattributes \ PORTS \ README.IPv6 TODO.IPv6 \ - README.polarssl \ + README.mbedtls \ openvpn.sln \ msvc-env.bat \ msvc-dev.bat \ diff --git a/README.polarssl b/README.mbedtls similarity index 65% rename from README.polarssl rename to README.mbedtls index 6f1fa51adcf..4875822da47 100644 --- a/README.polarssl +++ b/README.mbedtls 
@@ -1,18 +1,18 @@ -This version of OpenVPN has PolarSSL support. To enable follow the following +This version of OpenVPN has mbed TLS support. To enable follow the following instructions: To Build and Install, - ./configure --with-crypto-library=polarssl + ./configure --with-crypto-library=mbedtls make make install -This version depends on PolarSSL 1.3 (and requires at least 1.3.3). +This version depends on mbed TLS 2.0 (and requires at least 2.0.0). ************************************************************************* -Due to limitations in the PolarSSL library, the following features are missing -in the PolarSSL version of OpenVPN: +Due to limitations in the mbed TLS library, the following features are missing +in the mbed TLS version of OpenVPN: * PKCS#12 file support * --capath support - Loading certificate authorities from a directory diff --git a/doc/doxygen/doc_data_crypto.h b/doc/doxygen/doc_data_crypto.h index 925fcd52db1..c2b1866cb15 100644 --- a/doc/doxygen/doc_data_crypto.h +++ b/doc/doxygen/doc_data_crypto.h @@ -68,5 +68,5 @@ * * @par Crypto algorithms * This module uses the crypto algorithm implementations of the external - * crypto library (currently either OpenSSL (default), or PolarSSL). + * crypto library (currently either OpenSSL (default), or mbed TLS). */ diff --git a/doc/doxygen/doc_key_generation.h b/doc/doxygen/doc_key_generation.h index 4b225e09988..4109ac5df37 100644 --- a/doc/doxygen/doc_key_generation.h +++ b/doc/doxygen/doc_key_generation.h @@ -78,7 +78,7 @@ * * @subsection key_generation_random Source of random material * - * OpenVPN uses the either the OpenSSL library or the PolarSSL library as its + * OpenVPN uses the either the OpenSSL library or the mbed TLS library as its * source of random material. * * In OpenSSL, the \c RAND_bytes() function is called 
@@ -91,8 +91,8 @@ * - For OpenSSL's support for external crypto modules: * http://www.openssl.org/docs/crypto/engine.html * - * In PolarSSL, the Havege random number generator is used. For details, see - * the PolarSSL documentation. + * In mbed TLS, the Havege random number generator is used. For details, see + * the mbed TLS documentation. * * @section key_generation_exchange Key exchange: * diff --git a/doc/openvpn.8 b/doc/openvpn.8 index a9223f1238f..a4189ac2828 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4472,7 +4472,7 @@ datagram replay protection as the IV. .\"********************************************************* .TP .B \-\-use\-prediction\-resistance -Enable prediction resistance on PolarSSL's RNG. +Enable prediction resistance on mbed TLS's RNG. Enabling prediction resistance causes the RNG to reseed in each call for random. Reseeding this often can quickly deplete the kernel @@ -4481,8 +4481,6 @@ entropy pool. If you need this option, please consider running a daemon that adds entropy to the kernel pool. -Note that this option only works with PolarSSL versions greater -than 1.1. .\"********************************************************* .TP .B \-\-test\-crypto @@ -4583,7 +4581,7 @@ they are distributed with OpenVPN, they are totally insecure. .TP .B \-\-capath dir Directory containing trusted certificates (CAs and CRLs). -Not available with PolarSSL. +Not available with mbed TLS. When using the .B \-\-capath @@ -4612,7 +4610,7 @@ Set .B file=none to disable Diffie Hellman key exchange (and use ECDH only). Note that this requires peers to be using an SSL library that supports ECDH TLS cipher suites -(e.g. OpenSSL 1.0.1+, or PolarSSL 1.3+). +(e.g. OpenSSL 1.0.1+, or mbed TLS 2.0+). Use .B openssl dhparam \-out dh2048.pem 2048 
@@ -4717,7 +4715,7 @@ This option can be used instead of .B \-\-ca, \-\-cert, and .B \-\-key. -Not available with PolarSSL. +Not available with mbed TLS. .\"********************************************************* .TP .B \-\-verify\-hash hash [algo] @@ -4900,7 +4898,7 @@ channel, over which the keys that are used to protect the actual VPN traffic are exchanged. The supplied list of ciphers is (after potential OpenSSL/IANA name translation) -simply supplied to the crypto library. Please see the OpenSSL and/or PolarSSL +simply supplied to the crypto library. Please see the OpenSSL and/or mbed TLS documentation for details on the cipher list interpretation. Use @@ -4913,8 +4911,8 @@ is an expert feature, which \- if used correcly \- can improve the security of your VPN connection. But it is also easy to unwittingly use it to carefully align a gun with your foot, or just break your connection. Use with care! -The default for \-\-tls\-cipher is to use PolarSSL's default cipher list -when using PolarSSL or +The default for \-\-tls\-cipher is to use mbed TLS's default cipher list +when using mbed TLS or "DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA" when using OpenSSL. .\"*********************************************************
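Review bot: In the Makefile.am hunks, README.mbedtls is now listed in both dist_doc_DATA and dist_noinst_DATA; the dist_noinst_DATA entry is redundant, since dist_doc_DATA already distributes (and installs) the file. README.polarssl had the same duplication, so this is pre-existing, but the rename is the natural point to drop the second "README.mbedtls \" line rather than carry the duplicate forward.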
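Review bot: In the README.mbedtls hunk, the rewritten first line still reads "To enable follow the following instructions"; since the line is being touched anyway, make it "To enable it, follow these instructions:". The same hunk documents a new configure value, "./configure --with-crypto-library=mbedtls", but the configure.ac change that accepts it is not in this excerpt; make sure it lands in the same series (ideally keeping "polarssl" as a deprecated alias for existing build scripts) and that the rename gets a line in Changes.rst, which this patch already lists in dist_doc_DATA.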
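Review bot: In the first doc/doxygen/doc_key_generation.h hunk, the replaced line keeps the typo "OpenVPN uses the either the OpenSSL library"; since the patch already rewrites that line, drop the stray "the" so it reads "OpenVPN uses either the OpenSSL library or the mbed TLS library as its source of random material."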
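Review bot: In the second doc/doxygen/doc_key_generation.h hunk, the statement "In mbed TLS, the Havege random number generator is used" looks stale and should be checked against the backend before being carried over under the new name. The doc/openvpn.8 hunk in this same patch describes --use-prediction-resistance as making "the RNG ... reseed in each call for random", which is a property of the mbed TLS CTR_DRBG (prediction resistance is a DRBG option), not of its HAVEGE module, which has no reseed-on-request mode. If the backend seeds a CTR_DRBG from the entropy pool, say so here; a plain s/PolarSSL/mbed TLS/ preserves a claim that contradicts the man page.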
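Review bot: In the --use-prediction-resistance hunk of doc/openvpn.8, removing "Note that this option only works with PolarSSL versions greater than 1.1." is correct now that INSTALL and README.mbedtls require mbed TLS 2.0 or newer, so no replacement note is needed. As a style point, "Enable prediction resistance on mbed TLS's RNG." reads better as "Enable prediction resistance on the mbed TLS RNG.", matching how the rest of the page refers to the library.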
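Review bot: In the second --tls-cipher hunk of doc/openvpn.8, the unchanged context line two lines above the change still has the typo "if used correcly"; since the paragraph is being edited, fix it to "correctly" in the same hunk. For consistency with the first --tls-cipher hunk ("Please see the OpenSSL and/or mbed TLS documentation"), "mbed TLS's default cipher list" is better written as "the mbed TLS default cipher list".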