Hello!
I am trying to add TLS 1.3 support to OpenVPN when using Mbed TLS as the TLS library. My current roadblock is that OpenVPN needs the TLS-Exporter functionality (RFC 8446, Section 7.5).
For TLS 1.2, we get the master secret through mbedtls_ssl_set_export_keys_cb() and then implement the exporter using mbedtls_ssl_tls_prf(). For TLS 1.3, an approach like this doesn't work because the callback isn't called with the exporter master secret.
Am I missing anything, or does this feature not yet exist? Are there any plans to add it? If not, I'd be interested in trying to make a patch.
Best regards, Max
Hello, thank you for your interest in Mbed TLS. I don't think you are missing much. We seem to have some support for the callback set through mbedtls_ssl_set_export_keys_cb() (see `ssl->f_export_keys()` calls in ssl_tls13_keys.c) but at least only partial. I have found one issue related to that: issue #6682. We have not planned to work on it yet. We would be very interested in having a patch adding support for section 7.5 of RFC 8446.
Thanks, Ronald Cron.
-----Original Message-----
From: Maximilian Fillinger via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Sent: Tuesday, July 16, 2024 5:45 PM
To: mbed-tls@lists.trustedfirmware.org
Subject: [mbed-tls] TLS-Exporter in TLS 1.3