openvpn/README.wolfssl

Support for wolfSSL is implemented and maintained by wolfSSL Inc. The support is
implemented using wolfSSL's compatibility layer. The wolfSSL support in OpenVPN
receives very limited testing/support from the OpenVPN community itself.

If bugs in OpenVPN when using wolfSSL are encountered, the user should try to
also compile OpenVPN with OpenSSL to determine if these are bugs in the
wolfSSL TLS implementation or OpenVPN itself. If bugs are caused by compiling
with wolfSSL, please contact support@wolfssl.com directly.

To Build and Install,

	./configure --with-crypto-library=wolfssl
	make
	make install


The wolfSSL library will include the installed options.h file by default.
To include a custom user_settings.h file for wolfSSL,

./configure --with-crypto-library=wolfssl --disable-wolfssl-options-h
make
make install

*************************************************************************
Due to limitations in the wolfSSL TLS library or its compatibility layer, the
following features are missing

 * blowfish support (BF-CBC), you must use something like
   cipher AES-128-CBC to avoid trying to use BF-CBC
 * Windows CryptoAPI support
 * No TLS1.0 PRF support (No compaitbility with OpenVPN 2.5 or older or
   other build that do not support TLS EKM)


*************************************************************************
Newer wolfSSL versions (5.8.2 and newer) are GPLv3 licensed and this license is not
compatible with OpenVPN's GPLv2 license.

However wolfSSL Inc has granted an exception to combine the wolfSSL library
with OpenVPN and OpenVPN-NL (https://github.com/wolfSSL/wolfssl/blob/master/LICENSING)
with version 5.8.4 and later.
*************************************************************************
To build WolfSSL with post-quantum KEMs built in, the following command is used:

./configure --enable-openvpn --enable-kyber=all --enable-curve25519

WolfSSL supports the following post-quantum KEMs and post-quantum hybrid KEMs which must be specified
using the tls-groups option in an OpenVPN config. Unlike OpenSSL, which includes X25519MLKEM768
in the default config, WolfSSL requires explicit configuration of tls-groups to include
at least one post-quantum KEM.

ML_KEM_512
ML_KEM_768
ML_KEM_1024

P256_ML_KEM_512
X25519_ML_KEM_512

P384_ML_KEM_768
P256_ML_KEM_768
X448_ML_KEM_768
X25519_ML_KEM_768

P384_ML_KEM_1024
P521_ML_KEM_1024

The naming conventions of algorithms differ between WolfSSL and OpenSSL. An example is that
OpenSSL omits underscores for their naming notation whereas WolfSSL expects them. Additionally,
OpenSSL does not accept the P curve notation and instead uses the equivalent secp notation.
A specific example is that WolfSSL expects P384_ML_KEM_1024, while OpenSSL expects secp384r1MLKEM1024.
README.wolfssl Update Updates for the wolfSSL README file: - fix typos - correct wolfSSL company spelling - add a point of contact for users having problems using OpenVPN + wolfSSL Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20210319134322.131905-1-juliusz@wolfssl.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21722.html Signed-off-by: Gert Doering <gert@greenie.muc.de> 2021-03-19 09:43:22 -04:00			`Support for wolfSSL is implemented and maintained by wolfSSL Inc. The support is`
			`implemented using wolfSSL's compatibility layer. The wolfSSL support in OpenVPN`
Add README.wolfssl documentating the state of WolfSSL in OpenVPN Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200417074345.5694-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19758.html Signed-off-by: Gert Doering <gert@greenie.muc.de> 2020-04-17 03:43:45 -04:00			`receives very limited testing/support from the OpenVPN community itself.`

README.wolfssl Update Updates for the wolfSSL README file: - fix typos - correct wolfSSL company spelling - add a point of contact for users having problems using OpenVPN + wolfSSL Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20210319134322.131905-1-juliusz@wolfssl.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21722.html Signed-off-by: Gert Doering <gert@greenie.muc.de> 2021-03-19 09:43:22 -04:00			`If bugs in OpenVPN when using wolfSSL are encountered, the user should try to`
			`also compile OpenVPN with OpenSSL to determine if these are bugs in the`
			`wolfSSL TLS implementation or OpenVPN itself. If bugs are caused by compiling`
			`with wolfSSL, please contact support@wolfssl.com directly.`
Add README.wolfssl documentating the state of WolfSSL in OpenVPN Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200417074345.5694-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19758.html Signed-off-by: Gert Doering <gert@greenie.muc.de> 2020-04-17 03:43:45 -04:00
			`To Build and Install,`

			`./configure --with-crypto-library=wolfssl`
			`make`
			`make install`


			`The wolfSSL library will include the installed options.h file by default.`
			`To include a custom user_settings.h file for wolfSSL,`

			`./configure --with-crypto-library=wolfssl --disable-wolfssl-options-h`
			`make`
			`make install`

			`*************************************************************************`
README.wolfssl Update Updates for the wolfSSL README file: - fix typos - correct wolfSSL company spelling - add a point of contact for users having problems using OpenVPN + wolfSSL Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20210319134322.131905-1-juliusz@wolfssl.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21722.html Signed-off-by: Gert Doering <gert@greenie.muc.de> 2021-03-19 09:43:22 -04:00			`Due to limitations in the wolfSSL TLS library or its compatibility layer, the`
Add README.wolfssl documentating the state of WolfSSL in OpenVPN Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200417074345.5694-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19758.html Signed-off-by: Gert Doering <gert@greenie.muc.de> 2020-04-17 03:43:45 -04:00			`following features are missing`

			`* blowfish support (BF-CBC), you must use something like`
			`cipher AES-128-CBC to avoid trying to use BF-CBC`
			`* Windows CryptoAPI support`
Add a section about wolfSSL GPLv3 and point out missing TLS PRF support Change-Id: I4f9a6baf2bdb45e5b79bf13c9f6fce3b7a2e982c Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1416 Message-Id: <20251204124221.15206-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34840.html Signed-off-by: Gert Doering <gert@greenie.muc.de> 2025-12-04 07:42:16 -05:00			`* No TLS1.0 PRF support (No compaitbility with OpenVPN 2.5 or older or`
			`other build that do not support TLS EKM)`
Added PQE to WolfSSL Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35 Signed-off-by: comododragon <rein.vanbaaren@fox-it.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Message-Id: <20250707133447.12404-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32043.html Signed-off-by: Gert Doering <gert@greenie.muc.de> 2025-07-07 09:34:39 -04:00
Add a section about wolfSSL GPLv3 and point out missing TLS PRF support Change-Id: I4f9a6baf2bdb45e5b79bf13c9f6fce3b7a2e982c Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1416 Message-Id: <20251204124221.15206-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34840.html Signed-off-by: Gert Doering <gert@greenie.muc.de> 2025-12-04 07:42:16 -05:00
			`*************************************************************************`
			`Newer wolfSSL versions (5.8.2 and newer) are GPLv3 licensed and this license is not`
			`compatible with OpenVPN's GPLv2 license.`

			`However wolfSSL Inc has granted an exception to combine the wolfSSL library`
			`with OpenVPN and OpenVPN-NL (https://github.com/wolfSSL/wolfssl/blob/master/LICENSING)`
			`with version 5.8.4 and later.`
Added PQE to WolfSSL Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35 Signed-off-by: comododragon <rein.vanbaaren@fox-it.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Message-Id: <20250707133447.12404-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32043.html Signed-off-by: Gert Doering <gert@greenie.muc.de> 2025-07-07 09:34:39 -04:00			`*************************************************************************`
			`To build WolfSSL with post-quantum KEMs built in, the following command is used:`

			`./configure --enable-openvpn --enable-kyber=all --enable-curve25519`

			`WolfSSL supports the following post-quantum KEMs and post-quantum hybrid KEMs which must be specified`
			`using the tls-groups option in an OpenVPN config. Unlike OpenSSL, which includes X25519MLKEM768`
			`in the default config, WolfSSL requires explicit configuration of tls-groups to include`
			`at least one post-quantum KEM.`

			`ML_KEM_512`
			`ML_KEM_768`
			`ML_KEM_1024`

			`P256_ML_KEM_512`
			`X25519_ML_KEM_512`

			`P384_ML_KEM_768`
			`P256_ML_KEM_768`
			`X448_ML_KEM_768`
			`X25519_ML_KEM_768`

			`P384_ML_KEM_1024`
			`P521_ML_KEM_1024`

			`The naming conventions of algorithms differ between WolfSSL and OpenSSL. An example is that`
			`OpenSSL omits underscores for their naming notation whereas WolfSSL expects them. Additionally,`
			`OpenSSL does not accept the P curve notation and instead uses the equivalent secp notation.`
			`A specific example is that WolfSSL expects P384_ML_KEM_1024, while OpenSSL expects secp384r1MLKEM1024.`