openVPN with TLS 1.3 on LibreSSL. When?

Started by chemlud, October 23, 2019, 12:06:41 PM

Hi!

I tried to force one of my openVPN tunnels to require TLS 1.3, but in the VPN logs I got

Options error: unknown tls-version-min parameter: 1.3

so apparently LibreSSL/openVPN is not ready for TLS 1.3. I found a rather old discussion in the developers' ticket system. Is there any info on when this feature will be available?

Did anybody try to force TLS 1.3 on openVPN with openSSL? Maybe I would switch if it works there...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
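The "Options error" line above only tells you that the option was rejected at parse time; what actually matters on a running tunnel is the "Control Channel: TLSv1.x, cipher ..." line OpenVPN prints for every completed handshake, since tls-version-min only sets a floor and does not by itself prove a peer negotiated 1.3. The following is an added example, not code from the thread or from OpenVPN/OPNsense: a small log auditor that collects rejected tls-version-min values and the negotiated control-channel version per peer, and flags peers below a chosen floor. The log lines it runs on are constructed for the example, modelled on OpenVPN's syslog output format; the peer addresses are documentation ranges, not real hosts.

```python
import re
import sys

# Constructed sample log (not from the original post), syslog-style OpenVPN
# output. The "Options error" line is the one reported in the thread; the
# "Control Channel" lines follow the format OpenVPN prints after a handshake.
SAMPLE_LOG = """\
Oct 23 12:01:10 fw openvpn[14673]: Options error: unknown tls-version-min parameter: 1.3
Oct 23 12:02:31 fw openvpn[14673]: 198.51.100.7:51820 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Oct 23 12:03:02 fw openvpn[14673]: 203.0.113.9:41000 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Oct 23 12:04:15 fw openvpn[14673]: 192.0.2.44:55123 TLS Error: TLS handshake failed
"""

# A rejected minimum-version option, e.g. "... tls-version-min parameter: 1.3"
OPTIONS_ERR = re.compile(r"Options error: unknown tls-version-min parameter: (\S+)")
# Peer address, negotiated TLS version and cipher from the handshake summary.
CONTROL_CH = re.compile(r"(\S+) Control Channel: TLSv(\d+\.\d+), cipher (.+?), ")


def parse_tls_version(text):
    """'1.3' -> (1, 3) so versions compare numerically, not as strings."""
    major, minor = text.split(".")
    return (int(major), int(minor))


def audit_openvpn_log(log_text, minimum="1.2"):
    """Return a report: rejected tls-version-min values, the TLS version and
    cipher each peer negotiated, and the peers that fell below `minimum`."""
    floor = parse_tls_version(minimum)
    report = {"rejected_min_versions": [], "peers": {}, "below_minimum": []}
    for line in log_text.splitlines():
        m = OPTIONS_ERR.search(line)
        if m:
            report["rejected_min_versions"].append(m.group(1))
            continue
        m = CONTROL_CH.search(line)
        if m:
            peer, version, cipher = m.group(1), m.group(2), m.group(3)
            report["peers"][peer] = {"tls": version, "cipher": cipher}
            if parse_tls_version(version) < floor:
                report["below_minimum"].append(peer)
    return report


def main(argv):
    # Usage: audit.py [/var/log/openvpn.log] [minimum]; with no file argument
    # the constructed sample log is audited against a TLS 1.3 floor.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    minimum = argv[2] if len(argv) > 2 else "1.3"
    rep = audit_openvpn_log(text, minimum)
    for value in rep["rejected_min_versions"]:
        print(f"tls-version-min {value} was rejected by this OpenVPN build")
    for peer, info in rep["peers"].items():
        print(f"{peer}: TLS {info['tls']} ({info['cipher']})")
    for peer in rep["below_minimum"]:
        print(f"WARNING: {peer} negotiated below TLS {minimum}")
    return 1 if rep["below_minimum"] or rep["rejected_min_versions"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the real log with the floor you expect; a non-zero exit means either the build refused the floor you configured or at least one peer negotiated below it, which is the condition you want to catch before assuming the tunnel is on TLS 1.3.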

only with 20.1 (FBSD 12.1) which offers OpenSSL 1.1.1 .. libressl, no idea ..

...even with latest OPNsense and LibreSSL I get:

openvpn[14673]: Options error: unknown tls-version-min parameter: 1.3

when I set tls_min_version to 1.3 in the server config. Is this really not possible?
kind regards
chemlud


Yeah, TLS 1.3 is pure luxury, nothing to really care for...
kind regards
chemlud

TLS 1.3 is important as it has many good features like ESNI and 0-RTT. ESNI is going to break transparent proxies and hardens TLS against passive espionage because the hostname is not in plaintext anymore. This feature of course needs DoT or DoH to avoid being bypassed by reading the DNS traffic.

...sorry if you missed the mild irony in my voice ;-)

DoT light I use; it would be VERY nice to switch my openVPN tunnels to TLS 1.3. But I don't really want to go back to OpenSSL.... sigh...
kind regards
chemlud

I don't want to switch two senses from LibreSSL to OpenSSL just to learn that TLS 1.3 doesn't work for openVPN there either, so:

Is anybody successfully (!) using TLS_minversion 1.3 on openVPN with latest opnsense and openSSL? :O)
kind regards
chemlud