diff options
author | Daniel Kubec <niel@rtfm.cz> | 2015-03-12 15:14:20 +0100 |
---|---|---|
committer | David Sommerseth <davids@redhat.com> | 2015-10-10 00:02:40 +0200 |
commit | 685e486e8b8f70c25f09590c24762ff734f94a51 (patch) | |
tree | 2352755e34a75ea39f48497d6fb7dc7469330294 /doc | |
parent | 7246ccfdbe6039c5c578ecaa07505307d53b8e84 (diff) | |
download | openvpn-685e486e8b8f70c25f09590c24762ff734f94a51.tar.gz openvpn-685e486e8b8f70c25f09590c24762ff734f94a51.tar.xz openvpn-685e486e8b8f70c25f09590c24762ff734f94a51.zip |
Added support for TLS Keying Material Exporters [RFC-5705]
Keying Material Exporter [RFC-5705] allow additional keying material to be
derived from existing TLS channel. This exported keying material can then be
used for a variety of purposes.
[DS: Updated man page to document both upper and lower length boundaries]
Signed-off-by: Daniel Kubec <niel@rtfm.cz>
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com
Acked-by: David Sommerseth <davids@redhat.com>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/openvpn.8 | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/doc/openvpn.8 b/doc/openvpn.8 index e213f5a..829b09c 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -2757,6 +2757,18 @@ client\-connect), then every module and script must return success (0) in order for the connection to be authenticated. .\"********************************************************* +.TP +.B \-\-keying-material-exporter label len +Save Exported Keying Material [RFC5705] of len bytes (must be +between 16 and 4095 bytes) using label in environment +(exported_keying_material) for use by plugins in +OPENVPN_PLUGIN_TLS_FINAL callback. + +Note that exporter labels have the potential to collide with existing PRF +labels. In order to prevent this, labels MUST begin with "EXPORTER". + +This option requires OpenSSL 1.0.1 or newer. +.\"********************************************************* .SS Server Mode Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode is supported, and can be enabled with the |