On Sun, 2018-11-04 at 18:43 +0100, Kurt Roeckx wrote:
> Older versions of openvpn only support TLS 1.0 because they told
> OpenSSL to only use TLS 1.0. Adding the --tls-version-min 1.0
> should make it support all TLS versions since openvpn 2.3.4 or
> something like that, and I think 2.4 or newer should just work.

There's a difference: if you don't specify the command line
tls-version-min, it actually asks openssl for the minimum version. If
you do specify, it takes what you tell it.

> But if you changed the openssl.cfg to say all versions are
> supported, it should work too, I'm not sure why you say otherwise.

Well, obviously because it doesn't work, as the log attached in the
bug report shows. The values I have in openssl.cnf are the
recommended

    MinProtocol = None
    CipherString = DEFAULT

And it definitely works, because imap has an android client at 0.9.8
which didn't work before the addition of that.

The openssl code looks to use SSL_CTX_get_min_proto_version() if you
don't specify a version, so it finds a protocol below tls 1.0 to
present, which causes the error. From the ordering in openssl, this
is likely to be SSLv3, isn't it?

The bug here is that you shouldn't kill the negotiation just because
the client offers to support SSLv3; you should move on to negotiate a
more secure cipher and only error out if the client can't support any
protocols openssl is told to consider secure.

James
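As an added illustration (not code from the thread, openvpn or OpenSSL), a small Python model of the two paths James contrasts: the floor that ends up at SSLv3 when --tls-version-min is absent and openssl.cnf says MinProtocol = None, the check that then errors out, and the negotiation he argues for instead, which only fails when the client has nothing at or above the floor. The version constants are OpenSSL's real values; the function names and the assumption that SSLv3 is compiled in are constructed for the example.

```python
# Constructed model of the minimum-version handling discussed above.
# Not openvpn or OpenSSL code: the numeric constants are OpenSSL's real
# protocol version values, everything else (function names, the assumption
# that SSLv3 is compiled in) is made up for this illustration.

SSL3_VERSION = 0x0300
TLS1_VERSION = 0x0301
TLS1_1_VERSION = 0x0302
TLS1_2_VERSION = 0x0303
NAMES = {SSL3_VERSION: "SSLv3", TLS1_VERSION: "TLSv1",
         TLS1_1_VERSION: "TLSv1.1", TLS1_2_VERSION: "TLSv1.2"}

# Assumption: versions this build offers, lowest first (SSLv3 compiled in).
SUPPORTED = [SSL3_VERSION, TLS1_VERSION, TLS1_1_VERSION, TLS1_2_VERSION]


def library_min_version(min_protocol_cfg):
    """Mimic SSL_CTX_get_min_proto_version() after openssl.cnf is applied.
    'MinProtocol = None' (or no setting) leaves the floor at 0, which OpenSSL
    treats as 'lowest version the build supports'."""
    by_name = {v: k for k, v in NAMES.items()}
    return 0 if min_protocol_cfg in (None, "None") else by_name[min_protocol_cfg]


def effective_min(tls_version_min_cmdline, min_protocol_cfg):
    """--tls-version-min wins when given; otherwise ask the library, and turn a
    0 floor into the lowest supported version (the path the mail describes)."""
    if tls_version_min_cmdline is not None:
        return tls_version_min_cmdline
    floor = library_min_version(min_protocol_cfg)
    return SUPPORTED[0] if floor == 0 else floor


def strict_check(floor):
    """The failing behaviour: refuse to go on once the floor is below TLS 1.0."""
    if floor < TLS1_VERSION:
        raise ValueError("floor %s is below TLS 1.0" % NAMES[floor])
    return floor


def negotiate(client_offered, server_min, server_max=TLS1_2_VERSION):
    """The behaviour the mail argues for: pick the highest version both sides
    accept, and fail only when the client has nothing at or above the floor.
    A client that also lists SSLv3 is not rejected for that alone."""
    acceptable = [v for v in client_offered if server_min <= v <= server_max]
    if not acceptable:
        raise ValueError("client offers nothing at or above %s" % NAMES[server_min])
    return max(acceptable)


if __name__ == "__main__":
    floor = effective_min(None, "None")             # no --tls-version-min given
    print("floor from library:", NAMES[floor])      # SSLv3
    print("negotiated anyway:", NAMES[negotiate(SUPPORTED, TLS1_VERSION)])
```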