On Sun, Nov 04, 2018 at 11:19:41AM -0800, James Bottomley wrote: > On Sun, 2018-11-04 at 20:15 +0100, Kurt Roeckx wrote: > > This is not at all how the version negiotation in TLS 1.2 and > > below works. The client just indicates the highest version it > > supports, so for instance TLS 1.2. It's then up to the server to > > pick a version that the client supports, so one that is smaller than > > TLS 1.2, and it might pick TLS 1.0 or 1.2. It will then send a server > > hello with that version. > > OK, so I'm weary of trying to construct a theory of what the bug > actually is, why don't you try to come up with one. The symptoms are > that openvpn in openwrt works with server 1.1.0 and fails with server > 1.1.1 if you don't specify tls-version-min 1.0 on the command line.
On which side do you use tls-version-min? Can you please give the version of both openvpn and openssl on both sides. Kurt
