On Sun, Nov 04, 2018 at 12:49:48PM -0800, James Bottomley wrote:
> On Sun, 2018-11-04 at 21:30 +0100, Kurt Roeckx wrote:
> > On Sun, Nov 04, 2018 at 12:13:43PM -0800, James Bottomley wrote:
> > >
> > > No, I'm saying with no client tls-version-min specified at all (the
> > > usual default openvpn config) it fails in 1.1.1 and works with
> > > 1.1.0
> > >
> > > With client tls-version-min set to 1.0 it works with both.
> >
> > Yes, and that's totally what I expected, and have been explaining.
> > The 2.3.X version only wants to do TLS 1.0 unless you specify
> > "tls-version-min 1.0", in which case it also does TLS 1.2.
>
> You're implying openvpn doesn't pick up the openssl.cnf changes so I
> have to set tls-version-min 1.0 in the server side configuration? OK,
> that works too.

Your client doesn't support the settings in the openssl.cnf file. Your
openvpn client by default does TLS 1.0 only. The only way for your
client to do something other than TLS 1.0 is to set the tls-version-min
variable to something. If you set it to 1.0, it will do any version
supported by the openssl library higher than 1.0.

> > So I'm failing to see what this bug report is about.
>
> Upgrading from openssl 1.1.0 to 1.1.1 causes an openvpn
> connection failure which the upgrade instructions don't fix. It also
> seems to me there are probably quite a few other openssl.cnf blind
> applications in the system which will fail in a similar fashion.

This is on the server side. As far as I know, changing the openssl.cnf
file should just work. openvpn in testing takes the minimum of the
openssl.cnf value and TLS 1.0. So if you set None, it should set TLS
1.0 as minimum.

I assume you don't set a minimum tls version in your openvpn config
file or on the command line.


Kurt
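For readers following the thread, here is an added example (not a file from the bug report or from either poster) of the kind of openssl.cnf fragment the discussion turns on: a library-wide minimum protocol that every application loading the OpenSSL configuration inherits. The section names and the TLSv1.2 value are assumptions chosen for illustration; the thread only says that the 1.1.1 openssl.cnf changes break the default 2.3.x openvpn client, and that setting the value to None restores a TLS 1.0 floor.

```ini
# openssl.cnf (constructed example fragment, not the page's file).
# The top-level key must sit in the default (unnamed) section; the
# section names below are conventional ones, assumed for this example.
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Raised floor: a server with this setting rejects a peer that can only
# offer TLS 1.0, which is what an openvpn 2.3.x client does when its
# config carries no tls-version-min line.
MinProtocol = TLSv1.2

# Library-level floor only (the thread's "set None"): the effective
# minimum then falls back to what the application asks for, TLS 1.0 in
# the openvpn case described above.
# MinProtocol = None
```

Whichever openssl.cnf floor the server runs with, the client-side fix the thread describes is the openvpn option itself: a `tls-version-min 1.0` line in the 2.3.x client configuration lets it negotiate any version the linked OpenSSL supports above 1.0, so the two ends can meet at TLS 1.2. Leaving the line out pins that client to TLS 1.0 regardless of openssl.cnf, which is why the server-side file alone did not resolve the failure.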