On 21/04/2014 05:49, Gert Doering wrote:
> Hi,
> On Mon, Apr 21, 2014 at 01:11:05PM +0200, Arne Schwabe wrote:
> > Yes. But with this patch it is always turned off, keeping OpenVPN in 99%
> > of installations in TLS 1.0. Is there any other known case where it
> > breaks aside from the Tomato OpenVPN client?
> http://community.openvpn.net/openvpn/ticket/385
> this is the only case I know - and I blame the openssl library on the
> server side (ARM). So for me, "default-on with a way to turn it off" would
> be sufficient. But I assume James has much more visibility...
The problem with tls-version-min is that it defaults to 1.0 even if not
used. We've received many reports of breakage with this approach,
probably because setting the min to 1.0 is actually subtly different
from the approach used before tls-version-min was implemented.
So this patch turns off tls-version-min unless it's explicit in the config.
James