On 23/04/2014 18:22, Timothe Litt wrote:

> I don't see that cryptoapi.c has been updated to work with TLS 1.2.

Yes, just came to the same conclusion.

> Long-term the key-loaders need to get updated.
> Maybe short-term the options that invoke them could force NO_TLSv_1_2...
> That would make things work for most people in the short term.

One option would be to have a tls-version-max, but I'm wondering if this might be overkill. It would also force people to add "tls-version-max 1.0" to their configs to go back to the original 2.3 behavior.

My preferred solution is to simply turn off tls-version-min if it's not specified in the config, and use the 2.3 behavior. That basically forces TLS 1.0.

I've seen a lot more breakage than just this... I believe the first significant real-world exposure was the iOS 1.0.2 and 1.0.3 releases from several months ago. There were hundreds of reports of breakage, mostly from countries behind government firewalls. This was using OpenVPN 3 with PolarSSL, so the issue seems to occur with different OpenVPN and SSL implementations.

James
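As an added illustration of the option semantics being weighed in this message (example code written for this page, not code from the thread or from OpenVPN itself), the following Python works out which TLS versions a 2.3-era client config would end up negotiating. The rules it encodes are assumptions taken from the discussion: no `tls-version-min` means the legacy 2.3 behaviour of TLS 1.0 only; `tls-version-min X` opens the range from X up to the highest version the library supports; and the proposed `tls-version-max Y` caps the upper bound. The `or-highest` fallback follows OpenVPN's documented modifier for `tls-version-min`. The config texts, the `vpn.example.com` host, and the `audit_tls_range` helper are all constructed for the example.

```python
"""Effective TLS version range of an OpenVPN 2.3-style client config.

Added example: the semantics below are assumptions drawn from the
mailing-list discussion (tls-version-max was only a proposal at the time),
not OpenVPN's own implementation.
"""
from typing import Dict, List, Tuple

# Versions an OpenVPN 2.3-era build could negotiate, lowest to highest.
TLS_VERSIONS = ["1.0", "1.1", "1.2"]


def parse_config(text: str) -> Dict[str, List[str]]:
    """Parse option lines of an OpenVPN-style config into {option: args}.

    Comment lines (# or ;) and blank lines are skipped.  Inline <tag> blocks
    such as <ca>...</ca> carry no option directives, so they are ignored.
    A repeated option keeps its last occurrence, as later lines win.
    """
    options: Dict[str, List[str]] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        name, *args = line.split()
        options[name] = args
    return options


def _idx(version: str) -> int:
    """Position of a version string in TLS_VERSIONS, or ValueError."""
    if version not in TLS_VERSIONS:
        raise ValueError(f"unsupported TLS version {version!r}")
    return TLS_VERSIONS.index(version)


def effective_tls_range(options: Dict[str, List[str]],
                        highest_supported: str = "1.2") -> Tuple[str, str]:
    """Return (lowest, highest) TLS version the config would negotiate.

    Assumed semantics (from the thread, not from OpenVPN source):
      - tls-version-min absent  -> legacy 2.3 behaviour, TLS 1.0 only
      - tls-version-min X       -> X .. highest_supported
      - tls-version-min X or-highest -> highest_supported when X is not
        available locally (OpenVPN's documented modifier)
      - tls-version-max Y       -> upper bound capped at Y (proposed option)
    """
    top = _idx(highest_supported)
    min_args = options.get("tls-version-min")
    if min_args is None:
        return "1.0", "1.0"
    requested = min_args[0]
    if requested in TLS_VERSIONS and _idx(requested) <= top:
        low = _idx(requested)
    elif len(min_args) > 1 and min_args[1] == "or-highest":
        low = top
    else:
        raise ValueError(f"tls-version-min {requested} not supported locally")
    high = top
    max_args = options.get("tls-version-max")
    if max_args:
        high = min(top, _idx(max_args[0]))
    if low > high:
        raise ValueError("tls-version-min is above tls-version-max")
    return TLS_VERSIONS[low], TLS_VERSIONS[high]


def audit_tls_range(text: str, highest_supported: str = "1.2") -> dict:
    """Constructed helper: flag configs pinned to TLS 1.0 for review."""
    low, high = effective_tls_range(parse_config(text), highest_supported)
    return {"range": (low, high), "pinned_to_tls10": high == "1.0"}


# Constructed sample configs (placeholder certificate, example hostname).
LEGACY_CFG = """# stock 2.3-era client config, no tls-version-min
client
dev tun
proto udp
remote vpn.example.com 1194
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""
MIN_CFG = LEGACY_CFG + "tls-version-min 1.0\n"
CAPPED_CFG = MIN_CFG + "tls-version-max 1.0\n"
OR_HIGHEST_CFG = LEGACY_CFG + "tls-version-min 1.3 or-highest\n"

if __name__ == "__main__":
    for label, cfg in [("legacy", LEGACY_CFG), ("min", MIN_CFG),
                       ("capped", CAPPED_CFG), ("or-highest", OR_HIGHEST_CFG)]:
        print(label, audit_tls_range(cfg))
```

The `legacy` and `capped` cases both come out as TLS 1.0 only, which is the point of the message: leaving `tls-version-min` unset reproduces 2.3 behaviour without every user having to add `tls-version-max 1.0`, at the cost of staying on TLS 1.0 by default. The `pinned_to_tls10` flag is there so a defender reviewing a fleet of configs can spot which ones never get past 1.0 once the key-loaders do support TLS 1.2.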