[Pkg-openssl-devel] Bug#912864: Bug#912864: openssl: new version of openssl breaks some openvpn clients

James Bottomley James.Bottomley at HansenPartnership.com
Sun Nov 4 18:19:00 GMT 2018


On Sun, 2018-11-04 at 18:43 +0100, Kurt Roeckx wrote:
> Older versions of openvpn only support TLS 1.0 because they told
> OpenSSL to only use TLS 1.0. Adding the --tls-version-min 1.0
> should make it support all TLS versions since openvpn 2.3.4 or
> something like that, and I think 2.4 or newer should just work.

There's a difference: if you don't specify the command line tls-version-min,
it actually asks openssl for the minimum version.  If you
do specify, it takes what you tell it.

> But if you changed the openssl.cfg to say all versions are
> supported, it should work too, I'm not sure why you say otherwise.

Well, obviously because it doesn't work as the log attached in the bug
report shows.

The values I have in openssl.cnf are the recommended

MinProtocol = None
CipherString = DEFAULT

And it definitely works because imap has an android client at 0.9.8
which didn't work before the addition of that.

The openssl code looks to use SSL_CTX_get_min_proto_version() if you
don't specify a version, so it finds a protocol below tls 1.0 to
present which causes the error.  From the ordering in openssl, this is
likely to be SSLv3, isn't it?

The bug here is that you shouldn't kill the negotiation just because
the client offers to support SSLv3, you should move on to negotiate a
more secure cipher and only error out if the client can't support any
protocols openssl is told to consider secure.

James
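A Python sketch of the two code paths James distinguishes (an explicit --tls-version-min versus asking the library for its floor), added here as an illustration and not code from openvpn, OpenSSL or this thread; the option strings and the "none" entry are an assumed mapping, and ssl.SSLContext stands in for openvpn's own OpenSSL context setup.

```python
import ssl

# Assumed mapping of openvpn-style --tls-version-min values onto the
# ssl module's floors; "none" stands for an openssl.cnf "MinProtocol = None",
# i.e. no floor at all.
TLS_FLOORS = {
    "none": ssl.TLSVersion.MINIMUM_SUPPORTED,
    "1.0": ssl.TLSVersion.TLSv1,
    "1.1": ssl.TLSVersion.TLSv1_1,
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}


def effective_floor(tls_version_min=None):
    """Return the protocol floor a client context ends up with.

    An explicit option wins. With None the context keeps whatever floor the
    library (and the system openssl.cnf it loaded) already gave it, which is
    the "ask openssl for the minimum version" branch discussed in the thread.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if tls_version_min is not None:
        ctx.minimum_version = TLS_FLOORS[tls_version_min]
    # minimum_version wraps SSL_CTX_get_min_proto_version(); OpenSSL's 0
    # ("no floor") is reported back as TLSVersion.MINIMUM_SUPPORTED.
    return ctx.minimum_version


def admits_pre_tls10(floor):
    """True when a floor would still let the client offer SSLv3 or lower,
    the situation the bug report's log shows being rejected outright."""
    return floor in (ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.SSLv3)


if __name__ == "__main__":
    for opt in (None, "none", "1.2"):
        floor = effective_floor(opt)
        print(f"--tls-version-min {opt}: floor={floor.name} "
              f"pre-TLS1.0 possible={admits_pre_tls10(floor)}")
```

The None case depends on the Python build and the system openssl.cnf, so its printed floor varies from host to host; the two explicit cases are fixed.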