[Pkg-openssl-devel] Bug#871987: Bug#871987: openvpn

Kurt Roeckx kurt at roeckx.be
Fri Aug 25 18:58:31 UTC 2017


On Fri, Aug 25, 2017 at 11:07:16PM +0800, Gedalya wrote:
> I tried openssl 1.1.0f-5 and it is indeed better with e.g. s_client.

After the upload I've been wondering if I should change it to
set the minimum version to 1.0 by default again.


> However, I've locally built openvpn (and pkcs11-helper) with openssl 1.1.0.
> I'm not sure whether this is a bug with openvpn or an issue with this latest
> patch to openssl, but I've tried both these settings:
> 
> tls-version-min 1.0
> tls-version-max 1.0
> 
> in an openvpn client config, connecting to an old server supporting only
> TLS 1.0, and it doesn't work. It did of course work with openssl 1.1.0f-3.
> With 1.1.0f-5, I get:

openvpn doesn't seem to make use of the
SSL_CTX_set_min_proto_version() function yet. I've attached a
patch that I didn't even try to compile that I think should do the
right thing.


Kurt

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openvpn-version.patch
Type: text/x-diff
Size: 1396 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20170825/57b3cad4/attachment-0001.patch>

