[Pkg-openssl-devel] Bug#912864: Bug#912864: openssl: new version of openssl breaks some openvpn clients

James Bottomley James.Bottomley at HansenPartnership.com
Sun Nov 4 20:49:48 GMT 2018


On Sun, 2018-11-04 at 21:30 +0100, Kurt Roeckx wrote:
> On Sun, Nov 04, 2018 at 12:13:43PM -0800, James Bottomley wrote:
> > 
> > No, I'm saying with no client tls-version-min specified at all (the
> > usual default openvpn config) it fails in 1.1.1 and works with
> > 1.1.0.
> > 
> > With client tls-version-min set to 1.0 it works with both.
> 
> Yes, and that's totally what I expected, and have been explaining.
> The 2.3.X versions only want to do TLS 1.0 unless you specify
> "tls-version-min 1.0", in which case they also do TLS 1.2.

You're implying openvpn doesn't pick up the openssl.cnf changes so I
have to set tls-version-min 1.0 in the server side configuration?  OK,
that works too.  

> So I'm failing to see what this bug report is about.

Upgrading from openssl 1.1.0 to 1.1.1 causes an openvpn
connection failure which the upgrade instructions don't fix.  It also
seems to me there are probably quite a few other openssl.cnf-blind
applications in the system which will fail in a similar fashion.

James


