[Pkg-openssl-devel] Bug#912864: Bug#912864: openssl: new version of openssl breaks some openvpn clients

Kurt Roeckx kurt at roeckx.be
Sun Nov 4 21:15:04 GMT 2018


On Sun, Nov 04, 2018 at 12:49:48PM -0800, James Bottomley wrote:
> On Sun, 2018-11-04 at 21:30 +0100, Kurt Roeckx wrote:
> > On Sun, Nov 04, 2018 at 12:13:43PM -0800, James Bottomley wrote:
> > > 
> > > No, I'm saying with no client tls-version-min specified at all (the
> > > usual default openvpn config) it fails in 1.1.1 and works with
> > > 1.1.0
> > > 
> > > With client tls-version-min set to 1.0 it works with both.
> > 
> > Yes, and that's totally what I expected, and have been explaining.
> > The 2.3.X version only wants to do TLS 1.0 unless you specify
> > "tls-version-min 1.0", in which case it also does TLS 1.2.
> 
> You're implying openvpn doesn't pick up the openssl.cnf changes so I
> have to set tls-version-min 1.0 in the server side configuration?  OK,
> that works too.  

Your client doesn't support the settings in the openssl.cfg file. Your
openvpn client by default does TLS 1.0 only. The only way for your client
to do something other than TLS 1.0 is to set the tls-version-min variable
to something. If you set it to 1.0, it will do any version
supported by the openssl library higher than 1.0.

> > So I'm failing to see what this bug report is about.
> 
> Upgrading from openssl 1.1.0 to 1.1.1 causes an openvpn
> connection failure which the upgrade instructions don't fix.  It also
> seems to me there are probably quite a few other openssl.cnf blind
> applications in the system which will fail in a similar fashion.

This is on the server side. As far as I know, changing the
openssl.cnf file should just work. openvpn in testing takes the
minimum of the openssl.cfg value and TLS 1.0. So if you set None,
it should set TLS 1.0 as minimum. I assume you don't set a minimum
tls version in your openvpn config file or on the command line.


Kurt
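A small model of the version negotiation this thread is about, added here as an example (not code from the bug report, openvpn or openssl). It assumes, as the thread describes, that the OpenVPN 2.3.x client offers TLS 1.0 only unless `tls-version-min` is set, that the server floor comes from openssl.cnf `MinProtocol` unless openvpn's own `tls-version-min` overrides it, and (an assumption not stated on the page) that Debian's openssl 1.1.1 shipped `MinProtocol = TLSv1.2` where 1.1.0 set none.

```python
"""Model of OpenVPN 2.3.x <-> server TLS version negotiation (added example).

Assumptions: the 2.3.x client offers TLS 1.0 only unless tls-version-min is
set; the server floor is openvpn's tls-version-min if given, else openssl.cnf
MinProtocol; Debian's openssl 1.1.1 defaults MinProtocol to TLSv1.2 (assumed).
"""

VERSIONS = ("TLSv1", "TLSv1.1", "TLSv1.2")   # versions the library supports here
RANK = {v: i for i, v in enumerate(VERSIONS)}

# openvpn's tls-version-min labels mapped onto OpenSSL protocol names
OPENVPN_TO_OPENSSL = {"1.0": "TLSv1", "1.1": "TLSv1.1", "1.2": "TLSv1.2"}


def client_versions(tls_version_min=None):
    """Versions a 2.3.x client offers: TLS 1.0 only, unless a floor is configured."""
    if tls_version_min is None:
        return ["TLSv1"]
    floor = OPENVPN_TO_OPENSSL[tls_version_min]
    return [v for v in VERSIONS if RANK[v] >= RANK[floor]]


def server_versions(cnf_min_protocol=None, tls_version_min=None):
    """Versions the server accepts: openvpn's setting wins, else openssl.cnf's."""
    if tls_version_min is not None:
        floor = OPENVPN_TO_OPENSSL[tls_version_min]
    elif cnf_min_protocol not in (None, "None"):
        floor = cnf_min_protocol          # e.g. "TLSv1.2" from MinProtocol
    else:
        floor = "TLSv1"                   # no floor configured anywhere
    return [v for v in VERSIONS if RANK[v] >= RANK[floor]]


def negotiate(client, server):
    """Highest version both sides allow, or None when the handshake fails."""
    common = set(client) & set(server)
    return max(common, key=RANK.__getitem__) if common else None


if __name__ == "__main__":
    # openssl 1.1.0: no MinProtocol -> old client connects with TLS 1.0
    print(negotiate(client_versions(), server_versions()))
    # openssl 1.1.1 with MinProtocol = TLSv1.2 (assumed default) -> handshake fails
    print(negotiate(client_versions(), server_versions("TLSv1.2")))
    # same server, client with "tls-version-min 1.0" -> TLS 1.2 is negotiated
    print(negotiate(client_versions("1.0"), server_versions("TLSv1.2")))
    # server side fix: MinProtocol = None in openssl.cnf lets the old client in
    print(negotiate(client_versions(), server_versions("None")))
```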
