[Pkg-openssl-devel] Bug#912864: openssl: new version of openssl breaks some openvpn clients

James Bottomley James.Bottomley at HansenPartnership.com
Fri Feb 8 01:55:59 GMT 2019


On Thu, 2019-02-07 at 22:55 +0100, Jean-Marc wrote:
> On Mon, 26 Nov 2018 23:41:13 +0100 Sebastian Andrzej Siewior
> <sebastian at breakpoint.cc> wrote:
> > On 2018-11-04 22:15:04 [+0100], Kurt Roeckx wrote:
> > > > You're implying openvpn doesn't pick up the openssl.cnf changes
> > > > so I have to set tls-version-min 1.0 in the server side
> > > > configuration?  OK, that works too.  
> > > 
> > > Your client doesn't support the settings in the openssl.cfg file.
> > > Your openvpn client by default does TLS 1.0 only. The only way
> > > for your client to do something other than TLS 1.0 is set the
> > > tls-version-min variable to something. If you set it to 1.0, it
> > > will do any version supported by the openssl library higher than
> > > 1.0.
> > 
> > James, is everything okay/clear? The tls-version-min option for the
> > older OpenVPN version should have fixed things. Is there anything
> > else or can this be considered done?
> > 
> > > Kurt
> > 
> > Sebastian
> 
> Hi James,
> 
> May I ask you if you got all the answers you needed and if it fixed
> the problem.

Yes, I said that in the initial quote: setting tls-version-min in
openssl.cnf works, and that's what I've done.  It's just unexpected
that you have to update your openvpn config files.

James