Opened 5 years ago

Closed 4 years ago

#1080 closed Feature Wish (worksforme)

OpenVPN 2.4.6-I602 tls-version-{min,max} 1.3

Reported by: joenas Owned by:
Priority: minor Milestone:
Component: Configuration Version: OpenVPN 2.4.6 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: tls 1.3
Cc: Steffan Karger, Samuli Seppänen


In the change logs in OpenVPN 2.4.5 support for TLS 1.3 in --tls-version-{min, max} is added. This change was introduced in the following mailing list by Steffan Karger.

On my windows 10 device I downloaded the latest version of OpenVPN 2.4.6. When connection to my server I use the OpenVPN GUI 11.10.0/2.4.6. With this setup I can create a succesfull connection when I specify the tls-version to be 1.2

tls-version-min 1.2
tls-version-max 1.2

(or both)

However when changing the configuration to use the tls-version-{min,max} to 1.3

tls-version-min 1.3
tls-version-max 1.3

The OpenVPN GUI 11.10.0/2.4.6 client stops with the error

Client with management interface failed.
Look at log file for more information

The log show the following information when using the tls-version-min 1.3 option:

Options error: unknown tls-version-min parameter: 1.3
Use --help for more information.

The log show the following information when using the tls-version-max 1.3 option:

Options error: unknown tls-version-max parameter: 1.3
Use --help for more information.

My question is:

1) Do you have an example of any correct Client configuration, to create an OpenVPN TLS v1.3 connection?


2) Do you have any suggestions on how I could better debug my current setup to get OpenVPN to use TLS v1.3?

Change History (6)

comment:1 Changed 5 years ago by Gert Döring

Cc: Steffan Karger Samuli Seppänen added
Keywords: tls added; ts removed
Type: Bug / DefectFeature Wish

The commit message states

commit 59dbb8602f30d278bd152a4a736c2af8345368eb
Author: Steffan Karger <steffan@…>
Date: Sun Nov 26 15:15:54 2017 +0100

Add support for TLS 1.3 in --tls-version-{min, max}

Tested with the current openssl master branch for TLS 1.3 support.

looking at I can see that OpenSSL 1.1.0 (which is what we build with, for Windows) does not have TLS 1.3 support yet. In other words, you'll need to re-build OpenVPN with a newer OpenSSL version.

Maybe we can create testing versions of the 2.4.7 installer with OpenSSL 1.1.1 - but this won't happen in the next few weeks (vacation time...)

comment:2 Changed 5 years ago by Selva Nair

As OpenSSL 1.1.1 is ABI compatible (?) with 1.1.0, it would have been sufficient to just replace the openssl library. But, unfortunately, we fix the maximum supported version at build-time based on some preprocessor variables. Probably there is no easy way to check the supported versions at run time?

comment:3 Changed 5 years ago by Gert Döring

On Windows, "just replace the openssl library" might be about as much work as "use the build system to build a new installer with 1.1.1" :-)

As for the run-time check - leaving that to Steffan

comment:5 Changed 4 years ago by Antonio Quartulli

@syzzer @cron2 it seems the issue reported in this ticket does not exist. Can we close it? Or do we want to convert it in "implement runtime check against supported tls-version" ?

comment:6 Changed 4 years ago by Steffan Karger

Resolution: worksforme
Status: newclosed

Just checked if openssl provides a suitable run-time supported versions check, but couldn't find anything.

So - at least for now - recompile it is.

I'm closing this ticket because it works fine if you recompile. If anyone wants to further investigate run time checks, feel free to open a feature request ticket.

Note: See TracTickets for help on using tickets.