Opened 6 years ago
Closed 6 years ago
#1080 closed Feature Wish (worksforme)
OpenVPN 2.4.6-I602 tls-version-{min,max} 1.3
Reported by: | joenas | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | Configuration | Version: | OpenVPN 2.4.6 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | tls 1.3 |
Cc: | Steffan Karger, Samuli Seppänen |
Description
In the change logs in OpenVPN 2.4.5 support for TLS 1.3 in --tls-version-{min, max} is added. This change was introduced in the following mailing list by Steffan Karger.
On my Windows 10 device I downloaded the latest version of OpenVPN 2.4.6. When connecting to my server I use the OpenVPN GUI 11.10.0/2.4.6. With this setup I can create a successful connection when I specify the tls-version to be 1.2
tls-version-min 1.2 or tls-version-max 1.2
(or both)
However, when changing the configuration to use the tls-version-{min,max} to 1.3
tls-version-min 1.3 or tls-version-max 1.3
The OpenVPN GUI 11.10.0/2.4.6 client stops with the error
Client with management interface failed. Look at log file for more information
The log shows the following information when using the tls-version-min 1.3 option:
Options error: unknown tls-version-min parameter: 1.3 Use --help for more information.
The log shows the following information when using the tls-version-max 1.3 option:
Options error: unknown tls-version-max parameter: 1.3 Use --help for more information.
My question is:
1) Do you have an example of any correct Client configuration, to create an OpenVPN TLS v1.3 connection?
Or
2) Do you have any suggestions on how I could better debug my current setup to get OpenVPN to use TLS v1.3?
Change History (6)
comment:1 Changed 6 years ago by
Cc: | Steffan Karger Samuli Seppänen added |
---|---|
Keywords: | tls added; ts removed |
Type: | Bug / Defect → Feature Wish |
comment:2 Changed 6 years ago by
As OpenSSL 1.1.1 is ABI compatible (?) with 1.1.0, it would have been sufficient to just replace the openssl library. But, unfortunately, we fix the maximum supported version at build-time based on some preprocessor variables. Probably there is no easy way to check the supported versions at run time?
comment:3 Changed 6 years ago by
On Windows, "just replace the openssl library" might be about as much work as "use the build system to build a new installer with 1.1.1" :-)
As for the run-time check - leaving that to Steffan
comment:4 Changed 6 years ago by
Already explained this:
https://forums.openvpn.net/viewtopic.php?f=23&t=26776#p80131
comment:5 Changed 6 years ago by
@syzzer @cron2 it seems the issue reported in this ticket does not exist. Can we close it? Or do we want to convert it into "implement runtime check against supported tls-version"?
comment:6 Changed 6 years ago by
Resolution: | → worksforme |
---|---|
Status: | new → closed |
Just checked if openssl provides a suitable run-time supported versions check, but couldn't find anything.
So - at least for now - recompile it is.
I'm closing this ticket because it works fine if you recompile. If anyone wants to further investigate run time checks, feel free to open a feature request ticket.
The commit message states
commit 59dbb8602f30d278bd152a4a736c2af8345368eb
Author: Steffan Karger <steffan@…>
Date: Sun Nov 26 15:15:54 2017 +0100
looking at https://wiki.openssl.org/index.php/TLS1.3 I can see that OpenSSL 1.1.0 (which is what we build with, for Windows) does not have TLS 1.3 support yet. In other words, you'll need to re-build OpenVPN with a newer OpenSSL version.
Maybe we can create testing versions of the 2.4.7 installer with OpenSSL 1.1.1 - but this won't happen in the next few weeks (vacation time...)
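A preflight check for the mismatch this ticket describes, as an added example that is not part of the ticket or of OpenVPN's own code: it reads the `library versions:` line of `openvpn --version` output and flags `tls-version-min`/`tls-version-max 1.3` lines when the reported OpenSSL is older than 1.1.1. The sample output, sample config and function names are constructed for illustration. It assumes that line reflects the library loaded at run time, so, given the build-time limit described in comment:2, a clean result is necessary but not sufficient.

```python
import re

# Constructed sample of `openvpn --version` output (abridged), not from the ticket.
SAMPLE_VERSION_OUTPUT = """\
OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD]
library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
"""

# Constructed client config; the host name is a placeholder.
SAMPLE_CONFIG = """\
client
remote vpn.example.net 1194
# tls-version-max 1.3
tls-version-min 1.3
"""

TLS13_MIN_OPENSSL = (1, 1, 1)  # first OpenSSL release line with TLS 1.3


def openssl_version(version_output):
    """Return (major, minor, patch) from the 'library versions:' line, or None."""
    m = re.search(r"library versions:.*?OpenSSL (\d+)\.(\d+)\.(\d+)", version_output)
    return tuple(int(x) for x in m.groups()) if m else None


def tls_version_directives(config_text):
    """Yield (line_no, option, value) for active tls-version-min/max lines."""
    for line_no, line in enumerate(config_text.splitlines(), 1):
        words = re.split(r"[#;]", line, maxsplit=1)[0].split()  # drop comments
        if len(words) >= 2 and words[0] in ("tls-version-min", "tls-version-max"):
            yield line_no, words[0], words[1]


def preflight(version_output, config_text):
    """List the config lines that ask for TLS 1.3 from a library that lacks it."""
    lib = openssl_version(version_output)
    if lib is None:
        return ["no OpenSSL version found in the version output"]
    findings = []
    for line_no, option, value in tls_version_directives(config_text):
        if value == "1.3" and lib < TLS13_MIN_OPENSSL:
            found = ".".join(map(str, lib))
            findings.append(f"line {line_no}: {option} 1.3 needs OpenSSL 1.1.1+, found {found}")
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE_VERSION_OUTPUT, SAMPLE_CONFIG):
        print(finding)
```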