Setting "tls-version-min" with its default value behaves differently from not setting it at all

[sumpfralle]

In our wireless community there are still some clients using v2.3.6.
After an upgrade of the server from v2.4.0 (Debian Stretch) to v2.4.7 (Debian Buster) older clients (v2.3.6) failed to connect with the server. Newer clients (v2.4.4) work as before.

The failure is explained by the following message on the server:

TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only

The failure can be worked around (based on the above suggestion) with setting tls-version-min 1.0 either in the client or the server configuration.

This behaviour is rather confusing, since the man page of openvpn indicates, that "1.0" is indeed the default value for "tls-version-min". Thus I am surprised, that this setting works differently when being undefined (i.e. using the default) or being explicitly set to its default value.

Maybe the man page should describe the difference between setting the value to its default and omitting it? Or maybe the effective default value in v2.4.7 is not really "1.0" anymore?

[tincantech]

CC