Opened 3 years ago

Closed 7 months ago

#1211 closed Bug / Defect (wontfix)

Setting "tls-version-min" with its default value behaves differently from not setting it at all

Reported by: sumpfralle
Owned by:
Priority: minor
Milestone:
Component: Documentation
Version:
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc: Steffan Karger


In our wireless community there are still some clients using v2.3.6.
After an upgrade of the server from v2.4.0 (Debian Stretch) to v2.4.7 (Debian Buster), older clients (v2.3.6) failed to connect to the server. Newer clients (v2.4.4) work as before.

The failure is explained by the following message on the server:

TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only

The failure can be worked around (based on the above suggestion) by setting tls-version-min 1.0 in either the client or the server configuration.

This behaviour is rather confusing, since the man page of openvpn indicates that "1.0" is indeed the default value for "tls-version-min". Thus I am surprised that this setting works differently when left undefined (i.e. using the default) and when explicitly set to its default value.

Maybe the man page should describe the difference between setting the value to its default and omitting it? Or maybe the effective default value in v2.4.7 is not really "1.0" anymore?

Change History (4)

comment:1 Changed 3 years ago by tct


comment:2 Changed 2 years ago by Gert Döring

Cc: Steffan Karger added

Looking through our git logs, this seems to be a bit complicated if OpenSSL 1.1.1 is involved, which does things differently...

commit a25a278c1ccdbfd9ca06f60f2cc4cf2436269854
Author: Steffan Karger <steffan@…>
Date: Sat Jan 20 10:42:28 2018 +0100

Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+

As described in <80e6b449-c536-dc87-7215-3693872bce5a@…> on
the openvpn-devel mailing list, --tls-version-min no longer works with
OpenSSL 1.1. Kurt Roeckx posted in a debian bug report:

"This is marked as important because if you switch to openssl 1.1.0
the defaults minimum version in Debian is currently TLS 1.2 and
you can't override it with the options that you're currently using
(and are deprecated)."

now, that patch went into 2.4.5 release - so it should fix things for Debian Buster with 2.4.7.

No idea what is really happening there. Copying in syzzer, he might know.

comment:3 Changed 7 months ago by plaisthos

The default with OpenVPN (iirc <= 2.3.7) is indeed 1.0 *only*. But using tls-version-min 1.2 then uses 1.0+, enabling TLS 1.2 too. Later versions (whose man page you probably looked at) have 1.0+ as default.

comment:4 Changed 7 months ago by plaisthos

Resolution: wontfix
Status: new → closed

I am closing this as wontfix since we will not fix the behaviour of 2.3 to be different.
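The following is an added example, not OpenVPN code and not part of this ticket. It models the version-overlap rule behind the "no common TLS version enabled" error using the behaviour stated in comment 3 (2.3.x without tls-version-min accepts TLS 1.0 only; tls-version-min N means N and newer; later releases default to 1.0+) and shows why setting tls-version-min 1.0 on either side restores the handshake. The function names, the `TLS_VERSIONS` set (1.0 to 1.2 only) and the `library_min` parameter are assumptions; `library_min="1.2"` stands in for the Debian OpenSSL 1.1 floor quoted in comment 2, which the ticket never confirmed as the actual cause.

```python
"""Model of OpenVPN tls-version-min overlap (added example, not OpenVPN code)."""
from typing import FrozenSet, Optional

# Versions negotiated by the OpenVPN builds discussed in the ticket (assumption:
# TLS 1.3 is left out because the model only needs the 1.0 / 1.0+ distinction).
TLS_VERSIONS = ("1.0", "1.1", "1.2")


def versions_from(minimum: str) -> FrozenSet[str]:
    """All versions at or above `minimum`, i.e. the 'N+' meaning of tls-version-min."""
    return frozenset(TLS_VERSIONS[TLS_VERSIONS.index(minimum):])


def effective_versions(openvpn_version: str,
                       tls_version_min: Optional[str] = None,
                       library_min: Optional[str] = None) -> FrozenSet[str]:
    """
    TLS versions one peer will accept, following the ticket's description:

    - OpenVPN 2.3.x with no tls-version-min: TLS 1.0 only (comment 3).
    - Any version with an explicit tls-version-min N: N and newer.
    - 2.4 and later with no setting: 1.0 and newer, unless the crypto library
      enforces a higher floor (`library_min`; assumption modelled on the
      Debian OpenSSL 1.1 default quoted in comment 2).
    """
    major, minor = (int(part) for part in openvpn_version.split(".")[:2])
    if tls_version_min is not None:
        return versions_from(tls_version_min)
    if (major, minor) <= (2, 3):
        return frozenset({"1.0"})
    return versions_from(library_min or "1.0")


def negotiated(client: FrozenSet[str], server: FrozenSet[str]) -> Optional[str]:
    """Highest version both sides accept, or None (the 'Unsupported protocol' case)."""
    common = client & server
    return max(common, key=TLS_VERSIONS.index) if common else None


def ticket_scenarios() -> dict:
    """Reproduce the four situations described in the ticket with a 2.4.7 server
    whose library floor is assumed to be TLS 1.2."""
    server_default = effective_versions("2.4.7", library_min="1.2")
    server_min_10 = effective_versions("2.4.7", tls_version_min="1.0", library_min="1.2")
    return {
        # 2.3.6 client, no option on either side: fails as reported
        "2.3.6 vs default server": negotiated(effective_versions("2.3.6"), server_default),
        # workaround 1: tls-version-min 1.0 on the client widens it to 1.0+
        "2.3.6 (min 1.0) vs default server": negotiated(
            effective_versions("2.3.6", tls_version_min="1.0"), server_default),
        # workaround 2: tls-version-min 1.0 on the server lowers its floor
        "2.3.6 vs server (min 1.0)": negotiated(effective_versions("2.3.6"), server_min_10),
        # 2.4.4 client already defaults to 1.0+, so it kept working
        "2.4.4 vs default server": negotiated(effective_versions("2.4.4"), server_default),
    }


if __name__ == "__main__":
    for name, result in ticket_scenarios().items():
        print(f"{name}: {result or 'TLS error: Unsupported protocol'}")
```

The model makes the asymmetry in the ticket visible: on a 2.3.x client the explicit option changes the set from {1.0} to {1.0, 1.1, 1.2}, so "setting the default" is not a no-op there, whereas on 2.4.x it only matters when the library floor is higher than 1.0.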
