I tried openssl 1.1.0f-5 and it is indeed better with e.g. s_client. However, I've locally built openvpn (and pkcs11-helper) with openssl 1.1.0. I'm not sure whether this is a bug with openvpn or an issue with this latest patch to openssl, but I've tried both these settings:
tls-version-min 1.0 tls-version-max 1.0 in an openvpn client config, connecting to an old server supporting only TLS 1.0, and it doesn't work. It did of course work with with openssl 1.1.0f-3. with 1.1.0f-5, I get: OpenSSL: error:141640BF:SSL routines:tls_construct_client_hello:no protocols available TLS_ERROR: BIO read tls_read_plaintext error TLS Error: TLS object -> incoming plaintext read error TLS Error: TLS handshake failed