On Wed, Nov 29, 2017 at 03:36:14PM +0100, Bernhard Schmidt wrote:
> Hi Kurt,
>
> Steffan has posted a patch for this that is loosely based on yours. It is
> not merged yet, comments welcome.
>
> https://sourceforge.net/p/openvpn/mailman/openvpn-devel/thread/20171126141555.25930-1-steffan%40karger.me/#msg36136873
I have some comments:

- It has:

+/* TLS Version defines are new in OpenSSL 1.1 */
+#ifndef TLS1_0_VERSION
+#define TLS1_0_VERSION 0x0301
+#endif
+#ifndef TLS1_1_VERSION
+#define TLS1_1_VERSION 0x0302
+#endif
+#ifndef TLS1_2_VERSION
+#define TLS1_2_VERSION 0x0303
+#endif

  It's TLS1_VERSION (not TLS1_0_VERSION). The defines all exist in at
  least 1.0.1, the version that added support for TLS 1.1 and 1.2.

- It calls SSL_CTX_set_min_proto_version() unconditionally, overriding
  the library default. In the 1.0.2 case SSLv2 and SSLv3 are then
  disabled, in the 1.1 case it could enable SSLv3.

- openssl_tls_version() should probably add SSL3_VERSION support.

Kurt
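Review bot: The first fallback guard in the quoted hunk uses a name OpenSSL does not define: OpenSSL's macro for TLS 1.0 is TLS1_VERSION, so `#ifndef TLS1_0_VERSION` is always true and the block always defines a name the library never uses; it only behaves because the chosen value 0x0301 happens to equal TLS1_VERSION. Use TLS1_VERSION here, and since TLS1_VERSION, TLS1_1_VERSION and TLS1_2_VERSION are already present in OpenSSL 1.0.1, the three `#ifndef` fallbacks can be dropped rather than corrected.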

