On Thu, Mar 07, 2019 at 09:35:59PM +0100, Bernhard Schmidt wrote:
> I cannot really reproduce this. OpenVPN 2.4.7 in testing successfully
> connects (in tls-client mode) to an OpenVPN 2.4.0 on Stretch.
> 
> Thu Mar  7 21:28:49 2019 Control Channel: TLSv1.2, cipher TLSv1.2
> ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
> 
> Could it be possible that your server is quite old?
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912650 suggests there
> might be an issue connecting to an OpenVPN version that only does
> TLSv1.0 by default.
> 
> > A workaround is to add "tls-version-max 1.2" to the OpenVPN config file.
> 
> If you use that workaround, what TLS version is negotiated?

Hi Bernhard,

You are absolutely correct. I had thought that the "tls-version-max 1.2"
was making it into the config file (thus resolving my issue), but it
turns out I was mistaken.

The connection is indeed being made with TLS 1.3, and it works just
fine. There seems to be a problem with the tool I use to connect, and
when executing it a different way (the way I thought was injecting the
tls-max-version), all works fine.

I'm working with the author of the tool to figure out what's going on
there, but I do believe the Debian packages are just fine.

Thanks,
Matt

Reply via email to