On Thu, Mar 07, 2019 at 09:35:59PM +0100, Bernhard Schmidt wrote: > I cannot really reproduce this. OpenVPN 2.4.7 in testing successfully > connects (in tls-client mode) to an OpenVPN 2.4.0 on Stretch. > > Thu Mar 7 21:28:49 2019 Control Channel: TLSv1.2, cipher TLSv1.2 > ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA > > Could it be possible that your server is quite old? > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912650 suggests there > might be an issue connecting to an OpenVPN version that only does > TLSv1.0 by default. > > > A workaround is to add "tls-version-max 1.2" to the OpenVPN config file. > > If you use that workaround, what TLS version is negotiated?
Hi Bernhard, You are absolutely correct. I had thought that the "tls-version-max 1.2" was making it into the config file (thus resolving my issue), but it turns out I was mistaken. The connection is indeed being made with TLS 1.3, and it works just fine. There seems to be a problem with the tool I use to connect, and when executing it a different way (the way I thought was injecting the tls-max-version), all works fine. I'm working with the author of the tool to figure out what's going on there, but I do believe the Debian packages are just fine. Thanks, Matt

