On 21.04.2014 12:42, Gert Doering wrote:
> Hi,
>
> On Mon, Apr 21, 2014 at 12:24:30PM +0200, Steffan Karger wrote:
>> On 21-04-14 09:10, James Yonan wrote:
>>> For OpenSSL, this means to use TLSv1_(client|server)_method rather
>>> than SSLv23_(client|server)_method combined with SSL_OP_NO_x flags
>>> for specific TLS versions to disable.
>> I'm not sure I understand the rationale behind this. If I don't specify
>> a minimum version, my maximum version changes to TLS 1.0? Could you
>> maybe explain the "why" for this patch?
> "turn it off!", without introducing yet another config directive (or,
> more precisely, "do not turn it on by default" if I read the patch right).
>
> There seem to be some not-yet-fully-understood combinations of OpenSSL
> library versions/library builds that will break 2.3.3 clients <-> git-master
> servers if the TLS version negotiation patch is active, so having a way
> to turn it off at run-time (if only to see if that is the problem) is
> certainly useful.

Yes. But with this patch it is always turned off, keeping OpenVPN in 99% of installations in TLS 1.0. Is there any other known case where it breaks aside from the Tomato OpenVPN client?

Arne
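The difference James describes (a fixed TLSv1_*_method that pins both ends at TLS 1.0, versus SSLv23_*_method plus SSL_OP_NO_x flags that lets the peers settle on the highest common version) is easiest to see as a floor/ceiling model of each endpoint. The example below is added here and is not OpenVPN or OpenSSL code; it uses Python's ssl module as a stand-in for the C API (PROTOCOL_TLS_CLIENT/PROTOCOL_TLS_SERVER is the SSLv23/TLS_method path, and the minimum_version/maximum_version bounds play the role the SSL_OP_NO_x flags or a fixed method play). VersionPolicy, negotiate, context_for and policy_of are hypothetical helper names; the negotiate() function is a model of the version selection, generalised to any floor/ceiling pair, not the library's own implementation.

```python
import ssl
from typing import NamedTuple, Optional

V = ssl.TLSVersion  # IntEnum: SSLv3 < TLSv1 < TLSv1_1 < TLSv1_2 < TLSv1_3


class VersionPolicy(NamedTuple):
    """Inclusive [floor, ceiling] range of protocol versions one endpoint accepts."""
    floor: ssl.TLSVersion
    ceiling: ssl.TLSVersion


# A fixed TLSv1_method() style endpoint: floor == ceiling == TLS 1.0.
# This is the state Arne describes for an OpenVPN that never enables negotiation.
PINNED_TLS10 = VersionPolicy(V.TLSv1, V.TLSv1)

# An SSLv23_method()/TLS_method() style endpoint with SSLv3 disabled via
# SSL_OP_NO_SSLv3, modelled as floor TLS 1.0 and ceiling TLS 1.2 (constructed policy).
NEGOTIATING_TLS10_TO_12 = VersionPolicy(V.TLSv1, V.TLSv1_2)


def negotiate(client: VersionPolicy, server: VersionPolicy) -> Optional[ssl.TLSVersion]:
    """Return the highest version inside both ranges, or None if they do not overlap.

    Model of the negotiated path: the real selection happens inside the TLS
    library during the handshake, but it follows the same floor/ceiling rule.
    """
    low = max(client.floor, server.floor)
    high = min(client.ceiling, server.ceiling)
    if low > high:
        return None  # no common version: the handshake fails
    return high


def context_for(policy: VersionPolicy, server_side: bool = False) -> ssl.SSLContext:
    """Build a real SSLContext that enforces the policy through min/max bounds.

    PROTOCOL_TLS_CLIENT/SERVER selects the highest mutually supported version,
    the same behaviour as OpenSSL's SSLv23_method(); the bounds then narrow it.
    """
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.minimum_version = policy.floor
    ctx.maximum_version = policy.ceiling
    return ctx


def policy_of(ctx: ssl.SSLContext) -> VersionPolicy:
    """Read the effective floor/ceiling back out of a context."""
    return VersionPolicy(ctx.minimum_version, ctx.maximum_version)


if __name__ == "__main__":
    # Both sides pinned (the default Arne objects to): TLS 1.0 forever.
    print("pinned <-> pinned     :", negotiate(PINNED_TLS10, PINNED_TLS10))
    # Both sides negotiating: highest common version wins.
    print("negotiating <-> negot.:", negotiate(NEGOTIATING_TLS10_TO_12, NEGOTIATING_TLS10_TO_12))
    # Mixed deployment: the negotiating side falls back to what the pinned peer offers.
    print("pinned <-> negotiating:", negotiate(PINNED_TLS10, NEGOTIATING_TLS10_TO_12))
    # A server whose floor is above TLS 1.0 cannot talk to a pinned TLS 1.0 client at all.
    modern = VersionPolicy(V.TLSv1_2, V.TLSv1_3)
    print("pinned <-> TLS1.2+    :", negotiate(PINNED_TLS10, modern))
    print("context bounds        :", policy_of(context_for(modern)))
```

The last case is the practical reason a run-time switch matters: once one side raises its floor, a peer that stays pinned at TLS 1.0 gets no common version, so an operator needs a way to see which policy each side is actually running before changing it.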
