On 27.10.14 22:59, Steffan Karger wrote:
> Hi,
>
> Since I had to miss the most recent IRC meeting, I'll just put this on
> the mailing list.
>
> OpenVPN has used TLSv1.0 exclusively for a long time. A few months ago,
> TLS version negotiation was added for OpenSSL builds (PolarSSL builds
> already had version negotiation), but that triggered quite some problems
> for our users. For example, our cryptoapi implementation doesn't support
> TLSv1.2 and some external PKCS#11 libraries and tokens refuse to create
> TLSv1.2 signatures (which we can't fix ourselves).
>
> To ease the transition, while we and external vendors fix the various
> problems, I propose to add an option '--tls-version-max', similar to the
> current '--tls-version-min'. That will enable users to e.g. use TLSv1.1
> on the clients that won't work with 1.2. At least for one of the
> problematic setups I encountered, this was a nice way out.
>
> Attached are two patches that do just that for the 2.3 and master branches.
>
> Of course this should not stop us from fixing problems with TLSv1.2 (at
> least the problems we actually can fix...).

ACK. TLS 1.0-1.1 is better than TLS 1.0 only because TLS 1.2 does not work.

I think if this gets committed cryptoapicert should set max-tls-version to 1.1 and warn accordingly.

Arne

-- 
Arne Schwabe, M.Sc. - http://www.uni-paderborn.de/cs/cn/
Computer Science, University of Paderborn, Germany, +49 5251 60-1756
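The clamp-and-warn behaviour suggested above, modelled as an added illustration in C (this is not OpenVPN's code; the option struct, `TLS_NONE` sentinel and function names are assumptions): with cryptoapicert in use the maximum is capped at 1.1 with a warning, and negotiation then picks the highest version inside both the local `--tls-version-min`/`--tls-version-max` window and the peer's, returning `TLS_NONE` when the resulting window is empty.

```c
#include <stdio.h>

/* TLS versions ordered numerically; TLS_NONE means "no acceptable version". */
enum tls_ver { TLS_NONE = 0, TLS_1_0 = 10, TLS_1_1 = 11, TLS_1_2 = 12 };

/* Hypothetical view of the relevant options (not OpenVPN's real struct). */
struct tls_opts {
    enum tls_ver version_min;  /* --tls-version-min */
    enum tls_ver version_max;  /* proposed --tls-version-max */
    int use_cryptoapicert;     /* --cryptoapicert, which cannot do TLSv1.2 signatures */
};

/* Cap the maximum at 1.1 when cryptoapicert is in use, and warn about it.
 * Returns 1 if the cap changed the configuration, 0 otherwise. */
int apply_cryptoapicert_cap(struct tls_opts *o)
{
    if (o->use_cryptoapicert && o->version_max > TLS_1_1) {
        fprintf(stderr, "WARNING: --cryptoapicert does not support TLSv1.2, "
                        "limiting --tls-version-max to 1.1\n");
        o->version_max = TLS_1_1;
        return 1;
    }
    return 0;
}

/* Highest version inside both our [min,max] window and the peer's window.
 * TLS_NONE if the windows do not overlap or min is above max locally. */
enum tls_ver negotiate_version(const struct tls_opts *o,
                               enum tls_ver peer_min, enum tls_ver peer_max)
{
    if (o->version_min > o->version_max)
        return TLS_NONE;  /* --tls-version-min above --tls-version-max */
    enum tls_ver hi = o->version_max < peer_max ? o->version_max : peer_max;
    enum tls_ver lo = o->version_min > peer_min ? o->version_min : peer_min;
    return hi >= lo ? hi : TLS_NONE;
}

/* Convenience wrapper: build the options, apply the cap, negotiate. */
enum tls_ver negotiate_with(enum tls_ver min, enum tls_ver max, int capi,
                            enum tls_ver peer_min, enum tls_ver peer_max)
{
    struct tls_opts o = { min, max, capi };
    apply_cryptoapicert_cap(&o);
    return negotiate_version(&o, peer_min, peer_max);
}
```

Note that a cryptoapicert client configured with `--tls-version-min 1.2` ends up with an empty window after the cap, so the warning is what tells the user why the handshake can never succeed.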