Hi,

this breaks *all* client connects on my server testbed. No matter if 2.2 or 2.5 client, when building with mbedtls (2.28.7), the resulting binary refuses ALL incoming connections with

Jun 19 10:21:44 gentoo tap-udp-p2mp[1723]: 2001:608:0:814::f000:16 tls_version_to_ssl_version: invalid or unsupported TLS version 1
Jun 19 10:21:44 gentoo tap-tcp-p2p[1770]: tls_version_to_ssl_version: invalid or unsupported TLS version 1
Jun 19 10:21:59 gentoo tun-tcp-p2mp[1708]: tls_version_to_ssl_version: invalid or unsupported TLS version 1
Jun 19 10:22:32 gentoo tun-udp-p2mp[1713]: 194.97.140.21:49229 tls_version_to_ssl_version: invalid or unsupported TLS version 2
Jun 19 10:23:05 gentoo tun-udp-p2mp-topology-subnet[1718]: 194.97.140.21:45789 tls_version_to_ssl_version: invalid or unsupported TLS version 1
Jun 19 10:24:11 gentoo tun-udp-p2mp-fragment[1746]: 194.97.140.21:14517 tls_version_to_ssl_version: invalid or unsupported TLS version 1
Jun 19 10:44:49 gentoo tun-udp-p2mp-112-mask[1741]: 194.97.140.21:42810 tls_version_to_ssl_version: invalid or unsupported TLS version 1

so my guess would be that on mbedTLS builds that *do* support 1.1/1.2, incoming client connects with 1.1/1.2 cause "something to get upset" in the TLS version printer.

Sorry for not testing this more thoroughly before merging.

gert

On Tue, Jun 18, 2024 at 06:30:05PM +0200, Gert Doering wrote:
> Mildly tested via GHA builds.
>
> Not sure we want this in release/2.6 - I tend to "not", because it might
> break someone's (non-recommended) setup...
>
> Your patch has been applied to the master branch.
>
> commit 013c119af96bc57c41e04e4a8f64b5d80e2e9ba6
> Author: Max Fillinger
> Date:   Tue Jun 18 14:02:19 2024 +0200
>
>     mbedtls: Remove support for old TLS versions
>
>     Signed-off-by: Max Fillinger <maximilian.fillin...@foxcrypto.com>
>     Acked-by: Arne Schwabe <arne-open...@rfc2549.org>
>     Message-Id: <20240618120219.5053-1-g...@greenie.muc.de>
>     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28773.html
>     Signed-off-by: Gert Doering <g...@greenie.muc.de>
>
>
> --
> kind regards,
>
> Gert Doering
>
>
>
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>

--
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de