Hi, On Wed, Jun 19, 2024 at 01:38:46PM +0000, Maximilian Fillinger wrote: > I *think* I reproduced the problem you're encountering. > > If I put > > setenv opt tls-version-min 1.0 > > in the server config, then *every* connection attempt will trigger a fatal > error in the server. Doesn't matter what TLS versions the client supports. > > If I put that option into the client config, the client will exit with an > error during startup. > > It's not clear to me what the expected behavior is when tls-version-min is an > unsupported version, but if it's an error, it should happen during start-up.
I would argue for
- we log "minimum supported version is 1.2" and go on
or
- we log "minimum supported version is 1.2" and exit
both is acceptable. It will break people's setups in different ways,
though... the first will pretend all is well, and older clients can no
longer connect, while the second one will break everything, so making it
more obvious.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de
signature.asc
Description: PGP signature
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
