Hi,

On Wed, Jun 19, 2024 at 01:38:46PM +0000, Maximilian Fillinger wrote:
> I *think* I reproduced the problem you're encountering.
>
> If I put
>
>   setenv opt tls-version-min 1.0
>
> in the server config, then *every* connection attempt will trigger a fatal
> error in the server. Doesn't matter what TLS versions the client supports.
>
> If I put that option into the client config, the client will exit with an
> error during startup.
>
> It's not clear to me what the expected behavior is when tls-version-min is an
> unsupported version, but if it's an error, it should happen during start-up.

I would argue for

 - we log "minimum supported version is 1.2" and go on

or

 - we log "minimum supported version is 1.2" and exit

Both are acceptable.  It will break people's setups in different ways,
though... the first will pretend all is well, and older clients can no
longer connect, while the second one will break everything, so making
it more obvious.

gert
-- 
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel