Hi,

On Wed, Jun 19, 2024 at 01:38:46PM +0000, Maximilian Fillinger wrote:
> I *think* I reproduced the problem you're encountering.
> 
> If I put
> 
> setenv opt tls-version-min 1.0
> 
> in the server config, then *every* connection attempt will trigger a fatal 
> error in the server. Doesn't matter what TLS versions the client supports.
> 
> If I put that option into the client config, the client will exit with an 
> error during startup.
> 
> It's not clear to me what the expected behavior is when tls-version-min is an 
> unsupported version, but if it's an error, it should happen during start-up.

I would argue for

 - we log "minimum supported version is 1.2" and go on

or 

 - we log "minimum supported version is 1.2" and exit

both are acceptable.  It will break people's setups in different ways,
though...  the first will pretend all is well, and older clients can no
longer connect, while the second one will break everything, so making it
more obvious.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
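The two behaviours Gert weighs above (log and carry on with the library's floor, or log and refuse to start) are easy to model as a start-up check. The following is an added illustration, not OpenVPN's own code: it parses a `tls-version-min` line (including the `setenv opt` prefix used in the thread), compares it with an assumed library minimum of TLS 1.2, and applies either policy. The `clamp`/`exit` policy names, `LIBRARY_MIN_SUPPORTED` and the sample config are constructed for this example.

```python
"""Start-up validation of a 'tls-version-min' setting.

Added illustration, not OpenVPN code: it models the two policies discussed
in the thread (log and raise the floor, or log and refuse to start) when the
configured minimum is lower than what the TLS library still supports.
"""
import logging

log = logging.getLogger("tls-version-min")

# Protocol versions in increasing order; the list index gives a comparable rank.
TLS_VERSIONS = ["1.0", "1.1", "1.2", "1.3"]

# Assumption for this example: the host's OpenSSL accepts nothing below 1.2.
LIBRARY_MIN_SUPPORTED = "1.2"


class ConfigError(Exception):
    """Raised by the 'exit' policy when the configuration cannot be honoured."""


def parse_tls_version_min(config_lines):
    """Return the version given by 'tls-version-min X', or None if absent.

    A 'setenv opt ' prefix (used so that builds without the option ignore it)
    is stripped before matching; '#' comments are ignored.
    """
    for raw in config_lines:
        line = raw.split("#", 1)[0].strip()
        if line.startswith("setenv opt "):
            line = line[len("setenv opt "):].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "tls-version-min":
            version = parts[1]
            if version not in TLS_VERSIONS:
                raise ConfigError(f"tls-version-min: unknown version {version!r}")
            return version
    return None


def effective_tls_version_min(config_lines, library_min=LIBRARY_MIN_SUPPORTED,
                              policy="clamp"):
    """Validate the configured floor against the library once, at start-up.

    policy="clamp": log and continue with library_min (first option in the thread).
    policy="exit":  log and raise ConfigError (second option in the thread).
    Returns the floor actually in effect.
    """
    configured = parse_tls_version_min(config_lines)
    if configured is None:
        return library_min
    if TLS_VERSIONS.index(configured) >= TLS_VERSIONS.index(library_min):
        return configured
    msg = (f"tls-version-min {configured} is not available; "
           f"minimum supported version is {library_min}")
    if policy == "clamp":
        log.warning("%s, continuing with %s", msg, library_min)
        return library_min
    if policy == "exit":
        log.error("%s, refusing to start", msg)
        raise ConfigError(msg)
    raise ValueError(f"unknown policy {policy!r}")


def startup_aborts(config_lines, library_min=LIBRARY_MIN_SUPPORTED):
    """True if the 'exit' policy would refuse to start with this config."""
    try:
        effective_tls_version_min(config_lines, library_min, policy="exit")
    except ConfigError:
        return True
    return False


# Constructed sample config reproducing the thread's scenario.
SAMPLE_SERVER_CONFIG = [
    "port 1194",
    "setenv opt tls-version-min 1.0   # below what this OpenSSL supports",
    "cipher AES-256-GCM",
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(effective_tls_version_min(SAMPLE_SERVER_CONFIG, policy="clamp"))
    print("exit policy aborts start-up:", startup_aborts(SAMPLE_SERVER_CONFIG))
```

Either way the check runs once at start-up rather than on every handshake, which is the point Maximilian raised: a floor the library cannot provide should be reported before the first client connects, not as a per-connection fatal error.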


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
