Hi,

On 16/04/15 17:08, Chris Ross wrote:
>> On Apr 16, 2015, at 10:44, Jan Just Keijser <janj...@nikhef.nl> wrote:
>> this is important info - openssl 0.9.9. is fairly old, but still supported
>> by OpenVPN; however, it seems that the default cipher chosen by your openssl
>> lib is an SSLv2 one.
> Great info! Thanks again much for all of your help…
>
>> Can you try adding the flag
>>   tls-version-min 1
>> to the server config?
> Not with openvpn 2.3.6, it seems:
>
> Apr 16 10:47:11 bifröst openvpn[6175]: Options error: unknown tls-version-min parameter: 1
>
> Using "1.0" parses, but doesn't fix the problem. Same results. Trying
> 1.1 or 1.2 produce the same "unknown tls-version-min parameter" error on
> startup.

that actually makes sense; I thought the parameter "1" would default to TLSv1; TLS v1.1 and v1.2 are not supported in OpenSSL 0.99 hence those options are not accepted.

>> Alternatively, upgrade openssl to 1.0.1 on the server side. You can link
>> openvpn against a custom version of OpenSSL so you won't have to upgrade the
>> system library.
> Hmm. I don't _want_ to have two openssl libraries on the system, but it
> is something I can do if needed. Anything else I can try to manually specify
> a TLS cipher on the server side, first?
>
>

I don't know - it's not really a TLS cipher that you want, but a TLSv1 connection - the nomenclature is overloaded, however. It does look like a bug in your local openssl lib, as openvpn 2.3.6 works fine with TLSv1 on CentOS 5, which still uses openssl 0.9.8. You can also build and link openvpn statically against an OpenSSL (or even PolarSSL) library so that you would not have a second openssl.so file lying around.

I don't think there are any other options to force a TLSv1 connection in OpenVPN, but I hope someone can correct me on this.

HTH,

JJK
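
Added example (not part of the original message, and not OpenVPN code): a shell pre-flight check that tells apart the two causes of the "unknown tls-version-min parameter" error seen in this thread. It assumes the value must be written as 1.0, 1.1 or 1.2, that OpenVPN accepts only versions the OpenSSL it was built against offers, and that TLS 1.1/1.2 arrived in OpenSSL 1.0.1; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not OpenVPN code. Function names and sample data are constructed.

# Print the highest TLS version an OpenSSL release offers, limited to the
# values discussed in this thread (1.0, 1.1, 1.2).
# Assumption: TLS 1.1 and 1.2 support arrived in OpenSSL 1.0.1.
max_tls_for_openssl() {
    ver=$(printf '%s' "$1" | sed 's/[a-z].*$//')   # 1.0.1e -> 1.0.1
    old_ifs=$IFS; IFS=.
    set -- $ver                                    # split into major minor patch
    IFS=$old_ifs
    n=$(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
    if [ "$n" -ge 10001 ]; then echo 1.2; else echo 1.0; fi
}

# Read an OpenVPN config on stdin and print its tls-version-min value, if any.
config_tls_min() {
    awk '$1 == "tls-version-min" { print $2; exit }'
}

# explain_tls_min VALUE OPENSSL_VERSION
# Prints one of: ok | bad-syntax | unsupported-by-library
explain_tls_min() {
    case "$1" in
        1.0|1.1|1.2) ;;
        *) echo bad-syntax; return ;;              # e.g. a bare "1"
    esac
    max=$(max_tls_for_openssl "$2")
    # Compare the digit after "1.": 1.0 -> 0, 1.2 -> 2.
    if [ "${1#1.}" -le "${max#1.}" ]; then
        echo ok
    else
        echo unsupported-by-library
    fi
}

# Constructed server config fragment.
sample_config='port 1194
proto udp
tls-version-min 1.1'

value=$(printf '%s\n' "$sample_config" | config_tls_min)
for lib in 0.9.8 1.0.1e; do
    echo "tls-version-min $value, OpenSSL $lib: $(explain_tls_min "$value" "$lib")"
done
```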