On Sun, 2018-11-04 at 21:30 +0100, Kurt Roeckx wrote: > On Sun, Nov 04, 2018 at 12:13:43PM -0800, James Bottomley wrote: > > > > No, I'm saying with no client tls-version-min specified at all (the > > usual default openvpn config) it fails in 1.1.1 and works with > > 1.1.0 > > > > With client tls-version-min set to 1.0 it works with both. > > Yes, and that's totally what I expected, and have been explaining. > The 2.3.X version only want to do TLS 1.0 unless you specify > "tls-version-min 1.0", in which case they also do TLS 1.2.
You're implying openvpn doesn't pick up the openssl.cnf changes so I have to set tls-version-min 1.0 in the server side configuration? OK, that works too. > So I'm failing to see what this bug report is about. When you upgrade from openssl 1.1.0 to 1.1.1 causes an openvpn connection failure which the upgrade instructions don't fix. It also seems to me there are probably quite a few other openssl.cnf blind applications in the system which will fail in a similar fashion. James
