Hi, On Sun, Aug 18, 2013 at 01:37:15PM +0200, Arne Schwabe wrote: > Am 24.06.13 01:04, schrieb James Yonan: > >This is the TLS versioning patch as discussed in last Thursday's IRC > >meeting. [..] > OpenVPN for Android already ships this change and there seem some > incompatibility. I have a report from a user which reports that against > his OpenVPN server (Tomato Router Firmware - OpenVPN 2.2.2):
So if I understand the issue right, it's caused by OpenSSL 0.96 on the
server side (which is ancient, but obviously still shipping).
I think we have three options now, and need to decide
- tell users "this is how it is, your server side is a gaping security
hole due to ancient OpenSSL (do we have facts to back that?), get
your server upgraded!"
- not overly nice, especially if the user has no real control about
what router firmware bundlers ship
- back out the change
- I'd rather not do that, as 2.3.x will be around for a long time, and
we *want* to be able to use higher TLS versions if possible
- introduce a new option
--talking-to-old-server-disable-tls-nego-yes-stupid-I-know
that will run-time disable TLS negotiation, falling back to the old
code path that only does TLS 1.0
- while making our code even more complex and adding even more option,
this would give us "higher TLS version" security, and a knob to get
back compatibility for those setups where OpenSSL on either side
is too broken to handle TLS 1.1 or 1.2
- we could name this option "--tls-max-version", to complement the
existing --tls-min-version option to leave negotiation enabled, but
set bounds - from some other project, I have learned that there are
combinations of OpenSSL versions where TLS 1.0 and 1.1 negotiate
fine, but 1.2 fails (just hangs) - so that might be a more clean
approach. Add big warning to the log if used .-)
I can neither comment on the problem nor write the code, so I can only
try to get the discussion going to fix this.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany [email protected]
fax: +49-89-35655025 [email protected]
pgpN2T96fEhzL.pgp
Description: PGP signature
