author: James Yonan <james@openvpn.net> 2014-04-28 22:52:11 +0200
committer: Gert Doering <gert@greenie.muc.de> 2014-04-30 10:23:18 +0200
commit: a291825f7145679e6d1806029290402d0430b465 (patch)
tree: dfccebaffa3786f7bb4b322ca84b83d878d6bca8 /doc
parent: d08a6a94e14a73b62603500b9a1a89cb9ec5cb2f (diff)
When tls-version-min is unspecified, revert to original versioning approach.
For OpenSSL, this means to use TLSv1_(client|server)_method rather than SSLv23_(client|server)_method combined with SSL_OP_NO_x flags for specific TLS versions to disable. For PolarSSL, this means to implicitly control the TLS version via allowed ciphersuites.

Point out off-by-default-now setting in the openvpn(8) man page.

This patch is only included in the release/2.3 branch, because it's a stopgap measure. 2.4 will have it on-by-default, when the remaining handshake problems are fully debugged and solved.

Signed-off-by: James Yonan <james@openvpn.net>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: James Yonan <james@openvpn.net>
Message-Id: <535EC5FE.6060302@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8665
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'doc')
-rw-r--r--  doc/openvpn.8  8
1 files changed, 7 insertions, 1 deletions
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 7a33f8a..ec56030 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4275,12 +4275,18 @@ above).
.\"*********************************************************
.TP
.B \-\-tls-version-min version ['or-highest']
-Sets the minimum
+Enable TLS version negotiation, and set the minimum
TLS version we will accept from the peer (default is "1.0").
Examples for version
include "1.0", "1.1", or "1.2". If 'or-highest' is specified
and version is not recognized, we will only accept the highest TLS
version supported by the local SSL implementation.
+
+If this options is not set, the code in OpenVPN 2.3.4 will default
+to using TLS 1.0 only, without any version negotiation. This reverts
+the beaviour to what OpenVPN versions up to 2.3.2 did, as it turned
+out that TLS version negotiation can lead to handshake problems due
+to new signature algorithms in TLS 1.2.
.\"*********************************************************
.TP
.B \-\-pkcs12 file
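Review bot: the new paragraph added after the "or-highest" sentence carries two typos that will ship in the rendered man page: "If this options is not set" should read "If this option is not set", and "beaviour" should be "behaviour". Since the same paragraph is what tells administrators that leaving --tls-version-min unset pins the handshake to TLS 1.0 with no negotiation, it would also help to state the consequence plainly, e.g. "To accept TLS 1.1 or 1.2 from peers, set this option explicitly", so the security-relevant default is not only implied; the existing first sentence still reads "(default is "1.0")", which applies only once the option is given, and a short clause making that distinction explicit would avoid readers taking the two defaults to mean the same thing.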