| author | James Yonan <james@openvpn.net> | 2014-04-28 22:52:11 +0200 |
|---|---|---|
| committer | Gert Doering <gert@greenie.muc.de> | 2014-04-30 10:23:18 +0200 |
| commit | a291825f7145679e6d1806029290402d0430b465 (patch) | |
| tree | dfccebaffa3786f7bb4b322ca84b83d878d6bca8 /doc | |
| parent | d08a6a94e14a73b62603500b9a1a89cb9ec5cb2f (diff) | |
| download | openvpn-a291825f7145679e6d1806029290402d0430b465.tar.gz, openvpn-a291825f7145679e6d1806029290402d0430b465.tar.xz, openvpn-a291825f7145679e6d1806029290402d0430b465.zip | |
When tls-version-min is unspecified, revert to original versioning approach.

For OpenSSL, this means to use TLSv1_(client|server)_method rather
than SSLv23_(client|server)_method combined with SSL_OP_NO_x flags
for specific TLS versions to disable.

For PolarSSL, this means to implicitly control the TLS version via allowed
ciphersuites.

Point out off-by-default-now setting in the openvpn(8) man page.

This patch is only included in the release/2.3 branch, because it's a
stopgap measure. 2.4 will have it on-by-default, when the remaining
handshake problems are fully debugged and solved.

Signed-off-by: James Yonan <james@openvpn.net>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: James Yonan <james@openvpn.net>
Message-Id: <535EC5FE.6060302@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8665
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'doc')

| -rw-r--r-- | doc/openvpn.8 | 8 |
|---|---|---|

1 files changed, 7 insertions, 1 deletions
diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 7a33f8a..ec56030 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4275,12 +4275,18 @@ above). .\"********************************************************* .TP .B \-\-tls-version-min version ['or-highest'] -Sets the minimum +Enable TLS version negotiation, and set the minimum TLS version we will accept from the peer (default is "1.0"). Examples for version include "1.0", "1.1", or "1.2". If 'or-highest' is specified and version is not recognized, we will only accept the highest TLS version supported by the local SSL implementation. + +If this options is not set, the code in OpenVPN 2.3.4 will default +to using TLS 1.0 only, without any version negotiation. This reverts +the beaviour to what OpenVPN versions up to 2.3.2 did, as it turned +out that TLS version negotiation can lead to handshake problems due +to new signature algorithms in TLS 1.2. .\"********************************************************* .TP .B \-\-pkcs12 file |
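Review bot: the added paragraph in the --tls-version-min entry has two typos that will ship in the man page: "If this options is not set" should read "If this option is not set", and "beaviour" should read "behaviour". The same paragraph also leaves the entry internally inconsistent: the first sentence still says the minimum version "default is "1.0"", which reads as if negotiation happens by default, while the new text says that without the option 2.3.4 does no negotiation at all and speaks TLS 1.0 only. Suggest stating the consequence plainly for operators, e.g. "To accept TLS 1.1 or 1.2 with OpenVPN 2.3.4, --tls-version-min must be given explicitly", and, since the commit message says 2.4 will turn negotiation on by default, noting in the man page that this default is specific to the 2.3 branch so the TLS 1.0-only behaviour is not mistaken for a permanent decision.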