| Field | Value | Date |
|---|---|---|
| author | Steffan Karger <steffan@karger.me> | 2015-03-10 20:26:45 +0100 |
| committer | Gert Doering <gert@greenie.muc.de> | 2015-04-13 21:32:00 +0200 |
| commit | 8dc6ed28941cb9b9167e0b466e96b5f11359eb59 (patch) | |
| tree | f07d779696e31f53a852779a832d5d3fea44d1dc /src/openvpn/options.c | |
| parent | c7f3fd9c603bfd9cef600316d5e76210e6cf54a7 (diff) | |
| download | openvpn-8dc6ed28941cb9b9167e0b466e96b5f11359eb59.tar.gz openvpn-8dc6ed28941cb9b9167e0b466e96b5f11359eb59.tar.xz openvpn-8dc6ed28941cb9b9167e0b466e96b5f11359eb59.zip | |
Re-enable TLS version negotiation by default
Re-enable TLS version negotiation by default, so that users benefit from the stronger and better crypto of TLSv1.1 and TLSv1.2, without having to add 'tls-version-min' to their config files.

We tried this before in 2.3.3, but got various reports of people no longer being able to connect. Back then, we did not have a way for users to control the TLS version. We now have --tls-version-min and --tls-version-max, and even automatically set --tls-version-max to 1.1 if --cryptoapi is used, because the cryptoapi code is incompatible with TLS 1.2.

To make sure users can fall back to the _exact_ old default behaviour, not only limit the TLS version to 1.0 if --tls-version-max 1.0 is set, but also keep using the API calls TLSv1_{client,server}_method(), instead of the ones that support negotiation (SSLv23_{client,server}_method()). (Yes, the naming is awkward, but 'SSLv23' really means 'enable negotiation' in OpenSSL-API language.)
This patch is for the release/2.3 branch only.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Matthias Andree <matthias.andree@gmx.de>
Message-Id: <1426015605-4068-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9542
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/options.c')
0 files changed, 0 insertions, 0 deletions
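The commit message above describes a small policy: negotiate over TLS 1.0 to 1.2 by default, cap the maximum at 1.1 when --cryptoapi is in use, and fall back to the fixed TLSv1_*_method() calls only when --tls-version-max 1.0 is set explicitly. The following C program is an added model of that policy and of what a version-negotiating handshake then yields between two peers; it is not OpenVPN's or OpenSSL's code. The `tls_opts` struct, the `resolve_tls_range` and `negotiate` functions, and the decision to reject a configuration whose minimum exceeds its (possibly capped) maximum are all this model's own assumptions, not behaviour the commit documents.

```c
#include <stdio.h>
#include <stdbool.h>

/* Protocol versions named as in --tls-version-min / --tls-version-max. */
enum tls_ver { TLS_NONE = 0, TLS_1_0 = 10, TLS_1_1 = 11, TLS_1_2 = 12 };

/* OpenSSL method family, as the commit message describes the choice:
 * TLSv1_{client,server}_method() pins 1.0; SSLv23_*_method() negotiates. */
enum ssl_method { METHOD_NONE = 0, METHOD_TLSV1_FIXED, METHOD_SSLV23_NEGOTIATE };

/* Hypothetical option set constructed for this model (not OpenVPN's struct options). */
struct tls_opts {
    int ver_min;     /* --tls-version-min, TLS_NONE if not given */
    int ver_max;     /* --tls-version-max, TLS_NONE if not given */
    bool cryptoapi;  /* --cryptoapi in use */
};

struct tls_range {
    int lo, hi;              /* effective accepted versions, inclusive */
    enum ssl_method method;  /* METHOD_NONE if the options contradict each other */
};

/* Resolve options into the version range a peer will accept. Rules taken from
 * the commit message: default is negotiation over 1.0..1.2; --cryptoapi caps
 * the maximum at 1.1; --tls-version-max 1.0 restores the pre-negotiation
 * TLSv1_*_method() behaviour. Rejecting min > max is this model's choice. */
struct tls_range resolve_tls_range(struct tls_opts o)
{
    struct tls_range r;
    r.lo = o.ver_min ? o.ver_min : TLS_1_0;
    r.hi = o.ver_max ? o.ver_max : TLS_1_2;
    if (o.cryptoapi && r.hi > TLS_1_1)
        r.hi = TLS_1_1;                      /* automatic --tls-version-max 1.1 */
    if (r.lo > r.hi) {
        r.lo = r.hi = TLS_NONE;              /* contradictory options (model's choice) */
        r.method = METHOD_NONE;
        return r;
    }
    r.method = (o.ver_max == TLS_1_0) ? METHOD_TLSV1_FIXED : METHOD_SSLV23_NEGOTIATE;
    return r;
}

/* Outcome of a handshake between two resolved ranges: the highest version both
 * sides accept, or TLS_NONE when the ranges do not overlap (connection fails). */
int negotiate(struct tls_range client, struct tls_range server)
{
    if (client.method == METHOD_NONE || server.method == METHOD_NONE)
        return TLS_NONE;
    int lo = client.lo > server.lo ? client.lo : server.lo;
    int hi = client.hi < server.hi ? client.hi : server.hi;
    return hi >= lo ? hi : TLS_NONE;
}

static const char *ver_name(int v)
{
    switch (v) {
    case TLS_1_0: return "TLSv1.0";
    case TLS_1_1: return "TLSv1.1";
    case TLS_1_2: return "TLSv1.2";
    default:      return "handshake fails";
    }
}

int main(void)
{
    /* Constructed scenarios: default options, the explicit old behaviour,
     * a --cryptoapi client, and a client that insists on TLS 1.2. */
    struct tls_range def   = resolve_tls_range((struct tls_opts){ 0, 0, false });
    struct tls_range old   = resolve_tls_range((struct tls_opts){ 0, TLS_1_0, false });
    struct tls_range capi  = resolve_tls_range((struct tls_opts){ 0, 0, true });
    struct tls_range min12 = resolve_tls_range((struct tls_opts){ TLS_1_2, 0, false });

    printf("default client   <-> default server : %s\n", ver_name(negotiate(def, def)));
    printf("default client   <-> max 1.0 server : %s\n", ver_name(negotiate(def, old)));
    printf("cryptoapi client <-> default server : %s\n", ver_name(negotiate(capi, def)));
    printf("min 1.2 client   <-> max 1.0 server : %s\n", ver_name(negotiate(min12, old)));
    return 0;
}
```

The last scenario is the defender's trade-off the commit message hints at: raising --tls-version-min buys stronger crypto but turns a peer pinned to the old TLSv1_*_method() behaviour into a failed handshake, so the floor should be raised on both ends together.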