Hi,
On Tue, Apr 21, 2020 at 2:27 PM Bernhard Schmidt <be...@birkenwald.de> wrote:

> On 21.04.20 at 12:18, Arne Schwabe wrote:
> > Hi,
> >
> >>> I am attaching my /etc/ssl/openssl.cnf (if for some reason it fails, I will
> >>> paste the contents instead). As far as I know, this is the default
> >>> /etc/ssl/openssl.cnf file that comes with Debian, except the "MinProtocol"
> >>> parameter, which I had to change for one specific VPN to work (it was using
> >>> TLSv1.0 instead of TLSv1.2).
> >>
> >> It seems that the culprit is the (non-default) setting MinProtocol = TLSv1.0,
> >> which I had to modify to be able to use a specific VPN server. Changing the
> >> value to "MinProtocol = TLSv1.2" does not produce the error anymore.
> >
> > Sidenote. That MinProtocol = TLSv1.0 is wrong. It needs to be
> > MinProtocol = TLSv1 for obvious reasons :P
> >
> > Anyway here is a patch that fixes the problem of not loading
> > certificates: https://patchwork.openvpn.net/patch/1095/
>
> Cool, thanks.
>
> Jonas, can you test that "MinProtocol = TLSv1" works? Do you need a
> test-build for 2.4.9 with that patch applied?
>

I tried with my OpenVPN installation, with no patch, but using the correct value "TLSv1" instead of TLSv1.0 (which OpenSSL and OpenVPN previously accepted as valid, probably being lax about the syntax), and I cannot reproduce the issue anymore. That is, I can connect with my certificate even if using "MinProtocol = TLSv1" instead of "MinProtocol = TLSv1.2".

Anyway, if you want me to try a patched test-build, I would be happy to (and I would prefer that, as I can do that quickly, but it would take a bit more time to prepare a build environment to build the package myself).

> Bernhard
>

Thanks,
Jonas.
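
Added example, not part of the original message and not OpenVPN or OpenSSL code: a small linter for the situation discussed in this thread. It flags a `MinProtocol`/`MaxProtocol` value such as `TLSv1.0` that is not one of the names documented in SSL_CONF_cmd(3), and reports a `MinProtocol` below an assumed policy floor of TLSv1.2. The function name, the `floor` parameter and the sample config are constructed for illustration.

```python
import re

# Names documented for MinProtocol/MaxProtocol in the SSL_CONF_cmd(3) manual page.
TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
VALID_NAMES = set(TLS_ORDER) | {"None", "DTLSv1", "DTLSv1.2"}

SECTION_RE = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]")
BOUND_RE = re.compile(r"^\s*(MinProtocol|MaxProtocol)\s*=\s*(.*?)\s*$")

def check_protocol_bounds(cnf_text, floor="TLSv1.2"):
    """Return (lineno, section, key, value, problem) for each suspicious line.

    floor is a hypothetical policy setting, not an OpenSSL option.
    """
    findings = []
    section = "default"
    for lineno, raw in enumerate(cnf_text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        m = BOUND_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if value not in VALID_NAMES:
            problem = "unknown protocol name"
        elif key == "MinProtocol" and value == "None":
            problem = "no lower bound"
        elif (key == "MinProtocol" and value in TLS_ORDER
              and TLS_ORDER.index(value) < TLS_ORDER.index(floor)):
            problem = "below policy floor " + floor
        else:
            continue
        findings.append((lineno, section, key, value, problem))
    return findings

# Constructed sample modelled on the setting quoted in the thread.
SAMPLE = """\
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.0   # value from the thread
"""

if __name__ == "__main__":
    for finding in check_protocol_bounds(SAMPLE):
        print(finding)
```
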