author | Antonio Quartulli | 2021-09-13 21:29:29 +0200 |
---|---|---|
committer | Gert Doering | 2021-09-21 13:24:26 +0200 |
commit | 968569f83b1561ea4dff5b8b1f0d7768e2a18e69 (patch) | |
tree | fc057b453dcaa2142e823037c822782bd0f2d374 /Changes.rst | |
parent | cdef503b646087f9284b53e01c64988c98879c36 (diff) | |
Set TLS 1.2 as minimum by default
Do not accept handshakes with peers trying to negotiate TLS lower than 1.2.
TLS 1.1 and 1.0 are not recommended and therefore we will, by default,
allow TLS 1.2 as minimum version.
The minimum allowed version can still be controlled via
'--tls-version-min'.
At the same time automatically set '--tls-version-min' to 1.0 if the
user requires compatibility with versions older than 2.3.7, as that was
the only version supported back then.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210913192929.26391-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22838.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'Changes.rst')
-rw-r--r-- | Changes.rst | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/Changes.rst b/Changes.rst index 2393e31..d24b6d2 100644 --- a/Changes.rst +++ b/Changes.rst @@ -71,6 +71,11 @@ Deprecated features This option mainly served a role as debug option when NCP was first introduced. It should now no longer be necessary. +TLS 1.0 and 1.1 are deprecated + ``tls-version-min`` is set to 1.2 by default. OpenVPN 2.6.0 defaults + to a minimum TLS version of 1.2 as TLS 1.0 and 1.1 should be generally + avoided. Note that OpenVPN versions older than 2.3.7 use TLS 1.0 only. + ``--cipher`` argument is no longer appended to ``--data-ciphers`` by default. Data cipher negotiation has been introduced in 2.4.0 and been significantly improved in 2.5.0. The implicit fallback |
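Review bot: The added "TLS 1.0 and 1.1 are deprecated" entry states the new default twice ("``tls-version-min`` is set to 1.2 by default" and then "OpenVPN 2.6.0 defaults to a minimum TLS version of 1.2") but never tells the reader what to do when a peer cannot negotiate TLS 1.2. The commit message says the minimum can still be controlled via '--tls-version-min' and that it is lowered to 1.0 automatically when compatibility with versions older than 2.3.7 is requested; neither point appears in the Changes.rst text. I would fold the two opening sentences into one and add a sentence on the override and the automatic fallback, so an operator with pre-2.3.7 peers understands why handshakes start failing and how to restore them deliberately. Also a style point: the neighbouring entry writes options with leading dashes (``--cipher``, ``--data-ciphers``), while this one uses ``tls-version-min`` without them. Use ``--tls-version-min`` for consistency.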