| | | |
|---|---|---|
| author | Antonio Quartulli | 2021-09-13 21:29:29 +0200 |
| committer | Gert Doering | 2021-09-21 13:24:26 +0200 |
| commit | 968569f83b1561ea4dff5b8b1f0d7768e2a18e69 (patch) | |
| tree | fc057b453dcaa2142e823037c822782bd0f2d374 /doc/man-sections | |
| parent | cdef503b646087f9284b53e01c64988c98879c36 (diff) | |
| download | openvpn-968569f83b1561ea4dff5b8b1f0d7768e2a18e69.zip, openvpn-968569f83b1561ea4dff5b8b1f0d7768e2a18e69.tar.gz | |
Set TLS 1.2 as minimum by default
Do not accept handshakes with peers trying to negotiate TLS lower than 1.2.
TLS 1.1 and 1.0 are not recommended and therefore we will, by default,
allow TLS 1.2 as minimum version.
The minimum allowed version can still be controlled via
'--tls-version-min'.
At the same time automatically set '--tls-version-min' to 1.0 if the
user requires compatibility with versions older than 2.3.7, as that was
the only version supported back then.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210913192929.26391-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22838.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'doc/man-sections')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | doc/man-sections/generic-options.rst | 2 |
| -rw-r--r-- | doc/man-sections/tls-options.rst | 4 |

2 files changed, 4 insertions, 2 deletions
diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 3e099e1..e6c1fe4 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -70,6 +70,8 @@ which mode OpenVPN is configured as. ``--data-ciphers`` - 2.3.x or lower: ``--data-cipher-fallback`` is automatically added with the same cipher as ``--cipher`` + - 2.3.6 or lower: ``--tls-version-min 1.0`` is added to the configuration + when ``--tls-version-min`` is not explicitly set. --config file Load additional config options from ``file`` where each line corresponds diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index 00ea063..eaf3839 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -545,8 +545,8 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa them. --tls-version-min args - Sets the minimum TLS version we will accept from the peer (default is - "1.0"). + Sets the minimum TLS version we will accept from the peer (default in + 2.6.0 and later is "1.2"). Valid syntax: :: |
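Review bot: the new compat-mode bullet in generic-options.rst ("2.3.6 or lower: ``--tls-version-min 1.0`` is added") states the effect without the reason, so a reader does not learn why 1.0 is forced for those releases or that the default is otherwise 1.2; suggest appending a short clause such as "(the only TLS version those releases support; the default minimum is 1.2 otherwise)" so the entry is self-explanatory and matches the commit message. The code that applies this override is outside this diffstat, so the "when ``--tls-version-min`` is not explicitly set" precedence documented here should be checked against it before merging.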
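Review bot: the updated ``--tls-version-min`` text in tls-options.rst gives the new default of "1.2" but does not tell the reader the practical consequence stated in the commit message, namely that handshakes from peers that can only negotiate TLS 1.0 or 1.1 are now refused unless this option is lowered, nor that ``--compat-mode`` with a version of 2.3.6 or lower lowers it to 1.0 automatically; suggest adding one sentence after the default that states this and points to the compat-mode entry in generic-options.rst, so the two sections stay consistent. "default in 2.6.0 and later" is also the only release number on this page, so confirm the change ships in 2.6.0 before the man page promises that default.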