-rw-r--r--  Changes.rst                                5
-rw-r--r--  doc/man-sections/generic-options.rst       2
-rw-r--r--  doc/man-sections/tls-options.rst           4
-rw-r--r--  src/openvpn/options.c                     15
4 files changed, 24 insertions, 2 deletions
diff --git a/Changes.rst b/Changes.rst
index 2393e31..d24b6d2 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -71,6 +71,11 @@ Deprecated features
This option mainly served a role as debug option when NCP was first
introduced. It should now no longer be necessary.
+TLS 1.0 and 1.1 are deprecated
+ ``tls-version-min`` is set to 1.2 by default. OpenVPN 2.6.0 defaults
+ to a minimum TLS version of 1.2 as TLS 1.0 and 1.1 should be generally
+ avoided. Note that OpenVPN versions older than 2.3.7 use TLS 1.0 only.
+
``--cipher`` argument is no longer appended to ``--data-ciphers``
by default. Data cipher negotiation has been introduced in 2.4.0
and been significantly improved in 2.5.0. The implicit fallback
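Review bot: the first two sentences of the new entry say the same thing twice ("``tls-version-min`` is set to 1.2 by default" and "OpenVPN 2.6.0 defaults to a minimum TLS version of 1.2"); fold them into one. The entry should also mention what the options.c hunk of this same patch does, since users upgrading from 2.5 will look here first: with ``--compat-mode`` targeting a version older than 2.3.7 the default stays at TLS 1.0, and an explicitly configured ``--tls-version-min`` is never overridden.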
diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst
index 3e099e1..e6c1fe4 100644
--- a/doc/man-sections/generic-options.rst
+++ b/doc/man-sections/generic-options.rst
@@ -70,6 +70,8 @@ which mode OpenVPN is configured as.
``--data-ciphers``
- 2.3.x or lower: ``--data-cipher-fallback`` is automatically added with
the same cipher as ``--cipher``
+ - 2.3.6 or lower: ``--tls-version-min 1.0`` is added to the configuration
+ when ``--tls-version-min`` is not explicitly set.
--config file
Load additional config options from ``file`` where each line corresponds
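Review bot: the threshold is phrased as "2.3.6 or lower" here but as "older than 2.3.7" in the Changes.rst hunk; both match ``need_compatibility_before(o, 20307)``, so pick one wording and use it in both places. Also state the other side of the rule in this bullet, e.g. "... otherwise the default minimum is TLS 1.2", because this list is where readers look up exactly what ``--compat-mode`` changes.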
diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst
index 00ea063..eaf3839 100644
--- a/doc/man-sections/tls-options.rst
+++ b/doc/man-sections/tls-options.rst
@@ -545,8 +545,8 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa
them.
--tls-version-min args
- Sets the minimum TLS version we will accept from the peer (default is
- "1.0").
+ Sets the minimum TLS version we will accept from the peer (default in
+ 2.6.0 and later is "1.2").
Valid syntax:
::
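Review bot: the new default text is incomplete. The options.c hunk in this patch keeps "1.0" as the default when ``--compat-mode`` requests a version older than 2.3.7, and that exception belongs here, not only in generic-options.rst, e.g. "default in 2.6.0 and later is "1.2", or "1.0" when ``--compat-mode`` is set to a version older than 2.3.7". A sentence saying that TLS 1.0 and 1.1 are deprecated and should only be enabled for legacy peers would also make the security intent of the change visible to someone reading just this option.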
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 4b6655d..b3a83aa 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -3164,6 +3164,21 @@ need_compatibility_before(const struct options *o, unsigned int version)
static void
options_set_backwards_compatible_options(struct options *o)
{
+ /* TLS min version is not set */
+ if ((o->ssl_flags & SSLF_TLS_VERSION_MIN_MASK) == 0)
+ {
+ if (need_compatibility_before(o, 20307))
+ {
+ /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */
+ o->ssl_flags = (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT);
+ }
+ else
+ {
+ /* Use TLS 1.2 as proper default */
+ o->ssl_flags = (TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT);
+ }
+ }
+
/* Versions < 2.5.0 do need --cipher in the list of accepted ciphers.
* Version 2.4 might probably does not need it but NCP was not so
* good with 2.4 and ncp-disable might be more common on 2.4 peers.
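Review bot: plain assignment clobbers every other bit stored in o->ssl_flags. Both `o->ssl_flags = (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT);` and the TLS 1.2 branch overwrite the whole word, yet the guard above masks with SSLF_TLS_VERSION_MIN_MASK, which only makes sense if other fields (the tls-version-max field and the remaining SSLF_* flags) share that word; use `|=` so they survive. The guard itself also looks off: it tests `o->ssl_flags & SSLF_TLS_VERSION_MIN_MASK` without shifting, while the values written below are shifted by SSLF_TLS_VERSION_MIN_SHIFT; unless the mask is already defined pre-shifted, the condition reads the low bits and should be `((o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK) == 0`. Finally, a configuration that sets only `--tls-version-max 1.0` or `1.1` now ends up with a minimum of 1.2 above its maximum and can never negotiate; cap the new default at the configured maximum when one is set.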