OpenSSL v1.1.1 ssl_choose_client_version unsupported protocol [closed]

Answer 1

You can even directly override the system default e.g. by using:

tls-cipher "DEFAULT:@SECLEVEL=1"

to have a basic configuration that matches normal OpenSSL defaults. Note that OpenVPN normally sets a more restricted cipher list (see man page).

Answer 2

You don't have to downgrade OpenSSL or change the system default.

Instead of modifying /etc/ssl/openssl.cnf you can just configure the openvpn client to configure libssl with a different minimum protocol version. The option is --tls-version-min or tls-version-min in a config file.

It's still preferable to upgrade the server but this is a better way to deal with a temporary version skew.

Answer 3

You don't have to downgrade OpenSSL.

With the introduction of openssl version 1.1.1 in Debian the defaults are set to more secure values by default. This is done in the /etc/ssl/openssl.cnf config file. At the end of the file there is:

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

Debian now require as minimum the TLS 1.2 version instead TLS 1.0. If the other side does not support TLS 1.2 or higher you will get some connection errors.

I recommend upgrade openvpn on server to newer version which support TLS 1.2..

Second options (not much secure) is modify MinProcotol to TLSv1 or TLSv1.1.