From: Selva N. <sel...@gm...> - 2016-12-29 19:07:16
On Thu, Dec 29, 2016 at 5:53 AM, Samuli Seppänen <sa...@op...> wrote:

> Hi,
>
> Any comments about the forwarded email? Is our documentation regarding
> "or-highest" correct?
>
> Samuli
>
>
> -------- Forwarded Message --------
> Subject: Re: [Openvpn-announce] OpenVPN 2.4.0 released
> Date: Tue, 27 Dec 2016 22:04:23 -0600
> From: Michael French <Mi...@mp...>
> To: Samuli Seppänen <sa...@op...>
>
>
> Hi Samuli,
> I installed 2.4 on a couple Windows 7x64 computers and all seems well.
> I even got tls-crypt to work using the old ta.key file on both client
> and server.
>
> However, I noticed in the documentation for 2.4 that the parameter
> tls-version-min is supposed to work with the 'or-highest' option, but it
> does not.
>
> I wish that it did work because I always want to run with the most
> secure version of TLS and the 'or-highest' option would save me the
> trouble of manually editing the TLS number every time it changes.
>

I too find this option somewhat counter-intuitive. I think you can
effectively get it set to the highest available version by specifying an
insanely large number as the first parameter. For example,

--tls-version-min 5.0 or-highest

As 5.0 is larger than any available versions, the minimum will get set to
the highest available (say 1.2). However, that will also make it impossible
to connect to a server that doesn't support the said version.

Selva
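
Added example, not part of the original message and not OpenVPN's code: a small Python model of the rule in the OpenVPN manual, where or-highest only takes effect when the version string is not recognized, and of the connection failure described in the reply above. The function names, the KNOWN list and the peer version ranges are assumptions made for illustration.

```python
# Model of the documented "--tls-version-min <version> [or-highest]" rule.
# Not OpenVPN source; all names and version lists here are constructed.
KNOWN = ("1.0", "1.1", "1.2")  # assumed recognized strings (man page examples)


def as_tuple(version):
    """Turn "1.2" into (1, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def resolve_min(version, modifier=None, local_max="1.2"):
    """Return the effective minimum TLS version for one side."""
    if modifier not in (None, "or-highest"):
        raise ValueError("unknown modifier: %r" % modifier)
    if version in KNOWN:
        # A recognized version is used as given; or-highest changes nothing.
        return version
    if modifier == "or-highest":
        # Unrecognized version: fall back to the best the local library has.
        return local_max
    raise ValueError("unrecognized TLS version: %r" % version)


def negotiate(client_min, client_max, server_min, server_max):
    """Highest version inside both [min, max] ranges, or None if disjoint."""
    low = max(as_tuple(client_min), as_tuple(server_min))
    high = min(as_tuple(client_max), as_tuple(server_max))
    if low > high:
        return None
    return ".".join(str(n) for n in high)


def demo():
    # Client uses the "5.0 or-highest" workaround; its library tops out at 1.2.
    pinned = resolve_min("5.0", "or-highest", local_max="1.2")
    return {
        "1.0 or-highest": resolve_min("1.0", "or-highest"),
        "5.0 or-highest": pinned,
        "server up to 1.2": negotiate(pinned, "1.2", "1.0", "1.2"),
        "server up to 1.1": negotiate(pinned, "1.2", "1.0", "1.1"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```
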