Set TLS to version 1

Is there a way to set TLS to v1 instead of using TLS min v1.2? I have devices that cannot at the moment go to TLS v1.2, so the connection broke after the OpenVPN upgrade.

OpenVPN server was updated to have the default of tls-version-min=1.2 in Core Update 149 (Aug 2020).

TLSv1.0 and v1.1 are no longer considered secure. Searches will find lots of mentions of the various security vulnerabilities that v1.0 is exposed to.

I understand that, but as I have 40 deployed devices at 120 dollars each, it's a bit of a problem just to replace them off the bat. And if I do replace them, how long before that manufacturer also stops supporting the new protocols…

It's a bit of a rock and a hard place issue for me.

I would have expected/hoped that the vendor would have provided an update process for the firmware, especially if you bought that quantity and price.

If your vendor has OpenVPN connectivity that cannot negotiate higher than TLSv1.0, then it must be using a very old client as well, from around 2014 with a version earlier than 2.3.3.

Hopefully it is not using one of the old weak/insecure encryption algorithms for the data, such as BlowFish which was the default at that time, otherwise both your Channel and Data communications have security weaknesses.

The only option you have is then to edit the tls-version-min value from 1.2 to 1.0 in the server config file:

/var/ipfire/ovpn/server.conf

However, you will need to repeat this if a Core Update is carried out and also if the Save button is pressed on the OpenVPN WUI page.

1 Like
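
An added example, not part of the thread and not IPFire's own code: because the manual edit is silently reverted by a Core Update or a WUI save, and because the reply above also raises the BlowFish data cipher, this sketch audits a server config for both settings. The function names, the constructed sample config and the choice of 64-bit block cipher prefixes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not IPFire code. Function names are hypothetical.

# Print the value of a directive; commented-out lines never match.
# If the directive is repeated, the last occurrence is reported.
ovpn_directive() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# Return 0 when nothing is flagged, 1 when there is at least one finding.
audit_ovpn_conf() {
    conf=$1
    findings=0
    tls_min=$(ovpn_directive "$conf" tls-version-min)
    cipher=$(ovpn_directive "$conf" cipher)

    case "$tls_min" in
        1.2|1.3) echo "ok: tls-version-min $tls_min" ;;
        "") echo "finding: tls-version-min unset, floor depends on the OpenVPN build"
            findings=1 ;;
        *)  echo "finding: tls-version-min $tls_min permits TLS below 1.2"
            findings=1 ;;
    esac

    case "$cipher" in
        BF-*|DES-*|CAST5-*|RC2-*)
            echo "finding: cipher $cipher uses a 64-bit block size"
            findings=1 ;;
        "") echo "note: no cipher directive present" ;;
        *)  echo "ok: cipher $cipher" ;;
    esac
    return "$findings"
}

# Constructed sample config (not a real IPFire file): the state after the manual edit.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# tls-version-min 1.2
tls-version-min 1.0
cipher BF-CBC
EOF
audit_ovpn_conf "$sample" || echo "review needed: $sample has findings"
rm -f "$sample"
```

Pointing audit_ovpn_conf at /var/ipfire/ovpn/server.conf after a Core Update or a WUI save shows whether the TLS floor is currently 1.0 or has gone back to 1.2, which also explains legacy clients suddenly failing to connect.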

Luckily no. It supports all the encryption protocols so those are fine, but I think their OpenVPN client is a version from 2017. They did say that it was compatible with TLS 1.2, but upon further investigation I think they realised they implemented it incorrectly, so only v1 is possible.