From: Matthias Andree Date: Mon, 30 Mar 2015 19:54:54 +0000 (+0200) Subject: Manual page update for Re-enabled TLS version negotiation. X-Git-Tag: v2.3.7~28 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ca32c1551b05bf4cead7dceae62c412886fded55;p=thirdparty%2Fopenvpn.git Manual page update for Re-enabled TLS version negotiation. Signed-off-by: Matthias Andree Acked-by: Steffan Karger Message-Id: <1427745294-31041-1-git-send-email-matthias.andree@gmx.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/9562 Signed-off-by: Gert Doering --- diff --git a/doc/openvpn.8 b/doc/openvpn.8 index a95d353dc..1420bdd02 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4286,16 +4286,19 @@ include "1.0", "1.1", or "1.2". If 'or-highest' is specified and version is not recognized, we will only accept the highest TLS version supported by the local SSL implementation. -If this options is not set, the code in OpenVPN 2.3.4 will default -to using TLS 1.0 only, without any version negotiation. This reverts -the beaviour to what OpenVPN versions up to 2.3.2 did, as it turned -out that TLS version negotiation can lead to handshake problems due -to new signature algorithms in TLS 1.2. +Also see +.B \-\-tls-version-max +below, for information on compatibility. .\"********************************************************* .TP .B \-\-tls-version-max version Set the maximum TLS version we will use (default is the highest version supported). Examples for version include "1.0", "1.1", or "1.2". + +If and only if this is set to 1.0, and OpenSSL is used (not PolarSSL), +then OpenVPN will set up OpenSSL to use a fixed TLSv1 handshake. All +other configurations will autonegotiate in the given limits, and the +choice of handshake versions is left to the SSL implementation. .\"********************************************************* .TP .B \-\-pkcs12 file
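Review bot: The --tls-version-min paragraph now drops any statement of what happens when the option is not set, and the replacement cross-reference ("Also see --tls-version-max below, for information on compatibility") points at a paragraph that only covers the special case of --tls-version-max 1.0 under OpenSSL. A reader who previously learned from the removed lines that 2.3.4 defaulted to "TLS 1.0 only, without any version negotiation" is left without the new default; suggest adding one sentence under --tls-version-min stating the behaviour when neither option is given (negotiation within the implementation's supported range, if that is what the re-enabled negotiation means), and carrying over the rationale from the removed text ("TLS version negotiation can lead to handshake problems due to new signature algorithms in TLS 1.2") into the new --tls-version-max paragraph, so the reader knows when the fixed TLSv1 handshake is actually needed. The new "If and only if this is set to 1.0" sentence should also say explicitly that --tls-version-min 1.0 on its own does not trigger the fixed handshake, since the two options sit next to each other and the "if and only if" is otherwise easy to misread as applying to both.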