mbedtls: Warn if --tls-version-min is too low

Recent versions of mbedtls only support TLS 1.2. When the minimum version is set to TLS 1.0 or 1.1, log a warning and use 1.2 as the actual minimum version. Change-Id: Ibc641388d8016533c94dfef3618376f6dfa91f4e Signed-off-by: Max Fillinger <[email protected]> Acked-by: Arne Schwabe <[email protected]> Message-Id: <[email protected]> URL: https://www.mail-archive.com/[email protected]/msg28865.html Signed-off-by: Gert Doering <[email protected]>
OpenVPN · Jul 3, 2024 · c535fa7 · c535fa7
1 parent 0ea5126
commit c535fa7
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
@@ -8942,6 +8942,15 @@ add_option(struct options *options,
             msg(msglevel, "unknown tls-version-min parameter: %s", p[1]);
             goto err;
         }
+
+#ifdef ENABLE_CRYPTO_MBEDTLS
+        if (ver < TLS_VER_1_2)
+        {
+            msg(M_WARN, "--tls-version-min %s is not supported by mbedtls, using 1.2", p[1]);
+            ver = TLS_VER_1_2;
+        }
+#endif
+
         options->ssl_flags &=
             ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
         options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);