[Openvpn-devel,1/3,v3] Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+

Message ID 20180119192252.6229-1-steffan@karger.me
State Superseded
Headers show
Series
  • [Openvpn-devel,1/3,v3] Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+
Related show

Commit Message

Steffan Karger Jan. 19, 2018, 7:22 p.m.
As described in <80e6b449-c536-dc87-7215-3693872bce5a@birkenwald.de> on
the openvpn-devel mailing list, --tls-version-min no longer works with
OpenSSL 1.1.  Kurt Roeckx posted in a debian bug report:

"This is marked as important because if you switch to openssl 1.1.0
the defaults minimum version in Debian is currently TLS 1.2 and
you can't override it with the options that you're currently using
(and are deprecated)."

This patch is loosely based on the original patch by Kurt, but solves the
issue by adding functions to openssl-compat.h, like we also did for all
other openssl 1.1. breakage.  This results in not having to add more ifdefs
in ssl_openssl.c and thus cleaner code.

Signed-off-by: Steffan Karger <steffan@karger.me>
---
v2: fix define name, obey system lib default minimum version
v3: add error handling, fix bug in setting default minimum

 src/openvpn/openssl_compat.h |  63 +++++++++++++++++++++++++++
 src/openvpn/ssl.c            |   5 ++-
 src/openvpn/ssl_backend.h    |   4 +-
 src/openvpn/ssl_mbedtls.c    |   3 +-
 src/openvpn/ssl_openssl.c    | 100 +++++++++++++++++++++++++++----------------
 5 files changed, 136 insertions(+), 39 deletions(-)

Comments

Selva Nair Jan. 19, 2018, 8:56 p.m. | #1
Hi,

Thanks for the v3.

All good except (sorry to say that :)

The compat versions of SSL_CTX_get_max_proto_version and its min counterpart
should return a long or int not void. Assuming we want to continue
supporting
openssl 1.0.

This was not an issue earlier when return value was not checked. Anyway,
the correct
signature of the 1.1 functions (well macros) it replaces is long.

I should have pointed this out earlier...

There is one more thing that I'm not sure of. See below.

On Fri, Jan 19, 2018 at 2:22 PM, Steffan Karger <steffan@karger.me> wrote:

> As described in <80e6b449-c536-dc87-7215-3693872bce5a@birkenwald.de> on
> the openvpn-devel mailing list, --tls-version-min no longer works with
> OpenSSL 1.1.  Kurt Roeckx posted in a debian bug report:
>
> "This is marked as important because if you switch to openssl 1.1.0
> the defaults minimum version in Debian is currently TLS 1.2 and
> you can't override it with the options that you're currently using
> (and are deprecated)."
>
> This patch is loosely based on the original patch by Kurt, but solves the
> issue by adding functions to openssl-compat.h, like we also did for all
> other openssl 1.1. breakage.  This results in not having to add more ifdefs
> in ssl_openssl.c and thus cleaner code.
>
> Signed-off-by: Steffan Karger <steffan@karger.me>
> ---
> v2: fix define name, obey system lib default minimum version
> v3: add error handling, fix bug in setting default minimum
>
>  src/openvpn/openssl_compat.h |  63 +++++++++++++++++++++++++++
>  src/openvpn/ssl.c            |   5 ++-
>  src/openvpn/ssl_backend.h    |   4 +-
>  src/openvpn/ssl_mbedtls.c    |   3 +-
>  src/openvpn/ssl_openssl.c    | 100 +++++++++++++++++++++++++++---
> -------------
>  5 files changed, 136 insertions(+), 39 deletions(-)
>
> diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
> index 05ec4e95..4931fad3 100644
> --- a/src/openvpn/openssl_compat.h
> +++ b/src/openvpn/openssl_compat.h
> @@ -661,4 +661,67 @@ EC_GROUP_order_bits(const EC_GROUP *group)
>  #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT       RSA_F_RSA_EAY_PRIVATE_ENCRYPT
>  #endif
>
> +#ifndef SSL_CTX_get_min_proto_version
> +/** Dummy SSL_CTX_get_min_proto_version for OpenSSL < 1.1 (not really
> needed) */
> +static inline int
> +SSL_CTX_get_min_proto_version(SSL_CTX *ctx)
> +{
> +    return 0;
> +}
> +#endif /* SSL_CTX_get_min_proto_version */
> +
> +#ifndef SSL_CTX_set_min_proto_version
> +/** Mimics SSL_CTX_set_min_proto_version for OpenSSL < 1.1 */
> +static inline void
> +SSL_CTX_set_min_proto_version(SSL_CTX *ctx, long tls_ver_min)
>

static inline long (or int)
...


> +{
> +    long sslopt = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; /* Never do < TLS
> 1.0 */
> +
> +    if (tls_ver_min > TLS1_VERSION)
> +    {
> +        sslopt |= SSL_OP_NO_TLSv1;
> +    }
> +#ifdef SSL_OP_NO_TLSv1_1
> +    if (tls_ver_min > TLS1_1_VERSION)
> +    {
> +        sslopt |= SSL_OP_NO_TLSv1_1;
> +    }
> +#endif
> +#ifdef SSL_OP_NO_TLSv1_2
> +    if (tls_ver_min > TLS1_2_VERSION)
> +    {
> +        sslopt |= SSL_OP_NO_TLSv1_2;
> +    }
> +#endif
> +    SSL_CTX_set_options(ctx, sslopt);
>

return 1;


> +}
> +#endif /* SSL_CTX_set_min_proto_version */
> +
> +#ifndef SSL_CTX_set_max_proto_version
> +/** Mimics SSL_CTX_set_max_proto_version for OpenSSL < 1.1 */
> +static inline void
> +SSL_CTX_set_max_proto_version(SSL_CTX *ctx, long tls_ver_max)
>

static inline long (or int)
...


> +{
> +    long sslopt = 0;
> +
> +    if (tls_ver_max < TLS1_VERSION)
> +    {
> +        sslopt |= SSL_OP_NO_TLSv1;
> +    }
> +#ifdef SSL_OP_NO_TLSv1_1
> +    if (tls_ver_max < TLS1_1_VERSION)
> +    {
> +        sslopt |= SSL_OP_NO_TLSv1_1;
> +    }
> +#endif
> +#ifdef SSL_OP_NO_TLSv1_2
> +    if (tls_ver_max < TLS1_2_VERSION)
> +    {
> +        sslopt |= SSL_OP_NO_TLSv1_2;
> +    }
> +#endif
> +    SSL_CTX_set_options(ctx, sslopt);
>

return 1;


> +}
> +#endif /* SSL_CTX_set_max_proto_version */
> +
>

...

+/** Convert internal version number to openssl version number */
> +static int
> +openssl_tls_version(int ver)
> +{
> +    if (ver == TLS_VER_1_0)
> +    {
> +        return TLS1_VERSION;
> +    }
> +    else if (ver == TLS_VER_1_1)
> +    {
> +        return TLS1_1_VERSION;
> +    }
> +    else if (ver == TLS_VER_1_2)
> +    {
> +        return TLS1_2_VERSION;
> +    }
> +    return 0;
> +}


TLS1_2_VERSION may not be defined in openssl prior to 1.0.1, would it?
Is that a problem? Do we still support 0.9.8 etc? I'm lazy to check this
myself.

The rest is good.

Selva
<div dir="ltr">Hi,<div><br></div><div>Thanks for the v3.</div><div><br></div><div>All good except (sorry to say that :)</div><div><br></div><div>The compat versions of SSL_CTX_get_max_proto_version and its min counterpart</div><div class="gmail_extra">should return a long or int not void. Assuming we want to continue supporting </div><div class="gmail_extra">openssl 1.0.</div><div class="gmail_extra"><br></div><div class="gmail_extra">This was not an issue earlier when return value was not checked. Anyway, the correct</div><div class="gmail_extra">signature of the 1.1 functions (well macros) it replaces is long.</div><div class="gmail_extra"><br></div><div class="gmail_extra">I should have pointed this out earlier...</div><div class="gmail_extra"><br></div><div class="gmail_extra">There is one more thing that I&#39;m not sure of. See below.</div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 19, 2018 at 2:22 PM, Steffan Karger <span dir="ltr">&lt;<a href="mailto:steffan@karger.me" target="_blank">steffan@karger.me</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">As described in &lt;<a href="mailto:80e6b449-c536-dc87-7215-3693872bce5a@birkenwald.de">80e6b449-c536-dc87-7215-<wbr>3693872bce5a@birkenwald.de</a>&gt; on<br>
the openvpn-devel mailing list, --tls-version-min no longer works with<br>
OpenSSL 1.1.  Kurt Roeckx posted in a debian bug report:<br>
<br>
</span><span class="gmail-">&quot;This is marked as important because if you switch to openssl 1.1.0<br>
the defaults minimum version in Debian is currently TLS 1.2 and<br>
you can&#39;t override it with the options that you&#39;re currently using<br>
(and are deprecated).&quot;<br>
<br>
This patch is loosely based on the original patch by Kurt, but solves the<br>
issue by adding functions to openssl-compat.h, like we also did for all<br>
other openssl 1.1. breakage.  This results in not having to add more ifdefs<br>
in ssl_openssl.c and thus cleaner code.<br>
<br>
Signed-off-by: Steffan Karger &lt;<a href="mailto:steffan@karger.me">steffan@karger.me</a>&gt;<br>
---<br>
v2: fix define name, obey system lib default minimum version<br>
</span>v3: add error handling, fix bug in setting default minimum<br>
<br>
 src/openvpn/openssl_compat.h |  63 +++++++++++++++++++++++++++<br>
 src/openvpn/ssl.c            |   5 ++-<br>
 src/openvpn/ssl_backend.h    |   4 +-<br>
 src/openvpn/ssl_mbedtls.c    |   3 +-<br>
 src/openvpn/ssl_openssl.c    | 100 +++++++++++++++++++++++++++---<wbr>-------------<br>
 5 files changed, 136 insertions(+), 39 deletions(-)<br>
<br>
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h<br>
index 05ec4e95..4931fad3 100644<br>
--- a/src/openvpn/openssl_compat.h<br>
+++ b/src/openvpn/openssl_compat.h<br>
@@ -661,4 +661,67 @@ EC_GROUP_order_bits(const EC_GROUP *group)<br>
<div><div class="gmail-h5"> #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT       RSA_F_RSA_EAY_PRIVATE_ENCRYPT<br>
 #endif<br>
<br>
+#ifndef SSL_CTX_get_min_proto_version<br>
+/** Dummy SSL_CTX_get_min_proto_version for OpenSSL &lt; 1.1 (not really needed) */<br>
+static inline int<br>
+SSL_CTX_get_min_proto_<wbr>version(SSL_CTX *ctx)<br>
+{<br>
+    return 0;<br>
+}<br>
+#endif /* SSL_CTX_get_min_proto_version */<br>
+<br>
+#ifndef SSL_CTX_set_min_proto_version<br>
+/** Mimics SSL_CTX_set_min_proto_version for OpenSSL &lt; 1.1 */<br>
+static inline void<br>
+SSL_CTX_set_min_proto_<wbr>version(SSL_CTX *ctx, long tls_ver_min)<br></div></div></blockquote><div><br></div><div>static inline long (or int)</div><div>...</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="gmail-h5">
+{<br>
+    long sslopt = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; /* Never do &lt; TLS 1.0 */<br>
+<br>
+    if (tls_ver_min &gt; TLS1_VERSION)<br>
+    {<br>
+        sslopt |= SSL_OP_NO_TLSv1;<br>
+    }<br>
+#ifdef SSL_OP_NO_TLSv1_1<br>
+    if (tls_ver_min &gt; TLS1_1_VERSION)<br>
+    {<br>
+        sslopt |= SSL_OP_NO_TLSv1_1;<br>
+    }<br>
+#endif<br>
+#ifdef SSL_OP_NO_TLSv1_2<br>
+    if (tls_ver_min &gt; TLS1_2_VERSION)<br>
+    {<br>
+        sslopt |= SSL_OP_NO_TLSv1_2;<br>
+    }<br>
+#endif<br>
+    SSL_CTX_set_options(ctx, sslopt);<br></div></div></blockquote><div><br></div><div>return 1;</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="gmail-h5">
+}<br>
+#endif /* SSL_CTX_set_min_proto_version */<br>
+<br>
+#ifndef SSL_CTX_set_max_proto_version<br>
+/** Mimics SSL_CTX_set_max_proto_version for OpenSSL &lt; 1.1 */<br>
+static inline void<br>
+SSL_CTX_set_max_proto_<wbr>version(SSL_CTX *ctx, long tls_ver_max)<br></div></div></blockquote><div><br></div><div>static inline long (or int)</div><div>...</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="gmail-h5">
+{<br>
+    long sslopt = 0;<br>
+<br>
+    if (tls_ver_max &lt; TLS1_VERSION)<br>
+    {<br>
+        sslopt |= SSL_OP_NO_TLSv1;<br>
+    }<br>
+#ifdef SSL_OP_NO_TLSv1_1<br>
+    if (tls_ver_max &lt; TLS1_1_VERSION)<br>
+    {<br>
+        sslopt |= SSL_OP_NO_TLSv1_1;<br>
+    }<br>
+#endif<br>
+#ifdef SSL_OP_NO_TLSv1_2<br>
+    if (tls_ver_max &lt; TLS1_2_VERSION)<br>
+    {<br>
+        sslopt |= SSL_OP_NO_TLSv1_2;<br>
+    }<br>
+#endif<br>
+    SSL_CTX_set_options(ctx, sslopt);<br>
</div></div></blockquote><div><br></div><div>return 1;</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="gmail-h5">+}<br>
+#endif /* SSL_CTX_set_max_proto_version */<br>
+</div></div></blockquote><div><br></div><div>...</div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">+/** Convert internal version number to openssl version number */<br>+static int<br>+openssl_tls_version(int ver)<br>+{<br>+    if (ver == TLS_VER_1_0)<br>+    {<br>+        return TLS1_VERSION;<br>+    }<br>+    else if (ver == TLS_VER_1_1)<br>+    {<br>+        return TLS1_1_VERSION;<br>+    }<br>+    else if (ver == TLS_VER_1_2)<br>+    {<br>+        return TLS1_2_VERSION;<br>+    }<br>+    return 0;<br>+}</blockquote></div><div><br></div><div>TLS1_2_VERSION may not be defined in openssl prior to 1.0.1, would it?<br></div><div>Is that a problem? Do we still support 0.9.8 etc? I&#39;m lazy to check this myself.</div><div><br></div><div>The rest is good.</div><div><br></div><div>Selva </div></div></div></div>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Steffan Karger Jan. 19, 2018, 9:12 p.m. | #2
Hi,

On 19-01-18 21:56, Selva Nair wrote:
> Thanks for the v3.
> 
> All good except (sorry to say that :)
> 
> The compat versions of SSL_CTX_get_max_proto_version and its min counterpart
> should return a long or int not void. Assuming we want to continue
> supporting 
> openssl 1.0.
> 
> This was not an issue earlier when return value was not checked. Anyway,
> the correct
> signature of the 1.1 functions (well macros) it replaces is long.
> 
> I should have pointed this out earlier...

Gah, no, I should have thought about that before sending the patch.  Not
enough brains left on Friday night I guess...  v4 coming.

> There is one more thing that I'm not sure of. See below.
> 
> On Fri, Jan 19, 2018 at 2:22 PM, Steffan Karger <steffan@karger.me
> <mailto:steffan@karger.me>> wrote:
> 
>     As described in <80e6b449-c536-dc87-7215-3693872bce5a@birkenwald.de
>     <mailto:80e6b449-c536-dc87-7215-3693872bce5a@birkenwald.de>> on
>     the openvpn-devel mailing list, --tls-version-min no longer works with
>     OpenSSL 1.1.  Kurt Roeckx posted in a debian bug report:
> 
>     "This is marked as important because if you switch to openssl 1.1.0
>     the defaults minimum version in Debian is currently TLS 1.2 and
>     you can't override it with the options that you're currently using
>     (and are deprecated)."
> 
>     This patch is loosely based on the original patch by Kurt, but
>     solves the
>     issue by adding functions to openssl-compat.h, like we also did for all
>     other openssl 1.1. breakage.  This results in not having to add more
>     ifdefs
>     in ssl_openssl.c and thus cleaner code.
> 
>     Signed-off-by: Steffan Karger <steffan@karger.me
>     <mailto:steffan@karger.me>>
>     ---
>     v2: fix define name, obey system lib default minimum version
>     v3: add error handling, fix bug in setting default minimum
> 
>      src/openvpn/openssl_compat.h |  63 +++++++++++++++++++++++++++
>      src/openvpn/ssl.c            |   5 ++-
>      src/openvpn/ssl_backend.h    |   4 +-
>      src/openvpn/ssl_mbedtls.c    |   3 +-
>      src/openvpn/ssl_openssl.c    | 100
>     +++++++++++++++++++++++++++----------------
>      5 files changed, 136 insertions(+), 39 deletions(-)
> 
>     diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
>     index 05ec4e95..4931fad3 100644
>     --- a/src/openvpn/openssl_compat.h
>     +++ b/src/openvpn/openssl_compat.h
>     @@ -661,4 +661,67 @@ EC_GROUP_order_bits(const EC_GROUP *group)
>      #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT     
>      RSA_F_RSA_EAY_PRIVATE_ENCRYPT
>      #endif
> 
>     +#ifndef SSL_CTX_get_min_proto_version
>     +/** Dummy SSL_CTX_get_min_proto_version for OpenSSL < 1.1 (not
>     really needed) */
>     +static inline int
>     +SSL_CTX_get_min_proto_version(SSL_CTX *ctx)
>     +{
>     +    return 0;
>     +}
>     +#endif /* SSL_CTX_get_min_proto_version */
>     +
>     +#ifndef SSL_CTX_set_min_proto_version
>     +/** Mimics SSL_CTX_set_min_proto_version for OpenSSL < 1.1 */
>     +static inline void
>     +SSL_CTX_set_min_proto_version(SSL_CTX *ctx, long tls_ver_min)
> 
> 
> static inline long (or int)
> ...
>  
> 
>     +{
>     +    long sslopt = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; /* Never do <
>     TLS 1.0 */
>     +
>     +    if (tls_ver_min > TLS1_VERSION)
>     +    {
>     +        sslopt |= SSL_OP_NO_TLSv1;
>     +    }
>     +#ifdef SSL_OP_NO_TLSv1_1
>     +    if (tls_ver_min > TLS1_1_VERSION)
>     +    {
>     +        sslopt |= SSL_OP_NO_TLSv1_1;
>     +    }
>     +#endif
>     +#ifdef SSL_OP_NO_TLSv1_2
>     +    if (tls_ver_min > TLS1_2_VERSION)
>     +    {
>     +        sslopt |= SSL_OP_NO_TLSv1_2;
>     +    }
>     +#endif
>     +    SSL_CTX_set_options(ctx, sslopt);
> 
> 
> return 1;
>  
> 
>     +}
>     +#endif /* SSL_CTX_set_min_proto_version */
>     +
>     +#ifndef SSL_CTX_set_max_proto_version
>     +/** Mimics SSL_CTX_set_max_proto_version for OpenSSL < 1.1 */
>     +static inline void
>     +SSL_CTX_set_max_proto_version(SSL_CTX *ctx, long tls_ver_max)
> 
> 
> static inline long (or int)
> ...
>  
> 
>     +{
>     +    long sslopt = 0;
>     +
>     +    if (tls_ver_max < TLS1_VERSION)
>     +    {
>     +        sslopt |= SSL_OP_NO_TLSv1;
>     +    }
>     +#ifdef SSL_OP_NO_TLSv1_1
>     +    if (tls_ver_max < TLS1_1_VERSION)
>     +    {
>     +        sslopt |= SSL_OP_NO_TLSv1_1;
>     +    }
>     +#endif
>     +#ifdef SSL_OP_NO_TLSv1_2
>     +    if (tls_ver_max < TLS1_2_VERSION)
>     +    {
>     +        sslopt |= SSL_OP_NO_TLSv1_2;
>     +    }
>     +#endif
>     +    SSL_CTX_set_options(ctx, sslopt);
> 
> 
> return 1;
>  
> 
>     +}
>     +#endif /* SSL_CTX_set_max_proto_version */0
>     +
> 
> 
> ...
> 
>     +/** Convert internal version number to openssl version number */
>     +static int
>     +openssl_tls_version(int ver)
>     +{
>     +    if (ver == TLS_VER_1_0)
>     +    {
>     +        return TLS1_VERSION;
>     +    }
>     +    else if (ver == TLS_VER_1_1)
>     +    {
>     +        return TLS1_1_VERSION;
>     +    }
>     +    else if (ver == TLS_VER_1_2)
>     +    {
>     +        return TLS1_2_VERSION;
>     +    }
>     +    return 0;
>     +}
> 
> 
> TLS1_2_VERSION may not be defined in openssl prior to 1.0.1, would it?
> Is that a problem? Do we still support 0.9.8 etc? I'm lazy to check this
> myself.

The defines are already present in 0.9.8, and our master branch (which
should get this patch first) only supports openssl 1.0.1 and newer.
I'll need to double-check everything before cherry-picking to
release/2.4 though.  Let's first see if I can manage to send a correct
patch for master...

Now testing the v4 against both 1.0.1 and 1.1.0, and will send to the ml
soon.

Thanks!

-Steffan

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

Patch

diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index 05ec4e95..4931fad3 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -661,4 +661,67 @@  EC_GROUP_order_bits(const EC_GROUP *group)
 #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT       RSA_F_RSA_EAY_PRIVATE_ENCRYPT
 #endif
 
+#ifndef SSL_CTX_get_min_proto_version
+/** Dummy SSL_CTX_get_min_proto_version for OpenSSL < 1.1 (not really needed) */
+static inline int
+SSL_CTX_get_min_proto_version(SSL_CTX *ctx)
+{
+    return 0;
+}
+#endif /* SSL_CTX_get_min_proto_version */
+
+#ifndef SSL_CTX_set_min_proto_version
+/** Mimics SSL_CTX_set_min_proto_version for OpenSSL < 1.1 */
+static inline void
+SSL_CTX_set_min_proto_version(SSL_CTX *ctx, long tls_ver_min)
+{
+    long sslopt = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; /* Never do < TLS 1.0 */
+
+    if (tls_ver_min > TLS1_VERSION)
+    {
+        sslopt |= SSL_OP_NO_TLSv1;
+    }
+#ifdef SSL_OP_NO_TLSv1_1
+    if (tls_ver_min > TLS1_1_VERSION)
+    {
+        sslopt |= SSL_OP_NO_TLSv1_1;
+    }
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
+    if (tls_ver_min > TLS1_2_VERSION)
+    {
+        sslopt |= SSL_OP_NO_TLSv1_2;
+    }
+#endif
+    SSL_CTX_set_options(ctx, sslopt);
+}
+#endif /* SSL_CTX_set_min_proto_version */
+
+#ifndef SSL_CTX_set_max_proto_version
+/** Mimics SSL_CTX_set_max_proto_version for OpenSSL < 1.1 */
+static inline void
+SSL_CTX_set_max_proto_version(SSL_CTX *ctx, long tls_ver_max)
+{
+    long sslopt = 0;
+
+    if (tls_ver_max < TLS1_VERSION)
+    {
+        sslopt |= SSL_OP_NO_TLSv1;
+    }
+#ifdef SSL_OP_NO_TLSv1_1
+    if (tls_ver_max < TLS1_1_VERSION)
+    {
+        sslopt |= SSL_OP_NO_TLSv1_1;
+    }
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
+    if (tls_ver_max < TLS1_2_VERSION)
+    {
+        sslopt |= SSL_OP_NO_TLSv1_2;
+    }
+#endif
+    SSL_CTX_set_options(ctx, sslopt);
+}
+#endif /* SSL_CTX_set_max_proto_version */
+
 #endif /* OPENSSL_COMPAT_H_ */
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 7b428455..6c27050f 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -622,7 +622,10 @@  init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
      * cipher restrictions before loading certificates */
     tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
 
-    tls_ctx_set_options(new_ctx, options->ssl_flags);
+    if (!tls_ctx_set_options(new_ctx, options->ssl_flags))
+    {
+        goto err;
+    }
 
     if (options->pkcs12_file)
     {
diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index 7cf5d830..444fb2f9 100644
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -162,8 +162,10 @@  bool tls_ctx_initialised(struct tls_root_ctx *ctx);
  *
  * @param ctx           TLS context to set options on
  * @param ssl_flags     SSL flags to set
+ *
+ * @return true on success, false otherwise.
  */
-void tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags);
+bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags);
 
 /**
  * Restrict the list of ciphers that can be used within the TLS context.
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 8ac52d55..d503162a 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -206,9 +206,10 @@  key_state_export_keying_material(struct key_state_ssl *ssl,
 {
 }
 
-void
+bool
 tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
 {
+    return true;
 }
 
 static const char *
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 86318d4c..50d68280 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -206,16 +206,65 @@  info_callback(INFO_CALLBACK_SSL_CONST SSL *s, int where, int ret)
 int
 tls_version_max(void)
 {
-#if defined(SSL_OP_NO_TLSv1_2)
+#if defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2)
     return TLS_VER_1_2;
-#elif defined(SSL_OP_NO_TLSv1_1)
+#elif defined(TLS1_1_VERSION) || defined(SSL_OP_NO_TLSv1_1)
     return TLS_VER_1_1;
 #else
     return TLS_VER_1_0;
 #endif
 }
 
-void
+/** Convert internal version number to openssl version number */
+static int
+openssl_tls_version(int ver)
+{
+    if (ver == TLS_VER_1_0)
+    {
+        return TLS1_VERSION;
+    }
+    else if (ver == TLS_VER_1_1)
+    {
+        return TLS1_1_VERSION;
+    }
+    else if (ver == TLS_VER_1_2)
+    {
+        return TLS1_2_VERSION;
+    }
+    return 0;
+}
+
+static bool
+tls_ctx_set_tls_versions(struct tls_root_ctx *ctx, unsigned int ssl_flags)
+{
+    int tls_ver_min = openssl_tls_version(
+        (ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK);
+    int tls_ver_max = openssl_tls_version(
+        (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK);
+
+    if (!tls_ver_min)
+    {
+        /* Enforce at least TLS 1.0 */
+        int cur_min = SSL_CTX_get_min_proto_version(ctx->ctx);
+        tls_ver_min = cur_min < TLS1_VERSION ? TLS1_VERSION : cur_min;
+    }
+
+    if (!SSL_CTX_set_min_proto_version(ctx->ctx, tls_ver_min))
+    {
+        msg(D_TLS_ERRORS, "%s: failed to set minimum TLS version", __func__);
+        return false;
+    }
+
+    if (tls_ver_max && !SSL_CTX_set_max_proto_version(ctx->ctx, tls_ver_max))
+    {
+        msg(D_TLS_ERRORS, "%s: failed to set maximum TLS version", __func__);
+        return false;
+    }
+
+    return true;
+}
+
+bool
 tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
 {
     ASSERT(NULL != ctx);
@@ -223,41 +272,18 @@  tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
     /* default certificate verification flags */
     int flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
 
-    /* process SSL options including minimum TLS version we will accept from peer */
-    {
-        long sslopt = SSL_OP_SINGLE_DH_USE | SSL_OP_NO_TICKET | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
-        int tls_ver_max = TLS_VER_UNSPEC;
-        const int tls_ver_min =
-            (ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK;
-
-        tls_ver_max =
-            (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
-        if (tls_ver_max <= TLS_VER_UNSPEC)
-        {
-            tls_ver_max = tls_version_max();
-        }
-
-        if (tls_ver_min > TLS_VER_1_0 || tls_ver_max < TLS_VER_1_0)
-        {
-            sslopt |= SSL_OP_NO_TLSv1;
-        }
-#ifdef SSL_OP_NO_TLSv1_1
-        if (tls_ver_min > TLS_VER_1_1 || tls_ver_max < TLS_VER_1_1)
-        {
-            sslopt |= SSL_OP_NO_TLSv1_1;
-        }
-#endif
-#ifdef SSL_OP_NO_TLSv1_2
-        if (tls_ver_min > TLS_VER_1_2 || tls_ver_max < TLS_VER_1_2)
-        {
-            sslopt |= SSL_OP_NO_TLSv1_2;
-        }
-#endif
+    /* process SSL options */
+    long sslopt = SSL_OP_SINGLE_DH_USE | SSL_OP_NO_TICKET;
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
-        sslopt |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+    sslopt |= SSL_OP_CIPHER_SERVER_PREFERENCE;
 #endif
-        sslopt |= SSL_OP_NO_COMPRESSION;
-        SSL_CTX_set_options(ctx->ctx, sslopt);
+    sslopt |= SSL_OP_NO_COMPRESSION;
+
+    SSL_CTX_set_options(ctx->ctx, sslopt);
+
+    if (!tls_ctx_set_tls_versions(ctx, ssl_flags))
+    {
+        return false;
     }
 
 #ifdef SSL_MODE_RELEASE_BUFFERS
@@ -280,6 +306,8 @@  tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
     SSL_CTX_set_verify(ctx->ctx, flags, verify_callback);
 
     SSL_CTX_set_info_callback(ctx->ctx, info_callback);
+
+    return true;
 }
 
 void