On Sun, Jul 12, 2020 at 12:29:43AM -0400, Viktor Dukhovni wrote:
>
> The main outstanding issue for which I'm authoring a new PR, is that
> each of the above results in SSL_CONF_cmd() returning an error for
> contexts of the other type or for contexts that are for a specific fixed
> version of TLS or DTLS, and perhaps these errors are not ignored and
> cause issues with context initialisation? The update I'm writing will
> be more forgiving and silently report success when the setting is not
> applicable.

Looking at openconnect's code, it now supports 3 ways:
- DTLSv1_client_method() with DTLS1_BAD_VER.
- DTLS_client_method() with DTLS1_2_VERSION
- A PSK

The first 2 options will overwrite the protocol min and max
version, so whatever is in the config file will not have any
effect.

Kurt