From 87356242baf10c8b2a94d9013e436ed2a0dada53 Mon Sep 17 00:00:00 2001
From: Bernhard Schmidt <berni@debian.org>
Date: Wed, 20 Feb 2019 14:11:46 +0100
Subject: New upstream version 2.4.7

---
 src/openvpn/crypto_openssl.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

(limited to 'src/openvpn/crypto_openssl.c')

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index eae2b91..71602f3 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -199,7 +199,16 @@ crypto_print_openssl_errors(const unsigned int flags)
                 "in common with the client. Your --tls-cipher setting might be "
                 "too restrictive.");
         }
-
+        else if (ERR_GET_REASON(err) == SSL_R_UNSUPPORTED_PROTOCOL)
+        {
+            msg(D_CRYPT_ERRORS, "TLS error: Unsupported protocol. This typically "
+                 "indicates that client and server have no common TLS version enabled. "
+                 "This can be caused by mismatched tls-version-min and tls-version-max "
+                 "options on client and server. "
+                 "If your OpenVPN client is between v2.3.6 and v2.3.2 try adding "
+                 "tls-version-min 1.0 to the client configuration to use TLS 1.0+ "
+                 "instead of TLS 1.0 only");
+        }
         msg(flags, "OpenSSL: %s", ERR_error_string(err, NULL));
     }
 }
-- 
cgit v1.2.3