Error: Unsupported TLS Protocol Detected

OpenVPN connections are split into two channels: the control channel (used for authentication and managing the VPN connection) and the data channel (the internal VPN network traffic). To authenticate and secure the control channel, OpenVPN uses TLS (Transport Layer Security), a cryptographic protocol designed to provide secure communication over a network.

Error Information

Over the years there have been many versions of TLS, including 1.0, 1.1, 1.2, and 1.3 (the most recent). Different versions of TLS define different security mechanisms and standards, and more importantly, remove those that are no longer considered secure. TLS 1.0 and 1.1 are considered deprecated, as they contain mechanisms and standards that are no longer secure.

By default, OpenVPN/OpenSSL will block the use of deprecated TLS protocol versions. Deprecated TLS protocols may be insecure and could potentially allow an attacker to compromise your VPN connection.

If the VPN server you are connecting to attempts to use a deprecated TLS version, the connection attempt will fail and you'll see the message "The VPN connection was not connected as the server tried to use a deprecated or unsupported TLS protocol." You may also see messages similar to "SSL routines::unsupported protocol" in the connection log. OpenVPN 2.6 and OpenSSL 3.0 (the versions used in Viscosity 1.11) block the use of TLS 1.0 and 1.1 by default (TLS 1.2 or later is required).

Error After Updating Viscosity

If you recently updated your copy of Viscosity and are now seeing this error, it's because the OpenVPN server you are connecting to is using a TLS version that is now considered deprecated in the latest version of Viscosity. It likely means that the OpenVPN server is out-of-date and running an old version of OpenVPN or OpenSSL.

Older versions of Viscosity used older versions of OpenVPN and OpenSSL, and so will have accepted the older TLS protocol versions in the past.

Resolving the Error

When the above error message is displayed, Viscosity provides an "Allow deprecated TLS protocols for this connection" checkbox that will allow the VPN connection to connect. This lowers OpenVPN and OpenSSL's security settings to make them compatible with older versions of OpenVPN and allows deprecated TLS protocol versions to be used.

However, this option should be used with care and considered temporary. You should immediately contact your VPN Provider and ask them to update the OpenVPN server to the latest version of OpenVPN (and OpenSSL). This will ensure that your VPN connection is as secure as possible.

Once the OpenVPN server has been updated, you can remove the "Allow deprecated TLS protocols for this connection" setting by adjusting the Compatibility level back to "Latest" in the connection editor.

Configuration for VPN Administrators

If you are an OpenVPN administrator who understands the risks of using a deprecated TLS protocol version, and you would prefer that your Viscosity users not see the above error message, you can adjust the minimum allowed TLS version using the tls-version-min command. For example, add tls-version-min 1.0 to the configuration to allow TLS 1.0 and later to be used.
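
Once the server has been updated, administrators will want to find any configurations that still carry a lowered tls-version-min. The following is an added example, not part of the original article or of Viscosity: it scans OpenVPN configuration text for tls-version-min directives and flags values below TLS 1.2. The function names and the sample configuration (including vpn.example.com) are constructed for illustration.

```python
import re

MIN_ACCEPTED = (1, 2)  # per the article: TLS 1.2 or later is required by default

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
# constructed sample client configuration
client
remote vpn.example.com 1194 udp
;tls-version-min 1.0
tls-version-min 1.0
  tls-version-min 1.2 or-highest  # inline note
"""

def audit_tls_version_min(config_text):
    """Return (line_no, value, verdict) for each tls-version-min directive."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        tokens = []
        for tok in raw.split():
            if tok[0] in "#;":  # the rest of the line is a comment
                break
            tokens.append(tok)
        # Accept both the config-file and the --command-line spelling.
        if not tokens or tokens[0].lstrip("-") != "tls-version-min":
            continue
        value = tokens[1] if len(tokens) > 1 else ""
        m = re.fullmatch(r"(\d+)\.(\d+)", value)
        if not m:
            verdict = "unparseable"
        elif (int(m.group(1)), int(m.group(2))) < MIN_ACCEPTED:
            verdict = "deprecated"  # permits TLS 1.0 or 1.1
        else:
            verdict = "ok"
        findings.append((line_no, value, verdict))
    return findings

def allows_deprecated_tls(config_text):
    """True if any active directive lowers the minimum below TLS 1.2."""
    return any(v == "deprecated" for _, _, v in audit_tls_version_min(config_text))

if __name__ == "__main__":
    for line_no, value, verdict in audit_tls_version_min(SAMPLE):
        print(f"line {line_no}: tls-version-min {value!r} -> {verdict}")
```

Every occurrence is reported rather than only one, so a leftover tls-version-min 1.0 line is visible even when a stricter line also appears in the same file.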