It's disabled by default, and if you add e.g. tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 (a TLS v1.2 cipher) to your server config it silently breaks. The solution is to add tls-version-min 1.2 to both the server and client config, and then it works like a charm. OpenVPN 2.3.3 added support for v1.2, so this won't work with anything older than 2.3.3.