Hi Harold -- it's good to hear from you.
The fact that macOS High Sierra uses LibreSSL instead of OpenSSL shouldn't matter, because Tunnelblick includes its own copies of both libraries and uses them. It does not use the OpenSSL or LibreSSL provided by macOS.
Does it help that the latest Tunnelblick beta defaults to use OpenVPN 2.4 with OpenSSL? The latest stable version will also default to 2.4, too, and I expect to release it later this month.
Perhaps I should be quicker to switch the default to new versions of OpenVPN when they appear. The problem with that is that lots of people need to use older versions because their configurations are old. They tend to be the less sophisticated users, too, so often just think that a Tunnelblick update is broken when it uses a different minor version of OpenVPN (e.g. 2.2 vs. 2.1, 2.3 vs 2.2, and now 2.4 vs. 2.3) as the default. So they end up using an old version of Tunnelblick, which contains old versions of OpenSSL or LibreSSL with vulnerabilities.
That said, I will continue thinking about your suggestion, which I am interpreting as follows:
If the user specifies a specific version of OpenVPN (as opposed to the "default" or "latest" versions), and that version is not available, Tunnelblick will change to use the latest version of OpenVPN with OpenSSL if the specified version used OpenSSL, or the latest version of OpenVPN with LibreSSL if the specified version used LibreSSL.
As long as I'm doing that, I could have Tunnelblick try to use a version of OpenVPN that is the same minor version as the old version. (That is, use 2.3.18 if 2.3.17 isn't available, or 2.4.4 if 2.4.3 isn't available.)
An alternative would be splitting the "Latest" choice into "Latest with OpenSSL" and "Latest with LibreSSL". As long as I'm doing that, I'd change "Default" to "Default with OpenSSL" and add "Default with LibreSSL" for completeness. That's less automatic but more transparent about what is going on.
I'm not sure I want to do any of this, but I'll think about it.