Add bracket in fingerprint message and do not warn about missing verification
authorArne Schwabe <arne@rfc2549.org>
Tue, 26 Mar 2024 10:38:53 +0000 (11:38 +0100)
committerGert Doering <gert@greenie.muc.de>
Tue, 26 Mar 2024 11:31:40 +0000 (12:31 +0100)
Github: fixes OpenVPN/openvpn#516

Change-Id: Ia73d53002f4ba2658af18c17cce1b68f79de5781
Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240326103853.494572-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28474.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/init.c
src/openvpn/ssl_verify.c

index f2ce9264cd90541f9b5693b666deb60762ee5045..02205e7eaf504d5bd02dd96c54ba4a5a8b6d5618 100644 (file)
@@ -3594,7 +3594,8 @@ do_option_warnings(struct context *c)
         && !o->tls_verify
         && o->verify_x509_type == VERIFY_X509_NONE
         && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
-        && !o->remote_cert_eku)
+        && !o->remote_cert_eku
+        && !(o->verify_hash_depth == 0 && o->verify_hash))
     {
         msg(M_WARN, "WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.");
     }
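Review bot: The added clause `!(o->verify_hash_depth == 0 && o->verify_hash)` has no comment saying why only a depth-0 hash silences the MITM warning, and that distinction is the security-relevant part of the change. Presumably depth 0 is the leaf pin configured by --peer-fingerprint, which identifies the server certificate itself, whereas a hash at a higher depth only pins an issuer and does not tell a server certificate apart from any other certificate under that issuer; this should be confirmed against the option parser, which is not visible here. I would add above the new line `/* a depth-0 verify_hash pins the peer certificate itself and so counts as server verification; a hash at depth > 0 does not */`. The enclosing `if` starts above the hunk.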
index c7d7799345c9f750e1016c8c22a6ea45c2aa5479..930769b7796c54bb3e726bb5c4de53c3653096c3 100644 (file)
@@ -718,8 +718,8 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep
             const char *hex_fp = format_hex_ex(BPTR(&cert_fp), BLEN(&cert_fp),
                                                0, 1, ":", &gc);
             msg(D_TLS_ERRORS, "TLS Error: --tls-verify/--peer-fingerprint"
-                "certificate hash verification failed. (got "
-                "fingerprint: %s", hex_fp);
+                "certificate hash verification failed. (got certificate "
+                "fingerprint: %s)", hex_fp);
             goto cleanup;
         }
     }
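Review bot: The logged text still reads `--tls-verify/--peer-fingerprintcertificate hash verification failed`, because the first literal on the unchanged `msg(D_TLS_ERRORS, ...` line ends without a space and is concatenated directly with the next literal. The commit fixes the closing bracket but not this, so the line should become `msg(D_TLS_ERRORS, "TLS Error: --tls-verify/--peer-fingerprint "`. It may also be worth checking whether `--tls-verify` is the intended option name here, since the check being reported is a certificate hash comparison and the hash option may have been meant; that cannot be settled from the hunk. This is the line an operator searches for when a pinned fingerprint does not match, so its exact wording matters for log-based detection. The body of `verify_cert` continues outside the hunk.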