Despite trying to figure out with multiple people what the use case for
this option is, we could not come up with a good one. Checking that only
a specific CA is used can also be done by only using that CA in the --ca
directive.
Although it feels a bit strange to deprecate the option after improving
it with peer-fingerprint patches, all the improvements are needed for
--peer-fingerprint and making them specific to --peer-fingerprint would
have added more (unnecessary) changes.
Patch v3: rebased on v3 version of other patches.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210322091621.7864-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21779.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This was a very limited and not-well-tested way to run OpenVPN, on TCP
and TAP mode only.
+``verify-hash`` has been deprecated
+ This option has very limited usefulness and should be replaced by either
+ a better ``--ca`` configuration or with a ``--tls-verify`` script.
Overview of changes in 2.5
==========================
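Review bot: the new Changes.rst entry names only ``--ca`` and ``--tls-verify`` as replacements, while the commit message and the new warning added in options.c also point users at ``--peer-fingerprint``; list it here too so the release notes and the runtime warning agree on what to migrate to. The wording "either a better ``--ca`` configuration or with a ``--tls-verify`` script" also reads better as "either a better ``--ca`` configuration or a ``--tls-verify`` script".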
:code:`1.2`.
--verify-hash args
- Specify SHA1 or SHA256 fingerprint for level-1 cert.
+ **DEPRECATED** Specify SHA1 or SHA256 fingerprint for level-1 cert.
Valid syntax:
::
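Review bot: the man page entry for ``--verify-hash`` gains a **DEPRECATED** marker but says nothing about what to use instead; a one-line pointer to ``--ca``, ``--tls-verify`` or ``--peer-fingerprint``, matching the Changes.rst entry, would spare users a trip to the release notes. Since the option still accepts SHA1 fingerprints per the description line, it is also worth saying there that SHA256 is the form to prefer for the remaining lifetime of the option.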
int verify_hash_depth = 0;
if (streq(p[0], "verify-hash"))
{
+ msg(M_WARN, "DEPRECATED OPTION: The option --verify-hash is deprecated. "
+ "You should switch to the either use the level 1 certificate as "
+ "--ca option, use --tls-verify or use --peer-fingerprint");
/* verify level 1 cert, i.e. the CA that signed the leaf cert */
verify_hash_depth = 1;
}
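Review bot: the text of the added msg() call is ungrammatical: "You should switch to the either use the level 1 certificate as --ca option, use --tls-verify or use --peer-fingerprint". Suggest "You should either use the level 1 certificate as --ca, use --tls-verify, or use --peer-fingerprint". M_WARN is the right severity, and since the comment two lines below spells out that this branch checks the level-1 (issuer) certificate, the warning could say so as well, so a user reading the log knows which check they are losing.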
if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1")))
{
options->verify_hash_algo = MD_SHA1;
- msg(M_WARN, "DEPRECATED FEATURE: Usage of SHA1 fingerprints for "
- "verify-hash is deprecated. You should switch to SHA256.");
options->verify_hash_algo = SHA_DIGEST_LENGTH;
digest_len = SHA_DIGEST_LENGTH;
}
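Review bot: removing the SHA1-specific warning means a user who keeps ``--verify-hash`` with a SHA1 fingerprint now sees only the generic deprecation notice and is no longer told that SHA1 itself is the weak choice; if the option stays for a release or two, keeping that line, or folding "prefer SHA256" into the new warning, costs nothing. Separately, the context line `options->verify_hash_algo = SHA_DIGEST_LENGTH;` directly after `options->verify_hash_algo = MD_SHA1;` assigns a digest length to the algorithm field and overwrites the MD_SHA1 just set; if that is what the source really reads, rather than an artifact of how this diff was rendered, it is a bug in the SHA1 branch and needs a look.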