From e36359aa7e5193ad002768e90ae660896a5a0fa6 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Tue, 26 Mar 2024 11:38:53 +0100 Subject: [PATCH] Add bracket in fingerprint message and do not warn about missing verification Github: fixes OpenVPN/openvpn#516 Change-Id: Ia73d53002f4ba2658af18c17cce1b68f79de5781 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240326103853.494572-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28474.html Signed-off-by: Gert Doering (cherry picked from commit 4b95656536be1f402a55ef5dffe140fa78e7eb51) --- src/openvpn/init.c | 3 ++- src/openvpn/ssl_verify.c | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 9f43b629d..7e231ec56 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3632,7 +3632,8 @@ do_option_warnings(struct context *c) && !o->tls_verify && o->verify_x509_type == VERIFY_X509_NONE && !(o->ns_cert_type & NS_CERT_CHECK_SERVER) - && !o->remote_cert_eku) + && !o->remote_cert_eku + && !(o->verify_hash_depth == 0 && o->verify_hash)) { msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."); } diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index c7d779934..930769b77 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -718,8 +718,8 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep const char *hex_fp = format_hex_ex(BPTR(&cert_fp), BLEN(&cert_fp), 0, 1, ":", &gc); msg(D_TLS_ERRORS, "TLS Error: --tls-verify/--peer-fingerprint" - "certificate hash verification failed. (got " - "fingerprint: %s", hex_fp); + "certificate hash verification failed. (got certificate " + "fingerprint: %s)", hex_fp); goto cleanup; } } -- 2.47.3