From: David Sommerseth Date: Mon, 20 Jul 2020 11:30:10 +0000 (+0200) Subject: Remove --client-cert-not-required X-Git-Tag: v2.5_beta1~45 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=08469ca1eccc5f0ba68edf5166497ac2efcb72c5;p=thirdparty%2Fopenvpn.git Remove --client-cert-not-required This removes support for the --client-cert-not-required option. To avoid starting a server with this option just ignored, which would make it impossible for existing clients to connect it will exit with instructions to replace this option with --verify-client-cert none. Signed-off-by: David Sommerseth Acked-by: Gert Doering Message-Id: <20200720113010.10450-1-davids@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20502.html Signed-off-by: Gert Doering
---
diff --git a/Changes.rst b/Changes.rst
index 085c16d28..136a20ddf 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -38,6 +38,10 @@ https://community.openvpn.net/openvpn/wiki/DeprecatedOptions This option was made into a NOOP option with OpenVPN 2.4. This has now been completely removed. +- ``--client-cert-not-required`` has been removed This option will now cause server configurations to not start. Use ``--verify-client-cert none`` instead. + - ``--ifconfig-pool-linear`` has been removed This option is removed. Use ``--topology p2p`` instead.
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 2221f5128..b1962ca47 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -441,8 +441,6 @@ static const char usage_message[] =
 " Only valid in a client-specific config file.\n"
 "--disable : Client is disabled.\n"
 " Only valid in a client-specific config file.\n"
- "--client-cert-not-required : (DEPRECATED) Don't require client certificate, client\n"
- " will authenticate using username/password.\n"
 "--verify-client-cert [none|optional|require] : perform no, optional or\n"
 " mandatory client certificate verification.\n"
 " Default is to require the client to supply a certificate.\n"
@@ -2470,7 +2468,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec
 }
 if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
 {
- msg(M_USAGE, "--client-cert-not-required and --verify-client-cert require --mode server");
+ msg(M_USAGE, "--verify-client-cert requires --mode server");
 }
 if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
 {
@@ -2543,7 +2541,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec
 if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
 {
 msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
- "--verify-client-cert none|optional (or --client-cert-not-required) "
+ "--verify-client-cert none|optional "
 "may accept clients which do not present a certificate");
 }
@@ -6938,8 +6936,7 @@ add_option(struct options *options,
 else if (streq(p[0], "client-cert-not-required") && !p[1])
 {
 VERIFY_PERMISSION(OPT_P_GENERAL);
- options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
- msg(M_WARN, "DEPRECATED OPTION: --client-cert-not-required, use --verify-client-cert instead");
+ msg(M_FATAL, "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead");
 }
 else if (streq(p[0], "verify-client-cert") && !p[2])
 {
diff --git a/src/plugins/auth-pam/README.auth-pam b/src/plugins/auth-pam/README.auth-pam
index 64b3ace7f..e3ca027e1 100644
--- a/src/plugins/auth-pam/README.auth-pam
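Review bot: The new M_USAGE text in the `@@ -2470` hunk says `--verify-client-cert requires --mode server`, but the condition it sits under fires only when SSLF_CLIENT_CERT_NOT_REQUIRED or SSLF_CLIENT_CERT_OPTIONAL is set, which (assuming the `require` value sets neither flag, as the flag names suggest) means a client-mode config using the default `require` is not rejected here, so the message overstates the rule. The warning in the following `@@ -2543` hunk already spells out `--verify-client-cert none|optional`, and matching it keeps the two messages consistent: `msg(M_USAGE, "--verify-client-cert none|optional requires --mode server");`. options_postprocess_verify_ce begins and ends outside the hunk.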
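Review bot: In the `@@ -6938` hunk the `client-cert-not-required` branch now ends in `msg(M_FATAL, ...)`, so the `VERIFY_PERMISSION(OPT_P_GENERAL);` that precedes it no longer protects anything: if I read the macro's failure path correctly, a failed permission check would show the user a permission error instead of the removal notice, and a passed check exits anyway. Dropping that line makes the removal message the single outcome for this option wherever it appears. The M_FATAL text itself reads well; a one-line comment above the branch, `/* Removed option: fail hard so a server never starts with it silently ignored */`, would record why this is fatal rather than a warning. add_option continues outside the hunk on both sides.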
+++ b/src/plugins/auth-pam/README.auth-pam @@ -60,7 +60,7 @@ is to be answered with the constant value "mydomain.com": The following OpenVPN directives can also influence the operation of this plugin: - client-cert-not-required + verify-client-cert none username-as-common-name static-challenge