From: Frank Lichtenheld Date: Wed, 10 Dec 2025 08:56:20 +0000 (+0100) Subject: Correct documentation for --ns-cert-type X-Git-Tag: v2.7_rc4~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a0813a9d219a824196a0bc782bf7af17af027ed6;p=thirdparty%2Fopenvpn.git Correct documentation for --ns-cert-type Our documentation claimed this option was removed. But it was not, for compatiblity reasons. So reflect the correct status. Change-Id: I1d1851eaebe8bf66c92dac3c8c10f68b1ec3ef33 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1428 Message-Id: <20251210085625.32174-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34984.html Signed-off-by: Gert Doering --- diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index 846dfddbe..c4aa810b4 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -222,6 +222,17 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa ``--cert file`` above). URI is supported only when built with OpenSSL 3.0 or later and any required providers are loaded. (See ``--cert`` for more details). +--ns-cert-type type + **DEPRECATED** The ``--remote-cert-tls`` option should be used instead. + The option is still available since it can't be silently ignored and needs + updates to certificates and configs on both sides of the connection. + However it should not be used for new clients or servers. It depends on the + deprecated ``nsCertType`` certificate field. + + Might not work depending on the TLS library used. + + Will be removed in a future release. + --pkcs12 file Specify a PKCS #12 file containing local private key, local certificate, and root CA certificate. This option can be used instead of ``--ca``, diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst index 6e773332b..b646991ff 100644 --- a/doc/man-sections/unsupported-options.rst +++ b/doc/man-sections/unsupported-options.rst @@ -44,12 +44,6 @@ longer supported VPN tunnel security. Previously we claimed to have removed this in OpenVPN 2.5, but this wasn't actually the case. ---ns-cert-type - Removed in OpenVPN 2.5. The ``nsCertType`` field is no longer supported - in recent SSL/TLS libraries. If your certificates does not include *key - usage* and *extended key usage* fields, they must be upgraded and the - ``--remote-cert-tls`` option should be used instead. - --prng Removed in OpenVPN 2.6. We now always use the PRNG of the SSL library.