From: Antonio Quartulli Date: Thu, 13 Nov 2025 21:21:38 +0000 (+0100) Subject: options: remove --opt-verify functionality X-Git-Tag: v2.7_rc2~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c716b3b8bf5945e326c5ac7a8b04de9c0c6a4c8f;p=thirdparty%2Fopenvpn.git options: remove --opt-verify functionality As previously agreed, the --opt-verify directive is deprecated and can be fully removed as of OpenVPN 2.7.0. GitHub: closes OpenVPN/openvpn#901 Change-Id: Ia60a393a296f23ac1090d0f2016b5682649ed490 Signed-off-by: Antonio Quartulli Acked-by: Gert Doering Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1375 Message-Id: <20251113212143.30034-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34403.html Signed-off-by: Gert Doering --- diff --git a/Changes.rst b/Changes.rst index 8bdb2b0a0..457d3a7a5 100644 --- a/Changes.rst +++ b/Changes.rst @@ -236,6 +236,9 @@ Using ``--push`` in a mode that is not ``--mode server`` will now print a ``--reneg-bytes`` and ``--reneg-packets`` do not work in DCO mode, and will now print an appropriate warning. +``--opt-verify`` feature removed + This option was already deprecated and it is now being converted to a + no-op. Using this option will only print a warning. User-visible Changes -------------------- diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index ade4d41c7..5243a060b 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst 
@@ -413,19 +413,6 @@ fast hardware. SSL/TLS authentication must be used in this mode. Note that this directive affects OpenVPN's internal routing table, not the kernel routing table. ---opt-verify - **DEPRECATED** Clients that connect with options that are incompatible with - those of the server will be disconnected. - - Options that will be compared for compatibility include ``dev-type``, - ``link-mtu``, ``tun-mtu``, ``proto``, ``ifconfig``, - ``comp-lzo``, ``fragment``, ``keydir``, ``cipher``, - ``auth``, ``keysize``, - ``tls-auth``, ``key-method``, ``tls-server`` - and ``tls-client``. - - This option requires that ``--disable-occ`` NOT be used. - --override-username username Sets the username of a connection to the specified username. This username will also be used by ``--auth-gen-token``. However, the overridden diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst index 11467ca1b..e8e76eb8d 100644 --- a/doc/man-sections/unsupported-options.rst +++ b/doc/man-sections/unsupported-options.rst @@ -44,4 +44,8 @@ longer supported Removed in OpenVPN 2.6. We now always use the PRNG of the SSL library. --persist-key - Ignored since OpenVPN 2.7. Keys are now always persisted across restarts. \ No newline at end of file + Ignored since OpenVPN 2.7. Keys are now always persisted across restarts. + +--opt-verify + Removed in OpenVPN 2.7. This option does not make sense anymore as option + strings may not match due to the introduction of parameters negotiation. diff --git a/src/openvpn/options.c b/src/openvpn/options.c index ecf93749d..683543a8f 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -472,8 +472,6 @@ static const char usage_message[] = " OTP based two-factor auth mechanisms are in use and\n" " --reneg-* options are enabled. Optionally a lifetime in seconds\n" " for generated tokens can be set.\n" - "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n" - " with those of the server will be disconnected.\n" "--auth-user-pass-optional : Allow connections by clients that don't\n" " specify a username/password.\n" "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n" @@ -2666,7 +2664,6 @@ options_postprocess_verify_ce(const struct options *options, const struct connec "verify-client-cert"); MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME, "username-as-common-name"); MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL, "auth-user-pass-optional"); - MUST_BE_FALSE(options->ssl_flags & SSLF_OPT_VERIFY, "opt-verify"); if (options->server_flags & SF_TCP_NODELAY_HELPER) { msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not " @@ -7450,9 +7447,7 @@ add_option(struct options *options, char *p[], bool is_inline, const char *file, else if (streq(p[0], "opt-verify") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); - msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed " - "in OpenVPN 2.7"); - options->ssl_flags |= SSLF_OPT_VERIFY; + msg(M_INFO, "DEPRECATED OPTION: --opt-verify was removed in OpenVPN 2.7."); } else if (streq(p[0], "auth-user-pass-verify") && p[1]) { diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index d7f55dd82..896fd651e 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c 
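Review bot: The replacement line in add_option logs the removal at M_INFO, `msg(M_INFO, "DEPRECATED OPTION: --opt-verify was removed in OpenVPN 2.7.");`, while the Changes.rst entry in this same commit says using the option "will only print a warning"; an operator who kept --opt-verify to force disconnection of clients with mismatched cipher/auth/tls-auth settings now silently loses that enforcement unless they read info-level logs. Emitting it with `msg(M_WARN, ...)` would match the documented behaviour, and the wording could name what replaces it so the loss of enforcement is visible, e.g. `msg(M_WARN, "DEPRECATED OPTION: --opt-verify was removed in OpenVPN 2.7 and is ignored; option mismatches are now handled by parameter negotiation.");`. Whether the other removed-option branches in this file use M_WARN is not visible in this hunk, so the level should follow whatever they do. The enclosing add_option function starts and ends outside the hunk.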
@@ -2334,13 +2334,6 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio #endif options_warning(options, remote_options); - - if (session->opt->ssl_flags & SSLF_OPT_VERIFY) - { - msg(D_TLS_ERRORS, - "Option inconsistency warnings triggering disconnect due to --opt-verify"); - ks->authenticated = KS_AUTH_FALSE; - } } buf_clear(buf); diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index de89d307f..23da8cf5d 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -425,7 +425,7 @@ struct tls_options #define SSLF_CLIENT_CERT_OPTIONAL (1u << 1) #define SSLF_USERNAME_AS_COMMON_NAME (1u << 2) #define SSLF_AUTH_USER_PASS_OPTIONAL (1u << 3) -#define SSLF_OPT_VERIFY (1u << 4) +/* (1u << 4) free for usage */ #define SSLF_CRL_VERIFY_DIR (1u << 5) #define SSLF_TLS_VERSION_MIN_SHIFT 6 #define SSLF_TLS_VERSION_MIN_MASK 0xFu /* (uses bit positions 6 to 9) */