From: David Sommerseth
Date: Wed, 28 Jun 2017 19:15:38 +0000 (+0200)
Subject: doc: The CRL processing is not a deprecated feature
X-Git-Tag: v2.5_beta1~642
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f9ebfe1b5a011e55fb87a5026b1897c8ffb8f75e;p=thirdparty%2Fopenvpn.git

doc: The CRL processing is not a deprecated feature

The note related to the CRL processing was somehow put into the deprecated section. This is quite confusing. Since this is a fairly important change, and there have been a noticeable number of support questions related to OpenVPN not starting due to CRL errors, I put this into the "New features" section labelled as an improvement. Otherwise I fear this would drown in the list of "User-visible Changes" later on.

Signed-off-by: David Sommerseth
Acked-by: Steffan Karger
Message-Id: <20170628191538.9135-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14985.html
Signed-off-by: Gert Doering
---
diff --git a/Changes.rst b/Changes.rst index 9db0a451b..0b2b04ddb 100644 --- a/Changes.rst +++ b/Changes.rst @@ -44,6 +44,13 @@ ECDH key exchange The TLS control channel now supports for elliptic curve diffie-hellmann key exchange (ECDH). +Improved Certificate Revocation List (CRL) processing + CRLs are now handled by the crypto library (OpenSSL or mbed TLS), instead + of inside OpenVPN itself. The crypto library implementations are more + strict than the OpenVPN implementation was. This might reject peer + certificates that would previously be accepted. If this occurs, OpenVPN + will log the crypto library's error description. + Dualstack round-robin DNS client connect Instead of only using the first address of each ``--remote`` OpenVPN will now try all addresses (IPv6 and IPv4) of a ``--remote`` entry. 
@@ -160,12 +167,6 @@ Deprecated features will then use ``--key-method 2`` by default. Note that this requires changing the option in both the client and server side configs. -- CRLs are now handled by the crypto library (OpenSSL or mbed TLS), instead of - inside OpenVPN itself. The crypto library implementations are more strict - than the OpenVPN implementation was. This might reject peer certificates - that would previously be accepted. If this occurs, OpenVPN will log the - crypto library's error description. - - ``--tls-remote`` is removed in 2.4, as indicated in the 2.3 man-pages. Similar functionality is provided via ``--verify-x509-name``, which does the same job in a better way.
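Review bot: in the first hunk (Changes.rst, "New features" around line 44), the relocated entry only says that stricter library checks "might reject peer certificates", while the commit message gives the actual support symptom as OpenVPN not starting due to CRL errors; consider adding a sentence that a CRL the crypto library refuses to load can also prevent OpenVPN from starting, since that is the case an administrator searching the changelog will be looking for. Two drive-by fixes in the unchanged context lines of the same hunk are worth a follow-up: "now supports for elliptic curve" should read "now supports elliptic curve", and "diffie-hellmann" is misspelled (Diffie-Hellman).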
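Review bot: the second hunk (Changes.rst, "Deprecated features" around line 160) removes the CRL bullet together with its trailing blank line, so the spacing before the ``--tls-remote`` item is unchanged and the list still renders correctly; the removed wording is identical to the text added under "New features", so the move loses nothing. No further issues with this hunk.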