From 57637d0f677d824dacdc83d858357ccc80723f45 Mon Sep 17 00:00:00 2001 From: Steffan Karger Date: Sat, 4 Mar 2017 19:49:57 +0100 Subject: [PATCH] Deprecate --ns-cert-type The nsCertType x509 extension is very old, and barely used. We already have had an alternative for a long time: --remote-cert-tls uses the far more common keyUsage and extendedKeyUsage extensions instead. OpenSSL 1.1 longer exposes an API to (separately) check the nsCertType x509 extension. Since we want be able to migrate to OpenSSL 1.1, we should deprecate this option immediately. Signed-off-by: Steffan Karger Acked-by: Gert Doering Message-Id: <1488653397-2309-1-git-send-email-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14222.html Signed-off-by: Gert Doering (cherry picked from commit 2dc332266449d5378f1fe04f950cbebf128ec9c9) --- Changes.rst | 13 +++++++++++-- doc/openvpn.8 | 8 ++++++-- src/openvpn/init.c | 4 ++++ src/openvpn/options.c | 4 ++-- tests/t_client.rc-sample | 2 +- 5 files changed, 24 insertions(+), 7 deletions(-) diff --git a/Changes.rst b/Changes.rst index 7ffd89e0e..0af29e327 100644 --- a/Changes.rst +++ b/Changes.rst @@ -1,5 +1,5 @@ -Version 2.4.0 -============= +Overview of changes in 2.4 +========================== New features @@ -302,3 +302,12 @@ Maintainer-visible changes header combinations. In most of these situations it is recommended to use -std=gnu99 in CFLAGS. This is known to be needed when doing i386/i686 builds on RHEL5. + + +Version 2.4.1 +============= + - ``--ns-cert-type`` is deprecated. Use ``--remote-cert-tls`` instead. + The nsCertType x509 extension is very old, and barely used. + ``--remote-cert-tls`` uses the far more common keyUsage and extendedKeyUsage + extension instead. Make sure your certificates carry these to be able to + use ``--remote-cert-tls``. diff --git a/doc/openvpn.8 b/doc/openvpn.8 index e3d603e12..f6822ec71 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 
@@ -327,7 +327,7 @@ http\-proxy 192.168.0.8 8080 persist\-key persist\-tun pkcs12 client.p12 -ns\-cert\-type server +remote\-cert\-tls server verb 3 .in -4 .ft @@ -5313,7 +5313,11 @@ as X509__=. Multiple options can be defined to track multiple attributes. .\"********************************************************* .TP -.B \-\-ns\-cert\-type client|server +.B \-\-ns\-cert\-type client|server (DEPRECATED) +This option is deprecated. Use the more modern equivalent +.B \-\-remote\-cert\-tls +instead. This option will be removed in OpenVPN 2.5. + Require that peer certificate was signed with an explicit .B nsCertType designation of "client" or "server". diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 8f9578d09..c7e6fd1ae 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3004,6 +3004,10 @@ do_option_warnings(struct context *c) { msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."); } + if (o->ns_cert_type) + { + msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead."); + } #endif /* ifdef ENABLE_CRYPTO */ /* If a script is used, print appropiate warnings */ diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 6682bb76b..a104bb075 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
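Review bot: The new warning in do_option_warnings says the option is deprecated but omits the removal target that the man page hunk in this same patch states ("will be removed in OpenVPN 2.5"), so an operator who only reads logs gets less notice than one reading the manual; `msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED and will be removed in OpenVPN 2.5. Use --remote-cert-tls instead.");`. Where --ns-cert-type is the only peer-certificate verification method configured, the migration hint matters for security: --remote-cert-tls only works if the certificates carry keyUsage/extendedKeyUsage (as the Changes.rst entry notes), so it would be worth saying so here too rather than having users switch and find verification failing. The new check sits under the ENABLE_CRYPTO guard, and do_option_warnings begins before and continues after this hunk.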
@@ -636,8 +636,8 @@ static const char usage_message[] = "--verify-x509-name name: Accept connections only from a host with X509 subject\n" " DN name. The remote host must also pass all other tests\n" " of verification.\n" - "--ns-cert-type t: Require that peer certificate was signed with an explicit\n" - " nsCertType designation t = 'client' | 'server'.\n" + "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n" + " an explicit nsCertType designation t = 'client' | 'server'.\n" "--x509-track x : Save peer X509 attribute x in environment for use by\n" " plugins and management interface.\n" #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000 diff --git a/tests/t_client.rc-sample b/tests/t_client.rc-sample index 4fdea4876..355e8bb8a 100644 --- a/tests/t_client.rc-sample +++ b/tests/t_client.rc-sample @@ -40,7 +40,7 @@ TEST_RUN_LIST="1 2" # OPENVPN_BASE_P2MP="--client --ca $CA_CERT \ --cert $CLIENT_CERT --key $CLIENT_KEY \ - --ns-cert-type server --nobind --comp-lzo --verb 3" + --remote-cert-tls server --nobind --comp-lzo --verb 3" # base config for p2p tests # -- 2.47.2
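Review bot: The rewritten first usage line for --ns-cert-type carries a trailing space before the `\n` ("signed with \n"), which the removed line did not; `"--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with\n"`. Since the man page and the runtime warning both name the replacement, the usage text could do the same for consistency, e.g. a third line `"                  Use --remote-cert-tls instead.\n"` in the existing column layout. usage_message is a static array that starts before and continues past this hunk.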
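Review bot: Switching the sample p2mp base config from `--ns-cert-type server` to `--remote-cert-tls server` changes what the test expects of the server certificate: the verification now presumably depends on keyUsage/extendedKeyUsage being present, which this patch does not show the test CA producing. If the certificates used by t_client lack those extensions the connection test will fail on certificate verification rather than on the feature under test, so a comment above OPENVPN_BASE_P2MP such as `# --remote-cert-tls requires keyUsage/extendedKeyUsage in the server certificate` would save the next person some debugging.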