| Message ID | 20210322091621.7864-1-arne@rfc2549.org |
|---|---|
| State | Accepted |
| Delegated to: | Antonio Quartulli |
| Headers | show |
| Series | None | expand |
Hi, On 22/03/2021 10:16, Arne Schwabe wrote: > Despite trying to figure out with multiple people what the use case for > this option is, we could not come up with a good one. Checking that only > a specific CA is used can be also done by only using that CA in the --ca > directive. > > Although it feels a bit strange to deprecate the option after improving > it with peer-fingerprint patches, all the improvements are needed for > --peer-fingerprint and making them specify to --peer-fingerprint would > have added more (unecessary) changes. > > Patch v3: rebased on v3 version of other patches. > > Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net>
Your patch has been applied to the master branch.
Only limited client-side testing (compile + t_client on one platform),
staring-at-code suggests that no surprises are lurking.
commit 5b8a1231b90697774ae1dea98603bbbb9b5d9809
Author: Arne Schwabe
Date: Mon Mar 22 10:16:21 2021 +0100
Deprecate the --verify-hash option
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210322091621.7864-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21779.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--
kind regards,
Gert Doering
diff --git a/Changes.rst b/Changes.rst index c0e0d5d9..01018b62 100644 --- a/Changes.rst +++ b/Changes.rst @@ -32,6 +32,9 @@ Deprecated features This was a very limited and not-well-tested way to run OpenVPN, on TCP and TAP mode only. +``verify-hash`` has been deprecated + This option has very limited usefulness and should be replaced by either + a better ``--ca`` configuration or with a ``--tls-verify`` script. Overview of changes in 2.5 ========================== diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index cfe1ec98..1b10f1e8 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -564,7 +564,7 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa :code:`1.2`. --verify-hash args - Specify SHA1 or SHA256 fingerprint for level-1 cert. + **DEPRECATED** Specify SHA1 or SHA256 fingerprint for level-1 cert. Valid syntax: :: diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 4eee3a8a..1f6c05aa 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -8140,6 +8140,9 @@ add_option(struct options *options, int verify_hash_depth = 0; if (streq(p[0], "verify-hash")) { + msg(M_WARN, "DEPRECATED OPTION: The option --verify-hash is deprecated. " + "You should switch to the either use the level 1 certificate as " + "--ca option, use --tls-verify or use --peer-fingerprint"); /* verify level 1 cert, i.e. the CA that signed the leaf cert */ verify_hash_depth = 1; } @@ -8160,8 +8163,6 @@ add_option(struct options *options, if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1"))) { options->verify_hash_algo = MD_SHA1; - msg(M_WARN, "DEPRECATED FEATURE: Usage of SHA1 fingerprints for " - "verify-hash is deprecated. You should switch to SHA256."); options->verify_hash_algo = SHA_DIGEST_LENGTH; digest_len = SHA_DIGEST_LENGTH; }
Despite trying to figure out with multiple people what the use case for this option is, we could not come up with a good one. Checking that only a specific CA is used can be also done by only using that CA in the --ca directive. Although it feels a bit strange to deprecate the option after improving it with peer-fingerprint patches, all the improvements are needed for --peer-fingerprint and making them specify to --peer-fingerprint would have added more (unecessary) changes. Patch v3: rebased on v3 version of other patches. Signed-off-by: Arne Schwabe <arne@rfc2549.org> --- Changes.rst | 3 +++ doc/man-sections/tls-options.rst | 2 +- src/openvpn/options.c | 5 +++-- 3 files changed, 7 insertions(+), 3 deletions(-)