From patchwork Mon Jul 20 01:30:10 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Sommerseth X-Patchwork-Id: 1313 X-Patchwork-Delegate: gert@greenie.muc.de Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director9.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id 8Nk2HaaAFV8HKgAAIUCqbw for ; Mon, 20 Jul 2020 07:31:50 -0400 Received: from proxy17.mail.ord1d.rsapps.net ([172.30.191.6]) by director9.mail.ord1d.rsapps.net with LMTP id ABUKHaaAFV/FJQAAalYnBA ; Mon, 20 Jul 2020 07:31:50 -0400 Received: from smtp19.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy17.mail.ord1d.rsapps.net with LMTP id 4DakHKaAFV99EgAAWC7mWg ; Mon, 20 Jul 2020 07:31:50 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp19.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=fail (p=none; dis=none) header.from=openvpn.net X-Suspicious-Flag: YES X-Classification-ID: 9a02c7c2-ca7c-11ea-a536-525400d67fa8-1-1 Received: from [216.105.38.7] ([216.105.38.7:54480] helo=lists.sourceforge.net) by smtp19.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id C3/3D-01771-6A0851F5; Mon, 20 Jul 2020 07:31:50 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1jxU0n-0007Ss-Sd; Mon, 20 Jul 2020 11:31:13 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jxU0m-0007Sc-KV for openvpn-devel@lists.sourceforge.net; Mon, 20 Jul 2020 11:31:12 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=YwsS5o8rApgB+NCDBUSyoyjzo1+9dSHdk6YMHKIkCHw=; b=bT4E9b5RpSC+j9Ur93x03L10un orYLCi+dwFgjEVlNBAuablKT3UN6SaxV3kXNCJOZe2V+rt6vTxf/AmUzRlzgSDfx1dfDUNqKHEhF4 K6qNCgS/ypeWp7nvLNom/KbiX7a/fSDE8FhiZIDH7fDCMRPNWf0i0SZ2CEKmtFTZexeE=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=YwsS5o8rApgB+NCDBUSyoyjzo1+9dSHdk6YMHKIkCHw=; b=V3FdeYIsL/Rz0sDp1VlPcdmM/p IESHcXrIbnfnewXTwBMEiKURhcEK3ZQLGMMXVZU02ImnlFUJ2CHzDyjscK4SLdWe+rLy4zzMIN0up 4u/3yKAM0+8sJauZ7yfIX6oyRW2i9Pc9cuCz4VTEcxUBUd51qLG7DMbn0hgYv3GS3N5I=; Received: from mx0.basenordic.cloud ([185.212.44.139]) by sfi-mx-3.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1jxU0k-00Ag5P-TR for openvpn-devel@lists.sourceforge.net; Mon, 20 Jul 2020 11:31:12 +0000 Received: from localhost (unknown [IPv6:::1]) by mx0.basenordic.cloud (Postfix) with ESMTP id 302B982EC29 for ; Mon, 20 Jul 2020 11:30:57 +0000 (UTC) Received: from mx0.basenordic.cloud ([IPv6:::1]) by localhost (winterfell.topphemmelig.net [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id uAL50jdijE46 for ; Mon, 20 Jul 2020 13:30:52 +0200 (CEST) Received: from zimbra.sommerseth.email (zimbra.sommerseth.email [172.16.33.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx0.basenordic.cloud (Postfix) with ESMTPS id 646178195C4 for ; Mon, 20 Jul 2020 13:30:52 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by zimbra.sommerseth.email (Postfix) with ESMTP id 155A84015589 for ; Mon, 20 Jul 2020 13:30:31 +0200 (CEST) Received: from zimbra.sommerseth.email ([127.0.0.1]) by localhost (zimbra.sommerseth.email [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id F750npNOmVCh for ; Mon, 20 Jul 2020 13:30:31 +0200 (CEST) Received: from optimus.homebase.sommerseths.net (unknown [10.35.7.3]) by zimbra.sommerseth.email (Postfix) with ESMTPS id 8EBF84015588 for ; Mon, 20 Jul 2020 13:30:14 +0200 (CEST) From: David Sommerseth To: openvpn-devel@lists.sourceforge.net Date: Mon, 20 Jul 2020 13:30:10 +0200 Message-Id: <20200720113010.10450-1-davids@openvpn.net> X-Mailer: git-send-email 2.26.0 In-Reply-To: <20200720111840.7527-1-davids@openvpn.net> References: <20200720111840.7527-1-davids@openvpn.net> MIME-Version: 1.0 X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -0.0 SPF_HELO_PASS SPF: HELO matches SPF record 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1jxU0k-00Ag5P-TR Subject: [Openvpn-devel] [PATCH v2] Remove --client-cert-not-required X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox This removes support for the --client-cert-not-required option. To avoid starting a server with this option just ignored, which would make it impossible for existing clients to connect it will exit with instructions to replace this option with --verify-client-cert none. Signed-off-by: David Sommerseth Acked-by: Gert Doering --- v2 - Include update to Changes.rst --- Changes.rst | 4 ++++ src/openvpn/options.c | 9 +++------ src/plugins/auth-pam/README.auth-pam | 2 +- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/Changes.rst b/Changes.rst index 34abcd97..a1d88a71 100644 --- a/Changes.rst +++ b/Changes.rst @@ -38,6 +38,10 @@ https://community.openvpn.net/openvpn/wiki/DeprecatedOptions This option was made into a NOOP option with OpenVPN 2.4. This has now been completely removed. +- ``--client-cert-not-required`` has been removed + This option will now cause server configurations to not start. Use + ``--verify-client-cert none`` instead. + User-visible Changes -------------------- - If multiple connect handlers are used (client-connect, ccd, connect diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 1d9e5e5f..5a81b0c2 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -446,8 +446,6 @@ static const char usage_message[] = " Only valid in a client-specific config file.\n" "--disable : Client is disabled.\n" " Only valid in a client-specific config file.\n" - "--client-cert-not-required : (DEPRECATED) Don't require client certificate, client\n" - " will authenticate using username/password.\n" "--verify-client-cert [none|optional|require] : perform no, optional or\n" " mandatory client certificate verification.\n" " Default is to require the client to supply a certificate.\n" @@ -2476,7 +2474,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec } if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) { - msg(M_USAGE, "--client-cert-not-required and --verify-client-cert require --mode server"); + msg(M_USAGE, "--verify-client-cert require --mode server"); } if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) { @@ -2539,7 +2537,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) { msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION " - "--verify-client-cert none|optional (or --client-cert-not-required) " + "--verify-client-cert none|optional " "may accept clients which do not present a certificate"); } @@ -6935,8 +6933,7 @@ add_option(struct options *options, else if (streq(p[0], "client-cert-not-required") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); - options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED; - msg(M_WARN, "DEPRECATED OPTION: --client-cert-not-required, use --verify-client-cert instead"); + msg(M_FATAL, "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead"); } else if (streq(p[0], "verify-client-cert") && !p[2]) { diff --git a/src/plugins/auth-pam/README.auth-pam b/src/plugins/auth-pam/README.auth-pam index 64b3ace7..e3ca027e 100644 --- a/src/plugins/auth-pam/README.auth-pam +++ b/src/plugins/auth-pam/README.auth-pam @@ -60,7 +60,7 @@ is to be answered with the constant value "mydomain.com": The following OpenVPN directives can also influence the operation of this plugin: - client-cert-not-required + verify-client-cert none username-as-common-name static-challenge