| Message ID | 20210319142001.2201-4-arne@rfc2549.org |
|---|---|
| State | Superseded |
| Delegated to: | Antonio Quartulli |
| Headers | show |
| Series | [Openvpn-devel,v2,1/5] Extend verify-hash to allow multiple hashes | expand |
Hi, On 19/03/2021 15:20, Arne Schwabe wrote: > Despite trying to figure out with multiple people what the use case for > this option is, we could not come up with a good one. Checking that only > a specific CA is used can be also done by only using that CA in the --ca > directive. > > Although it feels a bit strange to deprecate the option after improving > it with peer-fingerprint patches, all the improvements are needed for > --peer-fingerprint and making them specify to --peer-fingerprint would > have added more (unecessary) changes. > > Signed-off-by: Arne Schwabe <arne@rfc2549.org> This patch looks good to me, but it does not apply on top of the previous 4. Maybe it was committed without considering the old 4/4? Regards,
Am 21.03.21 um 18:22 schrieb Antonio Quartulli: > Hi, > > On 19/03/2021 15:20, Arne Schwabe wrote: >> Despite trying to figure out with multiple people what the use case for >> this option is, we could not come up with a good one. Checking that only >> a specific CA is used can be also done by only using that CA in the --ca >> directive. >> >> Although it feels a bit strange to deprecate the option after improving >> it with peer-fingerprint patches, all the improvements are needed for >> --peer-fingerprint and making them specify to --peer-fingerprint would >> have added more (unecessary) changes. >> >> Signed-off-by: Arne Schwabe <arne@rfc2549.org> > > This patch looks good to me, but it does not apply on top of the > previous 4. Maybe it was committed without considering the old 4/4? > This patch conflicts since the grammar in the previous patch was fixed. If there is nothing else wrong with it I can resend a rebased v3. Arne
Hi, On 21/03/2021 18:38, Arne Schwabe wrote: > This patch conflicts since the grammar in the previous patch was fixed. > If there is nothing else wrong with it I can resend a rebased v3. That was it. Feel free to send v3. Cheers,
diff --git a/Changes.rst b/Changes.rst index f1674835..732387f2 100644 --- a/Changes.rst +++ b/Changes.rst @@ -26,6 +26,9 @@ Deprecated features This was a very limited and not-well-tested way to run OpenVPN, on TCP and TAP mode only. +``verify-hash`` has been deprecated + This option has very limited usefulness and should be replaced by either + a better ``--ca`` configuration or with a ``--tls-verify`` script. Overview of changes in 2.5 ========================== diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index 8f5e37cb..00ea063a 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -564,7 +564,7 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa :code:`1.2`. --verify-hash args - Specify SHA1 or SHA256 fingerprint for level-1 cert. + **DEPRECATED** Specify SHA1 or SHA256 fingerprint for level-1 cert. Valid syntax: :: diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 27ed813d..1ddcf7bf 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -8142,6 +8142,9 @@ add_option(struct options *options, int verify_hash_depth = 0; if (streq(p[0], "verify-hash")) { + "DEPRECATED OPTION: The option --verify-hash is deprecated. " + "You should switch to the either use the level 1 certificate as " + "--ca option, use --tls-verify or use --peer-fingerprint"; /* verify level 1 cert, i.e. the CA that signed the leaf cert */ verify_hash_depth = 1; } @@ -8164,9 +8167,6 @@ add_option(struct options *options, if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1"))) { options->verify_hash_algo = MD_SHA1; - msg(M_WARN, "DEPRECATED FEATURE: Usage of SHA1 fingerprints for " - "verify-hash is deprecated. You should switch to the " - "SHA256."); options->verify_hash_algo = SHA_DIGEST_LENGTH; digest_len = SHA_DIGEST_LENGTH; }
Despite trying to figure out with multiple people what the use case for this option is, we could not come up with a good one. Checking that only a specific CA is used can be also done by only using that CA in the --ca directive. Although it feels a bit strange to deprecate the option after improving it with peer-fingerprint patches, all the improvements are needed for --peer-fingerprint and making them specify to --peer-fingerprint would have added more (unecessary) changes. Signed-off-by: Arne Schwabe <arne@rfc2549.org> --- Changes.rst | 3 +++ doc/man-sections/tls-options.rst | 2 +- src/openvpn/options.c | 6 +++--- 3 files changed, 7 insertions(+), 4 deletions(-)