From patchwork Wed Nov 12 15:38:29 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4591
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 12 Nov 2025 16:38:29 +0100
Message-ID: <20251112153836.8437-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.49.1
Subject: [Openvpn-devel] [PATCH v1] drop --opt-verify functionality

From: Antonio Quartulli

As previously agreed, the --opt-verify directive is deprecated and can be
fully removed as of 2.7.0.

GitHub: closes OpenVPN/openvpn#901

Change-Id: Ia60a393a296f23ac1090d0f2016b5682649ed490
Signed-off-by: Antonio Quartulli
Acked-by: Gert Doering
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1375
---

This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1375
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
    Gert Doering

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index ecf9374..9308bc3 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -472,8 +472,6 @@ " OTP based two-factor auth mechanisms are in use and\n" " --reneg-* options are enabled. Optionally a lifetime in seconds\n" " for generated tokens can be set.\n" - "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n" - " with those of the server will be disconnected.\n" "--auth-user-pass-optional : Allow connections by clients that don't\n" " specify a username/password.\n" "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n" @@ -2666,7 +2664,6 @@ "verify-client-cert"); MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME, "username-as-common-name"); MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL, "auth-user-pass-optional"); - MUST_BE_FALSE(options->ssl_flags & SSLF_OPT_VERIFY, "opt-verify"); if (options->server_flags & SF_TCP_NODELAY_HELPER) { msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not " @@ -7447,13 +7444,6 @@ VERIFY_PERMISSION(OPT_P_GENERAL); options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL; } - else if (streq(p[0], "opt-verify") && !p[1]) - { - VERIFY_PERMISSION(OPT_P_GENERAL); - msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed " - "in OpenVPN 2.7"); - options->ssl_flags |= SSLF_OPT_VERIFY; - } else if (streq(p[0], "auth-user-pass-verify") && p[1]) { VERIFY_PERMISSION(OPT_P_SCRIPT); diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 398c9ae..2f08c43 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2343,13 +2343,6 @@ #endif options_warning(options, remote_options); - - if (session->opt->ssl_flags & SSLF_OPT_VERIFY) - { - msg(D_TLS_ERRORS, - "Option inconsistency warnings triggering disconnect due to --opt-verify"); - ks->authenticated = KS_AUTH_FALSE; - } } buf_clear(buf); diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index de89d30..4c8efd5 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h 
@@ -425,7 +425,7 @@ #define SSLF_CLIENT_CERT_OPTIONAL (1u << 1) #define SSLF_USERNAME_AS_COMMON_NAME (1u << 2) #define SSLF_AUTH_USER_PASS_OPTIONAL (1u << 3) -#define SSLF_OPT_VERIFY (1u << 4) +/* (1u << 4) OPT_VERIFY removed in 2.7, bit can be reused */ #define SSLF_CRL_VERIFY_DIR (1u << 5) #define SSLF_TLS_VERSION_MIN_SHIFT 6 #define SSLF_TLS_VERSION_MIN_MASK 0xFu /* (uses bit positions 6 to 9) */
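Review bot: the help-text deletion in the first options.c hunk (@@ -472) is the only documentation change in the patch; no man-page source or Changes entry is touched in this diff, so if doc/ still describes --opt-verify, or the 2.7 release notes are meant to list removed directives, that update belongs in the same change rather than a follow-up.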
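Review bot: dropping the `else if (streq(p[0], "opt-verify") && !p[1])` branch (options.c @@ -7447) also drops the DEPRECATION message that pointed admins at the removal, so a server config that still carries `opt-verify` gets no targeted hint any more and falls through to whatever handling an unrecognized directive receives at parse time; the commit message only says the directive "can be fully removed", and a sentence stating that existing configs must drop the line before upgrading would save support traffic.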
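Review bot: the ssl.c hunk (@@ -2343) removes the only place where an option mismatch set `ks->authenticated = KS_AUTH_FALSE;`, so after this patch a client/server option inconsistency is reported by `options_warning(options, remote_options)` and the session simply continues. That is the intended effect of the change, but it turns a former enforcement knob into a log-only warning, and the commit message names no replacement for operators who relied on --opt-verify (the GitHub issue is referenced only by number); one line saying what they should use instead, or that no equivalent exists, would make the removal self-explanatory in the history.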
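Review bot: in the ssl_common.h hunk (@@ -425) the replacement comment names the flag as `OPT_VERIFY` rather than the exact macro `SSLF_OPT_VERIFY`; spelling out the full identifier keeps a later `git grep SSLF_OPT_VERIFY` landing on this line, which is the check that matters here, because the define disappears while this patch removes three references (two in options.c, one in ssl.c) and any remaining use elsewhere in the tree would now fail to compile. Reserving bit 4 with a comment instead of renumbering SSLF_CRL_VERIFY_DIR and the SSLF_TLS_VERSION_MIN_SHIFT range that follow keeps the diff minimal and is fine.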