@@ -236,6 +236,9 @@
``--reneg-bytes`` and ``--reneg-packets`` do not work in DCO mode, and will
now print an appropriate warning.
+``--opt-verify`` feature removed
+ This option was already deprecated and it is now being converted to a
+ no-op. Using this option will only print a warning.
User-visible Changes
--------------------
@@ -413,19 +413,6 @@
Note that this directive affects OpenVPN's internal routing table, not
the kernel routing table.
---opt-verify
- **DEPRECATED** Clients that connect with options that are incompatible with
- those of the server will be disconnected.
-
- Options that will be compared for compatibility include ``dev-type``,
- ``link-mtu``, ``tun-mtu``, ``proto``, ``ifconfig``,
- ``comp-lzo``, ``fragment``, ``keydir``, ``cipher``,
- ``auth``, ``keysize``,
- ``tls-auth``, ``key-method``, ``tls-server``
- and ``tls-client``.
-
- This option requires that ``--disable-occ`` NOT be used.
-
--override-username username
Sets the username of a connection to the specified username. This username
will also be used by ``--auth-gen-token``. However, the overridden
@@ -44,4 +44,8 @@
Removed in OpenVPN 2.6. We now always use the PRNG of the SSL library.
--persist-key
- Ignored since OpenVPN 2.7. Keys are now always persisted across restarts.
\ No newline at end of file
+ Ignored since OpenVPN 2.7. Keys are now always persisted across restarts.
+
+--opt-verify
+ Removed in OpenVPN 2.7. This option does not make sense anymore as option
+ strings may not match due to the introduction of parameters negotiation.
@@ -472,8 +472,6 @@
" OTP based two-factor auth mechanisms are in use and\n"
" --reneg-* options are enabled. Optionally a lifetime in seconds\n"
" for generated tokens can be set.\n"
- "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n"
- " with those of the server will be disconnected.\n"
"--auth-user-pass-optional : Allow connections by clients that don't\n"
" specify a username/password.\n"
"--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
@@ -2666,7 +2664,6 @@
"verify-client-cert");
MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME, "username-as-common-name");
MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL, "auth-user-pass-optional");
- MUST_BE_FALSE(options->ssl_flags & SSLF_OPT_VERIFY, "opt-verify");
if (options->server_flags & SF_TCP_NODELAY_HELPER)
{
msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
@@ -7450,9 +7447,7 @@
else if (streq(p[0], "opt-verify") && !p[1])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
- msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed "
- "in OpenVPN 2.7");
- options->ssl_flags |= SSLF_OPT_VERIFY;
+ msg(M_INFO, "DEPRECATED OPTION: --opt-verify was removed in OpenVPN 2.7.");
}
else if (streq(p[0], "auth-user-pass-verify") && p[1])
{
@@ -2334,13 +2334,6 @@
#endif
options_warning(options, remote_options);
-
- if (session->opt->ssl_flags & SSLF_OPT_VERIFY)
- {
- msg(D_TLS_ERRORS,
- "Option inconsistency warnings triggering disconnect due to --opt-verify");
- ks->authenticated = KS_AUTH_FALSE;
- }
}
buf_clear(buf);
@@ -425,7 +425,7 @@
#define SSLF_CLIENT_CERT_OPTIONAL (1u << 1)
#define SSLF_USERNAME_AS_COMMON_NAME (1u << 2)
#define SSLF_AUTH_USER_PASS_OPTIONAL (1u << 3)
-#define SSLF_OPT_VERIFY (1u << 4)
+/* (1u << 4) free for usage */
#define SSLF_CRL_VERIFY_DIR (1u << 5)
#define SSLF_TLS_VERSION_MIN_SHIFT 6
#define SSLF_TLS_VERSION_MIN_MASK 0xFu /* (uses bit positions 6 to 9) */