From patchwork Thu Nov 13 21:21:38 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4594
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 13 Nov 2025 22:21:38 +0100
Message-ID: <20251113212143.30034-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.49.1
Subject: [Openvpn-devel] [PATCH v2] options: remove --opt-verify functionality

From: Antonio Quartulli

As previously agreed, the --opt-verify directive is deprecated and can be
fully removed as of OpenVPN 2.7.0.

GitHub: closes OpenVPN/openvpn#901

Change-Id: Ia60a393a296f23ac1090d0f2016b5682649ed490
Signed-off-by: Antonio Quartulli
Acked-by: Gert Doering
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1375
---

This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1375
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above):
    Gert Doering

diff --git a/Changes.rst b/Changes.rst index 8bdb2b0..457d3a7 100644 --- a/Changes.rst +++ b/Changes.rst @@ -236,6 +236,9 @@ ``--reneg-bytes`` and ``--reneg-packets`` do not work in DCO mode, and will now print an appropriate warning. +``--opt-verify`` feature removed + This option was already deprecated and it is now being converted to a + no-op. Using this option will only print a warning. User-visible Changes -------------------- diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index ade4d41..5243a06 100644 --- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst @@ -413,19 +413,6 @@ Note that this directive affects OpenVPN's internal routing table, not the kernel routing table. ---opt-verify - **DEPRECATED** Clients that connect with options that are incompatible with - those of the server will be disconnected. - - Options that will be compared for compatibility include ``dev-type``, - ``link-mtu``, ``tun-mtu``, ``proto``, ``ifconfig``, - ``comp-lzo``, ``fragment``, ``keydir``, ``cipher``, - ``auth``, ``keysize``, - ``tls-auth``, ``key-method``, ``tls-server`` - and ``tls-client``. - - This option requires that ``--disable-occ`` NOT be used. - --override-username username Sets the username of a connection to the specified username. This username will also be used by ``--auth-gen-token``. However, the overridden diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst index 11467ca..e8e76eb 100644 --- a/doc/man-sections/unsupported-options.rst +++ b/doc/man-sections/unsupported-options.rst @@ -44,4 +44,8 @@ Removed in OpenVPN 2.6. We now always use the PRNG of the SSL library. --persist-key - Ignored since OpenVPN 2.7. Keys are now always persisted across restarts. \ No newline at end of file + Ignored since OpenVPN 2.7. Keys are now always persisted across restarts. + +--opt-verify + Removed in OpenVPN 2.7. This option does not make sense anymore as option + strings may not match due to the introduction of parameters negotiation. diff --git a/src/openvpn/options.c b/src/openvpn/options.c index ecf9374..683543a 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -472,8 +472,6 @@ " OTP based two-factor auth mechanisms are in use and\n" " --reneg-* options are enabled. Optionally a lifetime in seconds\n" " for generated tokens can be set.\n" - "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n" - " with those of the server will be disconnected.\n" "--auth-user-pass-optional : Allow connections by clients that don't\n" " specify a username/password.\n" "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n" @@ -2666,7 +2664,6 @@ "verify-client-cert"); MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME, "username-as-common-name"); MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL, "auth-user-pass-optional"); - MUST_BE_FALSE(options->ssl_flags & SSLF_OPT_VERIFY, "opt-verify"); if (options->server_flags & SF_TCP_NODELAY_HELPER) { msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not " @@ -7450,9 +7447,7 @@ else if (streq(p[0], "opt-verify") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); - msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed " - "in OpenVPN 2.7"); - options->ssl_flags |= SSLF_OPT_VERIFY; + msg(M_INFO, "DEPRECATED OPTION: --opt-verify was removed in OpenVPN 2.7."); } else if (streq(p[0], "auth-user-pass-verify") && p[1]) { diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index d7f55dd..896fd65 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2334,13 +2334,6 @@ #endif options_warning(options, remote_options); - - if (session->opt->ssl_flags & SSLF_OPT_VERIFY) - { - msg(D_TLS_ERRORS, - "Option inconsistency warnings triggering disconnect due to --opt-verify"); - ks->authenticated = KS_AUTH_FALSE; - } } buf_clear(buf); diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index de89d30..23da8cf 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h 
@@ -425,7 +425,7 @@ #define SSLF_CLIENT_CERT_OPTIONAL (1u << 1) #define SSLF_USERNAME_AS_COMMON_NAME (1u << 2) #define SSLF_AUTH_USER_PASS_OPTIONAL (1u << 3) -#define SSLF_OPT_VERIFY (1u << 4) +/* (1u << 4) free for usage */ #define SSLF_CRL_VERIFY_DIR (1u << 5) #define SSLF_TLS_VERSION_MIN_SHIFT 6 #define SSLF_TLS_VERSION_MIN_MASK 0xFu /* (uses bit positions 6 to 9) */
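Review bot: the Changes.rst entry promises that using the option "will only print a warning", but the options.c hunk in this same patch emits the new message with `msg(M_INFO, ...)`, so at default verbosity a server that still carries `--opt-verify` in its config gets an informational line, not a warning; either raise the level in options.c or reword the entry to "prints an informational message". The entry should also spell out the operational consequence shown by the ssl.c hunk: clients whose option strings disagree with the server are now only reported via options_warning() and are no longer disconnected, which is exactly what deployments that enabled opt-verify were getting from it.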
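Review bot: the server-options.rst hunk deletes the sentence "This option requires that ``--disable-occ`` NOT be used", which implies the `--disable-occ` description may still refer to `--opt-verify`; please confirm no other man section mentions the option, since otherwise the manual points at an entry that no longer exists.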
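Review bot: the new unsupported-options.rst entry is inconsistent with both its neighbour and the code. The `--persist-key` entry directly above says "Ignored since OpenVPN 2.7", and the options.c hunk keeps the `opt-verify` parsing branch as a no-op, so "Removed in OpenVPN 2.7" overstates it; "Ignored since OpenVPN 2.7" would be accurate and match the surrounding style. Also "parameters negotiation" should read "parameter negotiation". Fixing the missing trailing newline on the `--persist-key` line in the same hunk is welcome.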
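Review bot: the replacement message in the `opt-verify` branch of options.c is labelled "DEPRECATED OPTION" yet states the option "was removed", and it is logged at M_INFO. Since the option used to harden the server by disconnecting clients with incompatible options (see the block deleted in the ssl.c hunk) and now silently does nothing, a M_WARN along the lines of `"WARNING: --opt-verify was removed in OpenVPN 2.7 and is ignored; clients with mismatching options are no longer disconnected"` would make the behavioural change visible in logs and would also honour the "will only print a warning" wording in Changes.rst. The other two options.c hunks (help text and the MUST_BE_FALSE check) look complete.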
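Review bot: after this ssl.c hunk the only handling of an option-string mismatch is the `options_warning(options, remote_options)` call itself; the comparison still runs but nothing in this path can set `ks->authenticated = KS_AUTH_FALSE` any more. A one-line comment above the options_warning() call stating that mismatches are informational by design since 2.7 would stop a future reader from assuming the enforcement was dropped by accident.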
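Review bot: `/* (1u << 4) free for usage */` in ssl_common.h reads awkwardly; `/* (1u << 4) unused, was SSLF_OPT_VERIFY */` is natural English and preserves the bit's history for anyone comparing against older builds. The rest of the hunk is fine: SSLF_CRL_VERIFY_DIR and the TLS_VERSION_MIN shift keep their values, so no bit layout changes.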