[Openvpn-devel,S] Change in openvpn[master]: Improve peer fingerpint documentation

Message ID 57a9ad9e2c345ece460491326b4df9285578df19-HTML@gerrit.openvpn.net
State Superseded
Headers show
Series [Openvpn-devel,S] Change in openvpn[master]: Improve peer fingerpint documentation | expand

Commit Message

cron2 (Code Review) Jan. 14, 2025, 9:43 a.m. UTC
Attention is currently required from: flichtenheld.

Hello flichtenheld,

I'd like you to do a code review.
Please visit

    http://gerrit.openvpn.net/c/openvpn/+/859?usp=email

to review the following change.


Change subject: Improve peer fingerpint documentation
......................................................................

Improve peer fingerpint documentation

- fix typo in peer-fingerprint
- use ec_paramgen_curve instead of requiring a subshell

Note: we still use -nodes instead of -noenc as it is more compatible.

closes: issue #666

Change-Id: I9a12a0c127908af9f09d88fb3a493df3763d0cc5
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
M doc/man-sections/example-fingerprint.rst
1 file changed, 10 insertions(+), 4 deletions(-)



  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/59/859/1

Patch

diff --git a/doc/man-sections/example-fingerprint.rst b/doc/man-sections/example-fingerprint.rst
index 7cdda19..31ca0c1 100644
--- a/doc/man-sections/example-fingerprint.rst
+++ b/doc/man-sections/example-fingerprint.rst
@@ -18,7 +18,7 @@ 
 2. Generate a self-signed certificate for the server:
    ::
 
-    openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout server.key -out server.crt -nodes -sha256 -days 3650 -subj '/CN=server'
+    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -keyout server.key -out server.crt -nodes -sha256 -days 3650 -subj '/CN=server'
 
 3. Generate SHA256 fingerprint of the server certificate
 
@@ -28,7 +28,7 @@ 
 
     openssl x509 -fingerprint -sha256 -in server.crt -noout
 
-   This output something similar to:
+   This outputs something similar to:
    ::
 
      SHA256 Fingerprint=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
@@ -64,6 +64,12 @@ 
     # Ping every 60s, restart if no data received for 5 minutes
     keepalive 60 300
 
+    # Uncomment the line below if you want to have persistent IP addresses
+    # ifconfig-pool-persist  /etc/openvpn/server/ipp.txt
+
+    # Uncomment the line below to push a DNS server to clients
+    # push "dhcp-option DNS 1.1.1.1"
+
 5. Add at least one client as described in the client section.
 
 6. Start the server.
@@ -85,7 +91,7 @@ 
    different name for each client.
    ::
 
-      openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -nodes -sha256 -days 3650 -subj '/CN=alice'
+      openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -keyout - -nodes -sha256 -days 3650 -subj '/CN=alice'
 
    This generate a certificate and a key for the client. The output of the command will look
    something like this:
@@ -162,7 +168,7 @@ 
       <peer-fingerprint>
       ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00
       99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:88:77:66:55:44:33
-      </peer-fingperint>
+      </peer-fingerprint>
 
 6. (optional) if the client is an older client that does not support the
    :code:`peer-fingerprint` (e.g. OpenVPN 2.5 and older, OpenVPN Connect 3.3