From patchwork Wed Dec 10 08:56:20 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4675
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 10 Dec 2025 09:56:20 +0100
Message-ID: <20251210085625.32174-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v1] Correct documentation for --ns-cert-type

From: Frank Lichtenheld

Our documentation claimed this option was removed. But it was not, for compatibility reasons. So reflect the correct status.

Change-Id: I1d1851eaebe8bf66c92dac3c8c10f68b1ec3ef33
Signed-off-by: Frank Lichtenheld
Acked-by: Gert Doering
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1428
---

This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1428
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering

diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index 846dfdd..c4aa810 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst 
@@ -222,6 +222,17 @@ ``--cert file`` above). URI is supported only when built with OpenSSL 3.0 or later and any required providers are loaded. (See ``--cert`` for more details). +--ns-cert-type type + **DEPRECATED** The ``--remote-cert-tls`` option should be used instead. + The option is still available since it can't be silently ignored and needs + updates to certificates and configs on both sides of the connection. + However it should not be used for new clients or servers. It depends on the + deprecated ``nsCertType`` certificate field. + + Might not work depending on the TLS library used. + + Will be removed in a future release. + --pkcs12 file Specify a PKCS #12 file containing local private key, local certificate, and root CA certificate. This option can be used instead of ``--ca``, diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst index 6e77333..b646991 100644 --- a/doc/man-sections/unsupported-options.rst +++ b/doc/man-sections/unsupported-options.rst @@ -44,12 +44,6 @@ VPN tunnel security. Previously we claimed to have removed this in OpenVPN 2.5, but this wasn't actually the case. ---ns-cert-type - Removed in OpenVPN 2.5. The ``nsCertType`` field is no longer supported - in recent SSL/TLS libraries. If your certificates does not include *key - usage* and *extended key usage* fields, they must be upgraded and the - ``--remote-cert-tls`` option should be used instead. - --prng Removed in OpenVPN 2.6. We now always use the PRNG of the SSL library.
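Review bot: The new `--ns-cert-type type` entry in tls-options.rst names an argument but never says which values `type` accepts or what the option checks on the peer certificate, so someone maintaining an existing config cannot tell what it enforces. Add a sentence listing the accepted values and the check performed. The line "Might not work depending on the TLS library used." is also too vague to act on: state which library builds lack `nsCertType` support and whether the option then fails at startup or the check is skipped, since that decides whether the peer certificate type goes unverified.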
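Review bot: Deleting the `--ns-cert-type` entry from unsupported-options.rst drops the only concrete migration guidance on the page, namely that certificates lacking *key usage* and *extended key usage* fields must be upgraded before moving to `--remote-cert-tls`; the replacement text in tls-options.rst only says the option "needs updates to certificates and configs on both sides of the connection". Carry the key usage / extended key usage sentence over into the new entry. The neighbouring entry in this file keeps the remark "Previously we claimed to have removed this in OpenVPN 2.5, but this wasn't actually the case."; a similar remark in the new entry would tell readers of older manuals that the earlier "Removed in OpenVPN 2.5" statement was wrong.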