On 28-06-17 21:15, David Sommerseth wrote: > The note related to the CRL processing was somehow put into > the deprecated section. This is quite confusing. > > Since this is a fairly important change, and there have been > a noticable amount of supports questions related to OpenVPN > not starting due to CRL errors, I put this into the > "New features" section labelled as an improvement. Otherwise > I fear this would drown in the list of "User-visible Changes" > later on. > > Signed-off-by: David Sommerseth <dav...@openvpn.net> > --- > Changes.rst | 13 +++++++------ > 1 file changed, 7 insertions(+), 6 deletions(-) > > diff --git a/Changes.rst b/Changes.rst > index 9db0a451..0b2b04dd 100644 > --- a/Changes.rst > +++ b/Changes.rst > @@ -44,6 +44,13 @@ ECDH key exchange > The TLS control channel now supports for elliptic curve diffie-hellmann > key exchange (ECDH). > > +Improved Certificate Revocation List (CRL) processing > + CRLs are now handled by the crypto library (OpenSSL or mbed TLS), instead > + of inside OpenVPN itself. The crypto library implementations are more > + strict than the OpenVPN implementation was. This might reject peer > + certificates that would previously be accepted. If this occurs, OpenVPN > + will log the crypto library's error description. > + > Dualstack round-robin DNS client connect > Instead of only using the first address of each ``--remote`` OpenVPN > will now try all addresses (IPv6 and IPv4) of a ``--remote`` entry. 
> @@ -160,12 +167,6 @@ Deprecated features > will then use ``--key-method 2`` by default. Note that this requires > changing > the option in both the client and server side configs. > > -- CRLs are now handled by the crypto library (OpenSSL or mbed TLS), instead > of > - inside OpenVPN itself. The crypto library implementations are more strict > - than the OpenVPN implementation was. This might reject peer certificates > - that would previously be accepted. If this occurs, OpenVPN will log the > - crypto library's error description. > - > - ``--tls-remote`` is removed in 2.4, as indicated in the 2.3 man-pages. > Similar > functionality is provided via ``--verify-x509-name``, which does the same > job in > a better way. >
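Review bot: the new "Improved Certificate Revocation List (CRL) processing" entry in the first hunk (Changes.rst, after the ECDH paragraph) tells the reader that a previously accepted peer certificate may now be rejected and that the crypto library's error text will be logged, but not what the stricter checks are or what to look at when it happens; since the commit message says this is meant to cut down support questions, one sentence naming a typical cause, for example a CRL whose validity period (nextUpdate) has lapsed, and the fix (regenerate the CRL) would make the entry actionable rather than just descriptive. Minor, and outside the lines this patch changes: the context line "now supports for elliptic curve diffie-hellmann" reads oddly ("supports" with a stray "for", and "Diffie-Hellman" is the usual spelling); worth a separate trivial follow-up.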
ACK

-Steffan

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel