Hi,

On Mon, Mar 12, 2018 at 10:37:53AM -0400, Selva Nair wrote:
> Agree, this could qualify for 2.4. Anyway, the context is the same and
> it applies/cherry-picks to 2.4 without issues.

OK, thanks.

> Elsewhere in the code we only warn about expired certs (like those
> read from a file) and continue with the connection to eventually end
> up with the unhelpful "TLS key negotiation failed to complete. Check
> your network..." error [*]. In that sense this is a regression. IMO, the
> client should error out on invalid certs from other sources as well.

Well. In other cases, we do not have anything else to try, and when
Steffan added the "oh, this might have expired!" warning, it was much
better than the "mysterious TLS handshake failure" we had before.

The reason it's only a warning was a conscious decision: our clock might
be wrong, or sufficiently different from the server's clock that it
actually *could* be valid on his side. So we print a warning so it's
more obvious why it fails, but try anyway.

But I do not have strong feelings either way, so if "you" (for an
unspecified value of "you") want to change this to error out, fine with
me :-) - I just wanted to provide background.

gert
--
now what should I write here...

Gert Doering - Munich, Germany                             g...@greenie.muc.de
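The trade-off Gert describes (a cert that looks expired or not-yet-valid may only look that way because the local clock is wrong, so the client warns and still attempts the handshake, versus Selva's suggestion of erroring out) is shown below as an added example. This is not OpenVPN code and not from either poster; it is a stand-alone Python sketch in which the function names, the `strict` flag and the sample validity dates are my own assumptions. It parses the two time encodings X.509 actually uses for notBefore/notAfter, classifies the cert against the local clock, and returns either a warning-and-proceed or an error depending on the chosen policy.

```python
# Added example, not OpenVPN's own code: the certificate validity check
# and the two policies the thread contrasts ("warn but try anyway" vs.
# "error out"). Function names and the `strict` flag are assumptions.
from datetime import datetime, timezone
from enum import Enum


class Validity(Enum):
    VALID = "valid"
    NOT_YET_VALID = "not yet valid"
    EXPIRED = "expired"


def parse_asn1_time(s: str) -> datetime:
    """Parse the two encodings X.509 uses for notBefore/notAfter (RFC 5280
    4.1.2.5): UTCTime "YYMMDDHHMMSSZ" (two-digit year, 50..99 -> 19xx,
    00..49 -> 20xx) and GeneralizedTime "YYYYMMDDHHMMSSZ". Both must be UTC."""
    if not s.endswith("Z"):
        raise ValueError(f"certificate times must be UTC ('Z'): {s!r}")
    body = s[:-1]
    if len(body) == 12:                      # UTCTime
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = body[2:]
    elif len(body) == 14:                    # GeneralizedTime
        year = int(body[:4])
        rest = body[4:]
    else:
        raise ValueError(f"unrecognised ASN.1 time: {s!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def check_validity(not_before: str, not_after: str, now) -> Validity:
    """Classify the cert against the *local* clock. `now` is a datetime or an
    ASN.1 time string (the latter keeps the example easy to drive by hand)."""
    now_dt = now if isinstance(now, datetime) else parse_asn1_time(now)
    if now_dt < parse_asn1_time(not_before):
        return Validity.NOT_YET_VALID
    if now_dt > parse_asn1_time(not_after):
        return Validity.EXPIRED
    return Validity.VALID


def decide(not_before: str, not_after: str, now, strict: bool = False):
    """Return (proceed, message).

    strict=False is the behaviour the thread describes for file-based certs:
    log a warning that names the likely cause, then attempt the handshake
    anyway, because the local clock (not the cert) may be what is wrong.
    strict=True is the alternative being discussed: refuse immediately."""
    verdict = check_validity(not_before, not_after, now)
    if verdict is Validity.VALID:
        return True, None
    now_dt = now if isinstance(now, datetime) else parse_asn1_time(now)
    msg = (f"certificate is {verdict.value} "
           f"(notBefore={not_before}, notAfter={not_after}, "
           f"local clock={now_dt:%Y-%m-%d %H:%M:%S} UTC); "
           f"check the local clock before blaming the certificate")
    if strict:
        return False, "ERROR: " + msg
    return True, "WARNING: " + msg


if __name__ == "__main__":
    # Constructed sample values: a cert valid through 2018, checked from a
    # client whose clock says 2019.
    for strict in (False, True):
        proceed, message = decide("180101000000Z", "181231235959Z",
                                  "190301120000Z", strict=strict)
        print(f"strict={strict}: proceed={proceed}; {message}")
```

The non-strict branch still lets the handshake run, so a server whose clock agrees with the cert will complete it and a server that rejects the cert produces the generic TLS failure, but the log now carries the likely reason just above it; the strict branch trades that tolerance for an immediate, unambiguous failure.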
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel