Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/1428?usp=email
to review the following change.
Change subject: Correct documentation for --ns-cert-type
......................................................................
Correct documentation for --ns-cert-type
Our documentation claimed this option was removed.
But it was not, for compatibility reasons. So reflect
the correct status.
Change-Id: I1d1851eaebe8bf66c92dac3c8c10f68b1ec3ef33
Signed-off-by: Frank Lichtenheld <[email protected]>
---
M doc/man-sections/tls-options.rst
M doc/man-sections/unsupported-options.rst
2 files changed, 11 insertions(+), 6 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/28/1428/1
diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst
index 846dfdd..c4aa810 100644
--- a/doc/man-sections/tls-options.rst
+++ b/doc/man-sections/tls-options.rst
@@ -222,6 +222,17 @@
``--cert file`` above). URI is supported only when built with OpenSSL 3.0
or later and any required providers are loaded. (See ``--cert`` for more
details).
+--ns-cert-type type
+ **DEPRECATED** The ``--remote-cert-tls`` option should be used instead.
+ The option is still available since it can't be silently ignored and needs
+ updates to certificates and configs on both sides of the connection.
+ However it should not be used for new clients or servers. It depends on the
+ deprecated ``nsCertType`` certificate field.
+
+ Might not work depending on the TLS library used.
+
+ Will be removed in a future release.
+
--pkcs12 file
Specify a PKCS #12 file containing local private key, local certificate,
and root CA certificate. This option can be used instead of ``--ca``,
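Review bot: In the new ``--ns-cert-type`` entry, "Might not work depending on the TLS library used" does not let a reader tell whether their build is affected; name the libraries or versions where it fails, or say how the failure shows up. The entry also never states what the option checks or which values ``type`` accepts, so someone maintaining an old config cannot tell what peer verification it provides; a one-line description ahead of the deprecation text would cover that. The sentence "it can't be silently ignored and needs updates to certificates and configs" reads as if the option itself needs the updates; reword it to say that migrating away from the option requires them.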
diff --git a/doc/man-sections/unsupported-options.rst
b/doc/man-sections/unsupported-options.rst
index 6e77333..b646991 100644
--- a/doc/man-sections/unsupported-options.rst
+++ b/doc/man-sections/unsupported-options.rst
@@ -44,12 +44,6 @@
VPN tunnel security. Previously we claimed to have removed this in
OpenVPN 2.5, but this wasn't actually the case.
---ns-cert-type
- Removed in OpenVPN 2.5. The ``nsCertType`` field is no longer supported
- in recent SSL/TLS libraries. If your certificates does not include *key
- usage* and *extended key usage* fields, they must be upgraded and the
- ``--remote-cert-tls`` option should be used instead.
-
--prng
Removed in OpenVPN 2.6. We now always use the PRNG of the SSL library.
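Review bot: The removed ``--ns-cert-type`` text held the only concrete migration hint, that certificates lacking *key usage* and *extended key usage* fields must be upgraded before ``--remote-cert-tls`` can replace it, and the new entry in tls-options.rst only says "updates to certificates" without naming those fields. Carry that sentence over to the new entry so the upgrade path stays documented. The preceding entry in this file keeps a note that its removal was previously misreported ("Previously we claimed to have removed this in OpenVPN 2.5, but this wasn't actually the case"); consider the same treatment here, or a pointer to the new location, so readers of older docs are not left with a silent disappearance.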
--
Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I1d1851eaebe8bf66c92dac3c8c10f68b1ec3ef33
Gerrit-Change-Number: 1428
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>