Remove --client-cert-not-required
This removes support for the --client-cert-not-required option. To avoid starting a server with this option just ignored, which would make it impossible for existing clients to connect, it will exit with instructions to replace this option with --verify-client-cert none. Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200720113010.10450-1-davids@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20502.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
parent
2d5facaa5f
commit
08469ca1ec
@ -38,6 +38,10 @@ https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
|
||||
This option was made into a NOOP option with OpenVPN 2.4. This has now
|
||||
been completely removed.
|
||||
|
||||
- ``--client-cert-not-required`` has been removed
|
||||
This option will now cause server configurations to not start. Use
|
||||
``--verify-client-cert none`` instead.
|
||||
|
||||
- ``--ifconfig-pool-linear`` has been removed
|
||||
This option is removed. Use ``--topology p2p`` instead.
|
||||
|
||||
|
@ -441,8 +441,6 @@ static const char usage_message[] =
|
||||
" Only valid in a client-specific config file.\n"
|
||||
"--disable : Client is disabled.\n"
|
||||
" Only valid in a client-specific config file.\n"
|
||||
"--client-cert-not-required : (DEPRECATED) Don't require client certificate, client\n"
|
||||
" will authenticate using username/password.\n"
|
||||
"--verify-client-cert [none|optional|require] : perform no, optional or\n"
|
||||
" mandatory client certificate verification.\n"
|
||||
" Default is to require the client to supply a certificate.\n"
|
||||
@ -2470,7 +2468,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec
|
||||
}
|
||||
if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
|
||||
{
|
||||
msg(M_USAGE, "--client-cert-not-required and --verify-client-cert require --mode server");
|
||||
msg(M_USAGE, "--verify-client-cert requires --mode server");
|
||||
}
|
||||
if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
|
||||
{
|
||||
@ -2543,7 +2541,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec
|
||||
if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
|
||||
{
|
||||
msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
|
||||
"--verify-client-cert none|optional (or --client-cert-not-required) "
|
||||
"--verify-client-cert none|optional "
|
||||
"may accept clients which do not present a certificate");
|
||||
}
|
||||
|
||||
@ -6938,8 +6936,7 @@ add_option(struct options *options,
|
||||
else if (streq(p[0], "client-cert-not-required") && !p[1])
|
||||
{
|
||||
VERIFY_PERMISSION(OPT_P_GENERAL);
|
||||
options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
|
||||
msg(M_WARN, "DEPRECATED OPTION: --client-cert-not-required, use --verify-client-cert instead");
|
||||
msg(M_FATAL, "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead");
|
||||
}
|
||||
else if (streq(p[0], "verify-client-cert") && !p[2])
|
||||
{
|
||||
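Review bot: The `client-cert-not-required` branch in add_option() now ends in `msg(M_FATAL, ...)` with no comment saying why a removed option aborts startup instead of being ignored; that rationale exists only in the commit message. A short comment above the call would keep it with the code, for example `/* Removed option: abort rather than ignore it, otherwise the server starts with the default (require) certificate check and existing username/password clients can no longer connect. */`. The branch still matches only when `!p[1]`, so a config line carrying an extra argument presumably falls through to the generic unrecognized-option handling outside this hunk; it is worth confirming that path also stops a server config from starting. add_option() begins and ends outside the hunk.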
|
@ -60,7 +60,7 @@ is to be answered with the constant value "mydomain.com":
|
||||
The following OpenVPN directives can also influence
|
||||
the operation of this plugin:
|
||||
|
||||
client-cert-not-required
|
||||
verify-client-cert none
|
||||
username-as-common-name
|
||||
static-challenge
|
||||
|
||||
|