As kitsune1 mentioned in IRC, this section should explain that
"--tls-crypt-v2-genkey client" requires the user to supply the server
key using "--tls-crypt-v2".
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1540981377-22752-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17865.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
@@ -5314,6 +5314,11 @@ If no metadata is supplied, OpenVPN will use a 64\-bit unix timestamp |
5314 | 5314 |
representing the current time in UTC, encoded in network order, as metadata for |
5315 | 5315 |
the generated key. |
5316 | 5316 |
|
5317 |
+A tls\-crypt\-v2 client key is wrapped using a server key. To generate a |
|
5318 |
+client key, the user must therefore supply the server key using the |
|
5319 |
+.B \-\-tls\-crypt\-v2 |
|
5320 |
+option. |
|
5321 |
+ |
|
5317 | 5322 |
Servers can use |
5318 | 5323 |
.B \-\-tls\-crypt\-v2\-verify |
5319 | 5324 |
to specify a metadata verification command. |
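Review bot: The new paragraph at 5317-5320 does not say which genkey mode it applies to, even though the commit message scopes it to "--tls-crypt-v2-genkey client"; placed directly after the metadata paragraph it reads as a general statement about all tls-crypt-v2 key generation. Suggest opening the sentence with the mode it describes, e.g. "A tls\-crypt\-v2 client key (generated with .B \-\-tls\-crypt\-v2\-genkey client) is wrapped using a server key.", and stating what the .B \-\-tls\-crypt\-v2 argument is in this context (the server key file, i.e. the same key the server itself is configured with), so the reader knows what to pass rather than only which option to use. A one-line example invocation that combines the two options would make the requirement concrete; as written the user has to infer the command shape from two separately documented options.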