GitList

Browse code

Deprecate --ns-cert-type

The nsCertType x509 extension is very old, and barely used. We already
have had an alternative for a long time: --remote-cert-tls uses the far
more common keyUsage and extendedKeyUsage extensions instead.

OpenSSL 1.1 longer exposes an API to (separately) check the nsCertType x509
extension. Since we want be able to migrate to OpenSSL 1.1, we should
deprecate this option immediately.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1488653397-2309-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14222.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Steffan Karger authored on 2017/03/05 03:49:57
Showing 5 changed files

Changes.rst index 7ffd89e..0af29e3 100644
doc/openvpn.8 index e3d603e..f6822ec 100644
src/openvpn/init.c index 7da0061..0b74f25 100644
src/openvpn/options.c index 17bf5a4..58cb10e 100644
tests/t_client.rc-sample index 4fdea48..355e8bb 100644

Changes.rst

History View file @ 2dc3322

@@ -1,5 +1,5 @@
                     -Version 2.4.0
                     -=============
                     +Overview of changes in 2.4
                     +==========================
                      New features
@@ -302,3 +302,12 @@ Maintainer-visible changes
                        header combinations.  In most of these situations it is recommended to
                        use -std=gnu99 in CFLAGS.  This is known to be needed when doing
                        i386/i686 builds on RHEL5.
+                    +
+                    +
                     +Version 2.4.1
                     +=============
                     + - ``--ns-cert-type`` is deprecated.  Use ``--remote-cert-tls`` instead.
                     +   The nsCertType x509 extension is very old, and barely used.
                     +   ``--remote-cert-tls`` uses the far more common keyUsage and extendedKeyUsage
                     +   extension instead.  Make sure your certificates carry these to be able to
                     +   use ``--remote-cert-tls``.

doc/openvpn.8

History View file @ 2dc3322

@@ -327,7 +327,7 @@ http\-proxy 192.168.0.8 8080
                      persist\-key
                      persist\-tun
                      pkcs12 client.p12
                     -ns\-cert\-type server
                     +remote\-cert\-tls server
                      verb 3
                      .in -4
                      .ft
@@ -5313,7 +5313,11 @@ as X509_<depth>_<attribute>=<value>.  Multiple
                      options can be defined to track multiple attributes.
                      .\"*********************************************************
                      .TP
                     -.B \-\-ns\-cert\-type client|server
                     +.B \-\-ns\-cert\-type client|server (DEPRECATED)
                     +This option is deprecated.  Use the more modern equivalent
                     +.B \-\-remote\-cert\-tls
                     +instead.  This option will be removed in OpenVPN 2.5.
+                    +
                      Require that peer certificate was signed with an explicit
                      .B nsCertType
                      designation of "client" or "server".

src/openvpn/init.c

History View file @ 2dc3322

@@ -2986,6 +2986,10 @@ do_option_warnings(struct context *c)
+                         {
                              msg(M_WARN, "WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.");
+                         }
                     +    if (o->ns_cert_type)
                     +    {
                     +        msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.");
                     +    }
                      #endif /* ifdef ENABLE_CRYPTO */
                          /* If a script is used, print appropiate warnings */

src/openvpn/options.c

History View file @ 2dc3322

@@ -635,8 +635,8 @@ static const char usage_message[] =
                          "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
                          "                  DN name. The remote host must also pass all other tests\n"
                          "                  of verification.\n"
                     -    "--ns-cert-type t: Require that peer certificate was signed with an explicit\n"
                     -    "                  nsCertType designation t = 'client' | 'server'.\n"
                     +    "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
                     +    "                  an explicit nsCertType designation t = 'client' | 'server'.\n"
                          "--x509-track x  : Save peer X509 attribute x in environment for use by\n"
                          "                  plugins and management interface.\n"
                      #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000

tests/t_client.rc-sample

History View file @ 2dc3322

@@ -40,7 +40,7 @@ TEST_RUN_LIST="1 2"
 #
 OPENVPN_BASE_P2MP="--client --ca $CA_CERT \
 	--cert $CLIENT_CERT --key $CLIENT_KEY \
-	--ns-cert-type server --nobind --comp-lzo --verb 3"
+	--remote-cert-tls server --nobind --comp-lzo --verb 3"
 
 # base config for p2p tests
 #

...	...	@@ -40,7 +40,7 @@ TEST_RUN_LIST="1 2"
40	40	#
41	41	OPENVPN_BASE_P2MP="--client --ca $CA_CERT \
42	42	--cert $CLIENT_CERT --key $CLIENT_KEY \
43		- --ns-cert-type server --nobind --comp-lzo --verb 3"
	43	+ --remote-cert-tls server --nobind --comp-lzo --verb 3"
44	44
45	45	# base config for p2p tests
46	46	#