Github: fixes OpenVPN/openvpn#516
Change-Id: Ia73d53002f4ba2658af18c17cce1b68f79de5781
Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240326103853.494572-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28474.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4b95656536be1f402a55ef5dffe140fa78e7eb51)
| ... | ... |
@@ -3632,7 +3632,8 @@ do_option_warnings(struct context *c) |
| 3632 | 3632 |
&& !o->tls_verify |
| 3633 | 3633 |
&& o->verify_x509_type == VERIFY_X509_NONE |
| 3634 | 3634 |
&& !(o->ns_cert_type & NS_CERT_CHECK_SERVER) |
| 3635 |
- && !o->remote_cert_eku) |
|
| 3635 |
+ && !o->remote_cert_eku |
|
| 3636 |
+ && !(o->verify_hash_depth == 0 && o->verify_hash)) |
|
| 3636 | 3637 |
{
|
| 3637 | 3638 |
msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."); |
| 3638 | 3639 |
} |
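Review bot: The added clause `!(o->verify_hash_depth == 0 && o->verify_hash)` has no comment explaining why only a depth-0 hash silences the MITM warning, and the distinction is security-relevant. A fingerprint matched at depth 0 pins the peer's own certificate, whereas a hash checked further up the chain would accept any certificate issued beneath it. I would add a comment above the condition such as `/* a depth-0 hash (presumably --peer-fingerprint) pins the server's leaf certificate and so counts as server verification; a hash at any other depth does not */`, so a later edit does not relax it to a bare `!o->verify_hash`. The `if` condition begins above the hunk, and which option sets which depth should be confirmed against the option parser, which is not shown here.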
| ... | ... |
@@ -718,8 +718,8 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep |
| 718 | 718 |
const char *hex_fp = format_hex_ex(BPTR(&cert_fp), BLEN(&cert_fp), |
| 719 | 719 |
0, 1, ":", &gc); |
| 720 | 720 |
msg(D_TLS_ERRORS, "TLS Error: --tls-verify/--peer-fingerprint" |
| 721 |
- "certificate hash verification failed. (got " |
|
| 722 |
- "fingerprint: %s", hex_fp); |
|
| 721 |
+ "certificate hash verification failed. (got certificate " |
|
| 722 |
+ "fingerprint: %s)", hex_fp); |
|
| 723 | 723 |
goto cleanup; |
| 724 | 724 |
} |
| 725 | 725 |
} |
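Review bot: The rewritten message still concatenates `"TLS Error: --tls-verify/--peer-fingerprint"` directly with `"certificate hash verification failed. (got certificate "`, so the emitted log line reads `--peer-fingerprintcertificate hash verification failed`. The first literal needs a trailing space: `msg(D_TLS_ERRORS, "TLS Error: --tls-verify/--peer-fingerprint "`. Log monitoring that alerts on this TLS error would otherwise have to match the fused text, so the fix belongs with this wording change. It may also be worth checking whether `--tls-verify` is the right option name for a certificate hash comparison; that cannot be settled from the hunk. verify_cert begins and ends outside the hunk.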