Browse code
doc: The CRL processing is not a deprecated feature
The note related to the CRL processing was somehow put into
the deprecated section. This is quite confusing.
Since this is a fairly important change, and there have been
a noticable amount of supports questions related to OpenVPN
not starting due to CRL errors, I put this into the
"New features" section labelled as an improvement. Otherwise
I fear this would drown in the list of "User-visible Changes"
later on.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170628191538.9135-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14985.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth authored on 2017/06/29 04:15:38Showing 1 changed files
| ... | ... |
@@ -44,6 +44,13 @@ ECDH key exchange |
| 44 | 44 |
The TLS control channel now supports for elliptic curve diffie-hellmann |
| 45 | 45 |
key exchange (ECDH). |
| 46 | 46 |
|
| 47 |
+Improved Certificate Revocation List (CRL) processing |
|
| 48 |
+ CRLs are now handled by the crypto library (OpenSSL or mbed TLS), instead |
|
| 49 |
+ of inside OpenVPN itself. The crypto library implementations are more |
|
| 50 |
+ strict than the OpenVPN implementation was. This might reject peer |
|
| 51 |
+ certificates that would previously be accepted. If this occurs, OpenVPN |
|
| 52 |
+ will log the crypto library's error description. |
|
| 53 |
+ |
|
| 47 | 54 |
Dualstack round-robin DNS client connect |
| 48 | 55 |
Instead of only using the first address of each ``--remote`` OpenVPN |
| 49 | 56 |
will now try all addresses (IPv6 and IPv4) of a ``--remote`` entry. |
| ... | ... |
@@ -160,12 +167,6 @@ Deprecated features |
| 160 | 160 |
will then use ``--key-method 2`` by default. Note that this requires changing |
| 161 | 161 |
the option in both the client and server side configs. |
| 162 | 162 |
|
| 163 |
-- CRLs are now handled by the crypto library (OpenSSL or mbed TLS), instead of |
|
| 164 |
- inside OpenVPN itself. The crypto library implementations are more strict |
|
| 165 |
- than the OpenVPN implementation was. This might reject peer certificates |
|
| 166 |
- that would previously be accepted. If this occurs, OpenVPN will log the |
|
| 167 |
- crypto library's error description. |
|
| 168 |
- |
|
| 169 | 163 |
- ``--tls-remote`` is removed in 2.4, as indicated in the 2.3 man-pages. Similar |
| 170 | 164 |
functionality is provided via ``--verify-x509-name``, which does the same job in |
| 171 | 165 |
a better way. |