The note related to the CRL processing was somehow put into
the deprecated section. This is quite confusing.
Since this is a fairly important change, and there have been
a noticeable amount of support questions related to OpenVPN
not starting due to CRL errors, I put this into the
"New features" section labelled as an improvement. Otherwise
I fear this would drown in the list of "User-visible Changes"
later on.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170628191538.9135-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14985.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -44,6 +44,13 @@ ECDH key exchange |
44 | 44 |
The TLS control channel now supports for elliptic curve diffie-hellmann |
45 | 45 |
key exchange (ECDH). |
46 | 46 |
|
47 |
+Improved Certificate Revocation List (CRL) processing |
|
48 |
+ CRLs are now handled by the crypto library (OpenSSL or mbed TLS), instead |
|
49 |
+ of inside OpenVPN itself. The crypto library implementations are more |
|
50 |
+ strict than the OpenVPN implementation was. This might reject peer |
|
51 |
+ certificates that would previously be accepted. If this occurs, OpenVPN |
|
52 |
+ will log the crypto library's error description. |
|
53 |
+ |
|
47 | 54 |
Dualstack round-robin DNS client connect |
48 | 55 |
Instead of only using the first address of each ``--remote`` OpenVPN |
49 | 56 |
will now try all addresses (IPv6 and IPv4) of a ``--remote`` entry. |
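Review bot: the new entry (lines 47-53 of the updated file) tells users that a stricter CRL check "might reject peer certificates that would previously be accepted" and that the library's error description is logged, but it does not say what that rejection means for the person reading the log, which is exactly the support question the commit message is trying to head off. Suggest adding one sentence after "will log the crypto library's error description." along the lines of "Such a rejection points at a problem in the CRL or certificate rather than in OpenVPN; the logged error description identifies which check failed." Minor style point: the moved text is reflowed to a shorter line width than the copy removed from the Deprecated section and than the surrounding entries; keep the same wrap width as the "Dualstack round-robin DNS client connect" paragraph below it.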
... | ... |
@@ -160,12 +167,6 @@ Deprecated features |
160 | 160 |
will then use ``--key-method 2`` by default. Note that this requires changing |
161 | 161 |
the option in both the client and server side configs. |
162 | 162 |
|
163 |
-- CRLs are now handled by the crypto library (OpenSSL or mbed TLS), instead of |
|
164 |
- inside OpenVPN itself. The crypto library implementations are more strict |
|
165 |
- than the OpenVPN implementation was. This might reject peer certificates |
|
166 |
- that would previously be accepted. If this occurs, OpenVPN will log the |
|
167 |
- crypto library's error description. |
|
168 |
- |
|
169 | 163 |
- ``--tls-remote`` is removed in 2.4, as indicated in the 2.3 man-pages. Similar |
170 | 164 |
functionality is provided via ``--verify-x509-name``, which does the same job in |
171 | 165 |
a better way. |
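Review bot: the removal is complete and leaves the list well-formed: the trailing blank line (old line 168) goes with the entry, so exactly one blank line remains between the ``--key-method 2`` paragraph and the ``--tls-remote`` item, and the hunk header context "Deprecated features" confirms the CRL note really was sitting under the wrong heading. Worth a quick grep before merging that nothing else in the Deprecated section refers to the CRL bullet by position or wording, since the text now lives under "New features" with a different heading.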