Hi,

On Thu, Mar 02, 2017 at 09:36:32PM +0100, Steffan Karger wrote:
> So, what I propose instead is:
>  * remove all the nsCertType code (except the option in add_option())
>  * update the help strings and man page to indicate that --ns-cert-type
> is no longer supported and --remote-cert-tls should be used instead
>  * in add_option(), if the option is enabled in a config file, act as if
> --remote-cert-tls was specified correspondingly, and print a clear
> warning that --ns-cert-type is no longer supported and stricter checks
> are enabled instead.

Mmmmh.  Is there a way to get the old behaviour with OpenSSL 1.1?

We decided that we do want 1.1 compatibility in release/2.4, but what
you propose might break people's working config when upgrading from 2.4.1
to 2.4.2 - bad enough if we make mistakes, but if there is an alternative
to consciously changing cert validation behaviour in the middle of a
release train, we should look again...

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel