On 12-04-17 13:35, Steffan Karger wrote: > Version 2.4.1 > ============= > - - ``--remote-cert-ku`` now only requires the certificate to have at least > the > - bits set of one of the values in the supplied list, instead of requiring > an > - exact match to one of the values in the list. > - - ``--remote-cert-tls`` now only requires that a keyUsage is present in the > - certificate, and leaves the verification of the value up to the crypto > - library, which has more information (i.e. the key exchange method in use) > - to verify that the keyUsage is correct. > - - ``--ns-cert-type`` is deprecated. Use ``--remote-cert-tls`` instead. > - The nsCertType x509 extension is very old, and barely used. > - ``--remote-cert-tls`` uses the far more common keyUsage and > extendedKeyUsage > - extension instead. Make sure your certificates carry these to be able to > - use ``--remote-cert-tls``. > +- ``--remote-cert-ku`` now only requires the certificate to have at least the > + bits set of one of the values in the supplied list, instead of requiring an > + exact match to one of the values in the list. > +- ``--remote-cert-tls`` now only requires that a keyUsage is present in the > + certificate, and leaves the verification of the value up to the crypto > + library, which has more information (i.e. the key exchange method in use) > + to verify that the keyUsage is correct. > +- ``--ns-cert-type`` is deprecated. Use ``--remote-cert-tls`` instead. > + The nsCertType x509 extension is very old, and barely used. > + ``--remote-cert-tls`` uses the far more common keyUsage and > extendedKeyUsage > + extension instead. Make sure your certificates carry these to be able to > + use ``--remote-cert-tls``. > +- The new option ``--tls-cert-profile`` can be used to restrict the set of > + allowed crypto algorithms in TLS certificates in mbed TLS builds. The > + 'legacy' profile can be used to re-enable support for SHA1 and 1024-bit RSA > + keys.
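Review bot: the `+` block, including the new ``--tls-cert-profile`` bullet, is re-added directly under the existing "Version 2.4.1" header, so a brand-new option would be recorded as a 2.4.1 change; insert a "Version 2.4.2" heading (in the same ``=====`` underline style as "Version 2.4.1") above the `+` lines so the new entry lands in its own release section. Because the three existing bullets (``--remote-cert-ku``, ``--remote-cert-tls``, ``--ns-cert-type``) are removed and re-added with only line-wrapping differences, the hunk reads as a large change when the only substantive addition is the ``--tls-cert-profile`` paragraph; a diff that adds just the new heading and bullet would be easier to review and keeps the 2.4.1 history untouched. In the new bullet itself, stating which profile is the default would tell readers whether they need the 'legacy' profile at all, since the entry currently only says what 'legacy' re-enables (SHA1 and 1024-bit RSA keys).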
Hrmpf, this should of course get a new section '2.4.2'... Let me know if you want a v3, or whether this can be fixed on-the-fly. Apologies!

-Steffan

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel