The grammar in the 3rd sentence in the comment below is messed up. (I think I understand it, but I'm not sure.)
> + if (session->opt->verify_hash_no_ca)
> + {
> + /*
> + * If we decide to verify the peer certificate based on the
> fingerprint
> + * we ignore wrong dates and the certificate not being trusted.
> + * Any other problem with the certificate (wrong key, bad cert,...)
> + * will still trigger an error.
> + * Clearing these flags relies on verify_cert will later rejecting a
> + * certificate that has no matching fingerprint.
> + */
> + uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED
> + | MBEDTLS_X509_BADCERT_EXPIRED
> + | MBEDTLS_X509_BADCERT_FUTURE;
> + *flags = *flags & ~flags_ignore;
> + }
> +

Also, this comment is copied verbatim from Jason's commit 423ced962d, which has been reverted. I'm not a lawyer, but since comments are relatively easy to rephrase, I think it's better to do that.

My suggestion:

/*
 * If we verify the peer certificate based only on the fingerprint,
 * we ignore flags regarding the certificate's validity period and
 * the certificate being untrusted (because we don't have a CA to
 * check against).
 * Any other flags will still trigger an error.
 *
 * If the certificate's fingerprint doesn't match, it will be rejected
 * by verify_cert later.
 */

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
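Review bot: the safety of this block rests entirely on a check that lives elsewhere, and the hunk gives no pointer to it. Once MBEDTLS_X509_BADCERT_NOT_TRUSTED, MBEDTLS_X509_BADCERT_EXPIRED and MBEDTLS_X509_BADCERT_FUTURE are masked out, an untrusted or out-of-validity-period peer certificate passes this callback, and the only remaining guard is the fingerprint comparison the comment attributes to verify_cert. Name the exact function and file where that comparison happens so a later refactor of verify_cert cannot silently remove the guard, and state in the option's user-facing documentation (not only in this comment) that fingerprint-only verification deliberately ignores the certificate's validity period. Style nit: `*flags &= ~flags_ignore;` is the usual form of `*flags = *flags & ~flags_ignore;`.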