From: Arne Schwabe <a...@rfc2549.org> - fix typo in peer-fingerprint - use ec_paramgen_curve instead of requiring a subshell
Note: we still use -nodes instead of -noenc as it is more compatible. closes: issue #666 Change-Id: I9a12a0c127908af9f09d88fb3a493df3763d0cc5 Signed-off-by: Arne Schwabe <a...@rfc2549.org> Acked-by: Frank Lichtenheld <fr...@lichtenheld.com> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/859 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld <fr...@lichtenheld.com> diff --git a/doc/man-sections/example-fingerprint.rst b/doc/man-sections/example-fingerprint.rst index 7cdda19..31ca0c1 100644 --- a/doc/man-sections/example-fingerprint.rst +++ b/doc/man-sections/example-fingerprint.rst @@ -18,7 +18,7 @@ 2. Generate a self-signed certificate for the server: :: - openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout server.key -out server.crt -nodes -sha256 -days 3650 -subj '/CN=server' + openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -keyout server.key -out server.crt -nodes -sha256 -days 3650 -subj '/CN=server' 3. Generate SHA256 fingerprint of the server certificate @@ -28,7 +28,7 @@ openssl x509 -fingerprint -sha256 -in server.crt -noout - This output something similar to: + This outputs something similar to: :: SHA256 Fingerprint=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff @@ -64,6 +64,12 @@ # Ping every 60s, restart if no data received for 5 minutes keepalive 60 300 + # Uncomment the line below if you want to have persistent IP addresses + # ifconfig-pool-persist /etc/openvpn/server/ipp.txt + + # Uncomment the line below to push a DNS server to clients + # push "dhcp-option DNS 1.1.1.1" + 5. Add at least one client as described in the client section. 6. Start the server. @@ -85,7 +91,7 @@ different name for each client. :: - openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -nodes -sha256 -days 3650 -subj '/CN=alice' + openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -keyout - -nodes -sha256 -days 3650 -subj '/CN=alice' This generate a certificate and a key for the client. The output of the command will look something like this: @@ -162,7 +168,7 @@ <peer-fingerprint> ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00 99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:88:77:66:55:44:33 - </peer-fingperint> + </peer-fingerprint> 6. (optional) if the client is an older client that does not support the :code:`peer-fingerprint` (e.g. OpenVPN 2.5 and older, OpenVPN Connect 3.3 _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel