cron2 has uploaded a new patch set (#2) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/859?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld


Change subject: Improve peer fingerprint documentation
......................................................................

Improve peer fingerprint documentation

- fix typo in peer-fingerprint
- use ec_paramgen_curve instead of requiring a subshell

Note: we still use -nodes instead of -noenc as it is more compatible.

Github: closes OpenVPN/openvpn#666

Change-Id: I9a12a0c127908af9f09d88fb3a493df3763d0cc5
Signed-off-by: Arne Schwabe <a...@rfc2549.org>
Acked-by: Frank Lichtenheld <fr...@lichtenheld.com>
Message-Id: <20250114134909.31334-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30447.html
Signed-off-by: Gert Doering <g...@greenie.muc.de>
---
M doc/man-sections/example-fingerprint.rst
1 file changed, 10 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/59/859/2

diff --git a/doc/man-sections/example-fingerprint.rst 
b/doc/man-sections/example-fingerprint.rst
index 7cdda19..31ca0c1 100644
--- a/doc/man-sections/example-fingerprint.rst
+++ b/doc/man-sections/example-fingerprint.rst
@@ -18,7 +18,7 @@
 2. Generate a self-signed certificate for the server:
    ::

-    openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout 
server.key -out server.crt -nodes -sha256 -days 3650 -subj '/CN=server'
+    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -keyout 
server.key -out server.crt -nodes -sha256 -days 3650 -subj '/CN=server'

 3. Generate SHA256 fingerprint of the server certificate

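Review bot: In step 2 the new command keeps -nodes, but the reason for preferring it over -noenc is stated only in the commit message, not in the document itself. OpenSSL 3.0 and later mark -nodes as deprecated, while releases before 3.0 do not accept -noenc, so a reader who "modernises" the line will break the example on older installations. Consider adding one sentence under the command saying that -nodes is kept for compatibility and that server.key is written unencrypted, so it should be readable only by the user running the OpenVPN server.
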
@@ -28,7 +28,7 @@

     openssl x509 -fingerprint -sha256 -in server.crt -noout

-   This output something similar to:
+   This outputs something similar to:
    ::

      SHA256 
Fingerprint=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
@@ -64,6 +64,12 @@
     # Ping every 60s, restart if no data received for 5 minutes
     keepalive 60 300

+    # Uncomment the line below if you want to have persistent IP addresses
+    # ifconfig-pool-persist  /etc/openvpn/server/ipp.txt
+
+    # Uncomment the line below to push a DNS server to clients
+    # push "dhcp-option DNS 1.1.1.1"
+
 5. Add at least one client as described in the client section.

 6. Start the server.
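
Review bot: The two commented-out options added after keepalive are not mentioned in the commit message, which lists only the typo fix and the ec_paramgen_curve change; add a line for them or move them to their own change. In the push line, 1.1.1.1 is a third-party public resolver, so a short comment asking the reader to substitute their own DNS server would keep it from being copied verbatim. The double space after ifconfig-pool-persist can also be dropped.
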
@@ -85,7 +91,7 @@
    different name for each client.
    ::

-      openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -nodes 
-sha256 -days 3650 -subj '/CN=alice'
+      openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 
-keyout - -nodes -sha256 -days 3650 -subj '/CN=alice'

    This generate a certificate and a key for the client. The output of the 
command will look
    something like this:
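
Review bot: The context line after the client command still reads "This generate a certificate and a key for the client"; the same grammar slip is corrected in step 3 by this change, so it should become "This generates" here as well. Because the new command passes -keyout - and has no -out, that sentence could also state explicitly that both the private key and the certificate are written to standard output.
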
@@ -162,7 +168,7 @@
       <peer-fingerprint>
       
ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00
       
99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:88:77:66:55:44:33
-      </peer-fingperint>
+      </peer-fingerprint>

 6. (optional) if the client is an older client that does not support the
    :code:`peer-fingerprint` (e.g. OpenVPN 2.5 and older, OpenVPN Connect 3.3

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/859?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I9a12a0c127908af9f09d88fb3a493df3763d0cc5
Gerrit-Change-Number: 859
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos <arne-open...@rfc2549.org>
Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com>
Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Gerrit-MessageType: newpatchset