cron2 has uploaded a new patch set (#2) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/859?usp=email )
The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: Improve peer fingerprint documentation ...................................................................... Improve peer fingerprint documentation - fix typo in peer-fingerprint - use ec_paramgen_curve instead of requiring a subshell Note: we still use -nodes instead of -noenc as it is more compatible. Github: closes OpenVPN/openvpn#666 Change-Id: I9a12a0c127908af9f09d88fb3a493df3763d0cc5 Signed-off-by: Arne Schwabe <a...@rfc2549.org> Acked-by: Frank Lichtenheld <fr...@lichtenheld.com> Message-Id: <20250114134909.31334-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30447.html Signed-off-by: Gert Doering <g...@greenie.muc.de> --- M doc/man-sections/example-fingerprint.rst 1 file changed, 10 insertions(+), 4 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/59/859/2 diff --git a/doc/man-sections/example-fingerprint.rst b/doc/man-sections/example-fingerprint.rst index 7cdda19..31ca0c1 100644 --- a/doc/man-sections/example-fingerprint.rst +++ b/doc/man-sections/example-fingerprint.rst @@ -18,7 +18,7 @@ 2. Generate a self-signed certificate for the server: :: - openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout server.key -out server.crt -nodes -sha256 -days 3650 -subj '/CN=server' + openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -keyout server.key -out server.crt -nodes -sha256 -days 3650 -subj '/CN=server' 3. Generate SHA256 fingerprint of the server certificate @@ -28,7 +28,7 @@ openssl x509 -fingerprint -sha256 -in server.crt -noout - This output something similar to: + This outputs something similar to: :: SHA256 Fingerprint=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff @@ -64,6 +64,12 @@ # Ping every 60s, restart if no data received for 5 minutes keepalive 60 300 + # Uncomment the line below if you want to have persistent IP addresses + # ifconfig-pool-persist /etc/openvpn/server/ipp.txt + + # Uncomment the line below to push a DNS server to clients + # push "dhcp-option DNS 1.1.1.1" + 5. Add at least one client as described in the client section. 6. Start the server. @@ -85,7 +91,7 @@ different name for each client. :: - openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -nodes -sha256 -days 3650 -subj '/CN=alice' + openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -keyout - -nodes -sha256 -days 3650 -subj '/CN=alice' This generate a certificate and a key for the client. The output of the command will look something like this: @@ -162,7 +168,7 @@ <peer-fingerprint> ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00 99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:88:77:66:55:44:33 - </peer-fingperint> + </peer-fingerprint> 6. (optional) if the client is an older client that does not support the :code:`peer-fingerprint` (e.g. OpenVPN 2.5 and older, OpenVPN Connect 3.3 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/859?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I9a12a0c127908af9f09d88fb3a493df3763d0cc5 Gerrit-Change-Number: 859 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos <arne-open...@rfc2549.org> Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com> Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net> Gerrit-MessageType: newpatchset
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
