authorJörg Frings-Fürst <debian@jff-webhosting.net>2017-06-27 13:56:16 +0200
committerJörg Frings-Fürst <debian@jff-webhosting.net>2017-06-27 13:56:16 +0200
commit749384a154025e268b53cf3cc79eaeddde2b3ceb (patch)
tree27baa9e6aec76635d750405d90cd461440a656d1 /doc
parentdb4f04c584f7d4e828b5d317cf40962b9d854ac5 (diff)
initial stretch branch release 2.4.0-6
Diffstat (limited to 'doc')
-rw-r--r--doc/Makefile.in30
-rw-r--r--doc/openvpn.8128
2 files changed, 34 insertions, 124 deletions
diff --git a/doc/Makefile.in b/doc/Makefile.in
index fad3a11..b0998a0 100644
--- a/doc/Makefile.in
+++ b/doc/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.15 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -26,17 +26,7 @@
#
VPATH = @srcdir@
-am__is_gnu_make = { \
- if test -z '$(MAKELEVEL)'; then \
- false; \
- elif test -n '$(MAKE_HOST)'; then \
- true; \
- elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
- true; \
- else \
- false; \
- fi; \
-}
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
@@ -101,6 +91,8 @@ build_triplet = @build@
host_triplet = @host@
@WIN32_TRUE@am__append_1 = openvpn.8
subdir = doc
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+ $(dist_man_MANS) $(dist_doc_DATA) $(am__dist_noinst_DATA_DIST)
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
$(top_srcdir)/m4/ax_socklen_t.m4 \
@@ -111,8 +103,6 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
$(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
-DIST_COMMON = $(srcdir)/Makefile.am $(dist_doc_DATA) \
- $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h \
$(top_builddir)/include/openvpn-plugin.h
@@ -172,7 +162,6 @@ MANS = $(dist_man_MANS)
am__dist_noinst_DATA_DIST = README.plugins openvpn.8
DATA = $(dist_doc_DATA) $(dist_noinst_DATA) $(nodist_html_DATA)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
-am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
@@ -221,7 +210,6 @@ LIBTOOL = @LIBTOOL@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
-LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
LZ4_CFLAGS = @LZ4_CFLAGS@
LZ4_LIBS = @LZ4_LIBS@
LZO_CFLAGS = @LZO_CFLAGS@
@@ -270,7 +258,6 @@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PLUGINDIR = @PLUGINDIR@
PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@
PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@
RANLIB = @RANLIB@
@@ -283,14 +270,12 @@ SHELL = @SHELL@
SOCKETS_LIBS = @SOCKETS_LIBS@
STRIP = @STRIP@
SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
-SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@
TAP_CFLAGS = @TAP_CFLAGS@
TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@
TEST_CFLAGS = @TEST_CFLAGS@
TEST_LDFLAGS = @TEST_LDFLAGS@
-TMPFILES_DIR = @TMPFILES_DIR@
VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@
VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@
VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@
@@ -347,9 +332,7 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
-systemdunitdir = @systemdunitdir@
target_alias = @target_alias@
-tmpfilesdir = @tmpfilesdir@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
@@ -378,6 +361,7 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign doc/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign doc/Makefile
+.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
@@ -648,8 +632,6 @@ uninstall-man: uninstall-man8
ps ps-am tags-am uninstall uninstall-am uninstall-dist_docDATA \
uninstall-man uninstall-man8 uninstall-nodist_htmlDATA
-.PRECIOUS: Makefile
-
@WIN32_TRUE@openvpn.8.html: $(srcdir)/openvpn.8
@WIN32_TRUE@ $(MAN2HTML) < $(srcdir)/openvpn.8 > openvpn.8.html
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 56c0f7a..7bd6d9d 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -15,9 +15,10 @@
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" GNU General Public License for more details.
.\"
-.\" You should have received a copy of the GNU General Public License along
-.\" with this program; if not, write to the Free Software Foundation, Inc.,
-.\" 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program (see the file COPYING included with this
+.\" distribution); if not, write to the Free Software Foundation, Inc.,
+.\" 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
.\"
.\" Manual page for openvpn
.\"
@@ -326,7 +327,7 @@ http\-proxy 192.168.0.8 8080
persist\-key
persist\-tun
pkcs12 client.p12
-remote\-cert\-tls server
+ns\-cert\-type server
verb 3
.in -4
.ft
@@ -2711,34 +2712,6 @@ to the module initialization function. Multiple
plugin modules may be loaded into one OpenVPN
process.
-The
-.B module-pathname
-argument can be just a filename or a filename with a relative
-or absolute path. The format of the filename and path defines
-if the plug-in will be loaded from a default plug-in directory
-or outside this directory.
-
-.nf
-.ft 3
-.in +4
-.B \-\-plugin path\ \ \ \ \ \ \ \ Effective directory used
-====================================================
- myplug.so DEFAULT_DIR/myplug.so
- subdir/myplug.so DEFAULT_DIR/subdir/myplug.so
- ./subdir/myplug.so CWD/subdir/myplug.so
- /usr/lib/my/plug.so /usr/lib/my/plug.so
-.in -4
-.fi
-
-DEFAULT_DIR is replaced by the default plug-in directory,
-which is configured at the build time of OpenVPN. CWD is the
-current directory where OpenVPN was started or the directory
-OpenVPN have swithed into via the
-.B \-\-cd
-option before the
-.B \-\-plugin
-option.
-
For more information and examples on how to build OpenVPN
plug-in modules, see the README file in the
.B plugin
@@ -3996,8 +3969,9 @@ See management\-notes.txt in the OpenVPN distribution for a
description of the OpenVPN challenge/response protocol.
.\"*********************************************************
.TP
-\fB\-\-server\-poll\-timeout n\fR, \fB\-\-connect\-timeout n\fR
-When connecting to a remote server do not wait for more than
+.B \-\-server\-poll\-timeout n
+.B \-\-connect\-timeout n
+when connecting to a remote server do not wait for more than
.B n
seconds waiting for a response before trying the next server.
The default value is 120s. This timeout includes proxy and TCP
@@ -4694,27 +4668,15 @@ and
Not available with PolarSSL.
.\"*********************************************************
.TP
-.B \-\-verify\-hash hash [algo]
-Specify SHA1 or SHA256 fingerprint for level-1 cert. The level-1 cert is the
+.B \-\-verify\-hash hash
+Specify SHA1 fingerprint for level-1 cert. The level-1 cert is the
CA (or intermediate cert) that signs the leaf certificate, and is
one removed from the leaf certificate in the direction of the root.
When accepting a connection from a peer, the level-1 cert
fingerprint must match
.B hash
or certificate verification will fail. Hash is specified
-as XX:XX:... For example:
-
-.nf
-.ft 3
-.in +4
-AD:B0:95:D8:09:C8:36:45:12:A9:89:C8:90:09:CB:13:72:A6:AD:16
-.in -4
-.ft
-.fi
-
-The
-.B algo
-flag can be either SHA1 or SHA256. If not provided, it defaults to SHA1.
+as XX:XX:... For example: AD:B0:95:D8:09:C8:36:45:12:A9:89:C8:90:09:CB:13:72:A6:AD:16
.\"*********************************************************
.TP
.B \-\-pkcs11\-cert\-private [0|1]...
@@ -5102,29 +5064,6 @@ In contrast to
.B \-\-tls\-crypt
does *not* require the user to set
.B \-\-key\-direction\fR.
-
-.B Security Considerations
-
-All peers use the same
-.B \-\-tls-crypt
-pre-shared group key to authenticate and encrypt control channel messages. To
-ensure that IV collisions remain unlikely, this key should not be used to
-encrypt more than 2^48 client-to-server or 2^48 server-to-client control
-channel messages. A typical initial negotiation is about 10 packets in each
-direction. Assuming both initial negotiation and renegotiations are at most
-2^16 (65536) packets (to be conservative), and (re)negotiations happen each
-minute for each user (24/7), this limits the tls\-crypt key lifetime to 8171
-years divided by the number of users. So a setup with 1000 users should rotate
-the key at least once each eight years. (And a setup with 8000 users each
-year.)
-
-If IV collisions were to occur, this could result in the security of
-.B \-\-tls\-crypt
-degrading to the same security as using
-.B \-\-tls\-auth\fR.
-That is, the control channel still benefits from the extra protection against
-active man-in-the-middle-attacks and DoS attacks, but may no longer offer
-extra privacy and post-quantum security on top of what TLS itself offers.
.\"*********************************************************
.TP
.B \-\-askpass [file]
@@ -5308,8 +5247,6 @@ option will match against the chosen
.B fieldname
instead of the Common Name.
-Only the subjectAltName and issuerAltName X.509 extensions are supported.
-
.B Please note:
This option has a feature which will convert an all-lowercase
.B fieldname
@@ -5377,11 +5314,7 @@ as X509_<depth>_<attribute>=<value>. Multiple
options can be defined to track multiple attributes.
.\"*********************************************************
.TP
-.B \-\-ns\-cert\-type client|server (DEPRECATED)
-This option is deprecated. Use the more modern equivalent
-.B \-\-remote\-cert\-tls
-instead. This option will be removed in OpenVPN 2.5.
-
+.B \-\-ns\-cert\-type client|server
Require that peer certificate was signed with an explicit
.B nsCertType
designation of "client" or "server".
@@ -5408,25 +5341,15 @@ or
.B \-\-tls\-verify.
.\"*********************************************************
.TP
-.B \-\-remote\-cert\-ku [v...]
+.B \-\-remote\-cert\-ku v...
Require that peer certificate was signed with an explicit
.B key usage.
-If present in the certificate, the keyUsage value is validated by the TLS
-library during the TLS handshake. Specifying this option without arguments
-requires this extension to be present (so the TLS library will verify it).
-
-If the list
-.B v...
-is also supplied, the keyUsage field must have
-.B at least
-the same bits set as the bits in
-.B one of
-the values supplied in the list
-.B v...
+This is a useful security option for clients, to ensure that
+the host they connect to is a designated server.
-The key usage values in the list must be encoded in hex, e.g.
-"\-\-remote\-cert\-ku a0"
+The key usage should be encoded in hex, more than one key
+usage can be specified.
.\"*********************************************************
.TP
.B \-\-remote\-cert\-eku oid
@@ -5447,21 +5370,24 @@ and
.B extended key usage
based on RFC3280 TLS rules.
-This is a useful security option for clients, to ensure that the host they
-connect to is a designated server. Or the other way around; for a server to
-verify that only hosts with a client certificate can connect.
+This is a useful security option for clients, to ensure that
+the host they connect to is a designated server.
The
.B \-\-remote\-cert\-tls client
option is equivalent to
.B
-\-\-remote\-cert\-ku \-\-remote\-cert\-eku "TLS Web Client Authentication"
+\-\-remote\-cert\-ku 80 08 88 \-\-remote\-cert\-eku "TLS Web Client Authentication"
+
+The key usage is digitalSignature and/or keyAgreement.
The
.B \-\-remote\-cert\-tls server
option is equivalent to
.B
-\-\-remote\-cert\-ku \-\-remote\-cert\-eku "TLS Web Server Authentication"
+\-\-remote\-cert\-ku a0 88 \-\-remote\-cert\-eku "TLS Web Server Authentication"
+
+The key usage is digitalSignature and ( keyEncipherment or keyAgreement ).
This is an important security precaution to protect against
a man-in-the-middle attack where an authorized client
@@ -5893,7 +5819,9 @@ flag.
.TP
.B \-\-dhcp\-release
Ask Windows to release the TAP adapter lease on shutdown.
-This option has no effect now, as it is enabled by default starting with version 2.4.1.
+This option has the same caveats as
+.B \-\-dhcp\-renew
+above.
.\"*********************************************************
.TP
.B \-\-register\-dns