summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
Diffstat (limited to 'doc')
-rw-r--r--doc/Makefile.in3
-rw-r--r--doc/openvpn.818
2 files changed, 12 insertions, 9 deletions
diff --git a/doc/Makefile.in b/doc/Makefile.in
index 11d3d54..16a7be4 100644
--- a/doc/Makefile.in
+++ b/doc/Makefile.in
@@ -292,9 +292,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@
TEST_CFLAGS = @TEST_CFLAGS@
TEST_LDFLAGS = @TEST_LDFLAGS@
TMPFILES_DIR = @TMPFILES_DIR@
-VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@
-VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@
-VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@
VERSION = @VERSION@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 7801701..1662006 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4625,11 +4625,8 @@ they are distributed with OpenVPN, they are totally insecure.
Directory containing trusted certificates (CAs and CRLs).
Not available with mbed TLS.
-When using the
-.B \-\-capath
-option, you are required to supply valid CRLs for the CAs too. CAs in the
-capath directory are expected to be named <hash>.<n>. CRLs are expected to
-be named <hash>.r<n>. See the
+CAs in the capath directory are expected to be named <hash>.<n>. CRLs are
+expected to be named <hash>.r<n>. See the
.B \-CApath
option of
.B openssl verify
@@ -4640,6 +4637,11 @@ option of
and
.B openssl crl
for more information.
+
+Similarly to the
+.B \-\-crl\-verify
+option CRLs are not mandatory \- OpenVPN will log the usual warning in the logs
+if the relevant CRL is missing, but the connection will be allowed.
.\"*********************************************************
.TP
.B \-\-dh file
@@ -5374,7 +5376,7 @@ is executed two arguments are appended after any arguments specified in
.B cmd certificate_depth subject
These arguments are, respectively, the current certificate depth and
-the X509 common name (cn) of the peer.
+the X509 subject distinguished name (dn) of the peer.
This feature is useful if the peer you want to trust has a certificate
which was signed by a certificate authority who also signed many
@@ -5611,6 +5613,10 @@ overall integrity of the PKI.
The only time when it would be necessary to rebuild the entire PKI from scratch would be
if the root certificate key itself was compromised.
+The option is not mandatory \- if the relevant CRL is missing, OpenVPN will log
+a warning in the logs \- e.g. "\fIVERIFY WARNING: depth=0, unable to get
+certificate CRL\fR" \- but the connection will be allowed.
+
If the optional
.B dir
flag is specified, enable a different mode where