From 8a3450ef8682b9085637d7b94afc5c7e6f92e64b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?=
Date: Fri, 10 Apr 2020 23:09:59 +0200
Subject: New upstream version 2.4.8
---
 doc/Makefile.in | 3 ---
 doc/openvpn.8 | 18 ++++++++++++------
 2 files changed, 12 insertions(+), 9 deletions(-)
(limited to 'doc')
diff --git a/doc/Makefile.in b/doc/Makefile.in
index 11d3d54..16a7be4 100644
--- a/doc/Makefile.in
+++ b/doc/Makefile.in
@@ -292,9 +292,6 @@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@
 TEST_CFLAGS = @TEST_CFLAGS@
 TEST_LDFLAGS = @TEST_LDFLAGS@
 TMPFILES_DIR = @TMPFILES_DIR@
-VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@
-VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@
-VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@
 VERSION = @VERSION@
 abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 7801701..1662006 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4625,11 +4625,8 @@ they are distributed with OpenVPN, they are totally insecure. Directory containing trusted certificates (CAs and CRLs). Not available with mbed TLS.
-When using the
-.B \-\-capath
-option, you are required to supply valid CRLs for the CAs too. CAs in the
-capath directory are expected to be named .. CRLs are expected to
-be named .r. See the
+CAs in the capath directory are expected to be named .. CRLs are
+expected to be named .r. See the
 .B \-CApath
 option of
 .B openssl verify
@@ -4640,6 +4637,11 @@ option of and
 .B openssl crl for more information.
+
+Similarly to the
+.B \-\-crl\-verify
+option CRLs are not mandatory \- OpenVPN will log the usual warning in the logs
+if the relevant CRL is missing, but the connection will be allowed.
 .\"*********************************************************
 .TP
 .B \-\-dh file
@@ -5374,7 +5376,7 @@ is executed two arguments are appended after any arguments specified in
 .B cmd certificate_depth subject These arguments are, respectively, the current certificate depth and
-the X509 common name (cn) of the peer.
+the X509 subject distinguished name (dn) of the peer.
 This feature is useful if the peer you want to trust has a certificate which was signed by a certificate authority who also signed many
@@ -5611,6 +5613,10 @@ overall integrity of the PKI. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised.
+The option is not mandatory \- if the relevant CRL is missing, OpenVPN will log
+a warning in the logs \- e.g. "\fIVERIFY WARNING: depth=0, unable to get
+certificate CRL\fR" \- but the connection will be allowed.
+
 If the optional
 .B dir flag is specified, enable a different mode where
-- cgit v1.2.3