[Openvpn-devel] [PATCH applied] Re: script-options.rst: Update ifconfig_* variables

2024-03-26 Thread Gert Doering
Acked-by: Gert Doering 

We're so bad at times at updating documentation...  verified that the
newly documented options exist and do what it says.  Confusing code...

Your patch has been applied to the master and release/2.6 branch (doc).

commit a94226cdc8ed037a6763675aa47e6c821983f174 (master)
commit ea0d9c70a44e3d871136f68bddb0befc299dd692 (release/2.6)
Author: Frank Lichtenheld
Date:   Thu Mar 21 17:16:23 2024 +0100

 script-options.rst: Update ifconfig_* variables

 Signed-off-by: Frank Lichtenheld 
 Acked-by: Gert Doering 
 Message-Id: <20240321161623.2794161-1-fr...@lichtenheld.com>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28438.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [XS] Change in openvpn[master]: Add bracket in fingerprint message and do not warn about missing veri...

2024-03-26 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/546?usp=email )

Change subject: Add bracket in fingerprint message and do not warn about 
missing verification
..

Add bracket in fingerprint message and do not warn about missing verification

Github: fixes OpenVPN/openvpn#516

Change-Id: Ia73d53002f4ba2658af18c17cce1b68f79de5781
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240326103853.494572-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28474.html
Signed-off-by: Gert Doering 
---
M src/openvpn/init.c
M src/openvpn/ssl_verify.c
2 files changed, 4 insertions(+), 3 deletions(-)




diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index f2ce926..02205e7 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -3594,7 +3594,8 @@
 && !o->tls_verify
 && o->verify_x509_type == VERIFY_X509_NONE
 && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
-&& !o->remote_cert_eku)
+&& !o->remote_cert_eku
+&& !(o->verify_hash_depth == 0 && o->verify_hash))
 {
 msg(M_WARN, "WARNING: No server certificate verification method has 
been enabled.  See http://openvpn.net/howto.html#mitm for more info.");
 }
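Review bot: The added clause `!(o->verify_hash_depth == 0 && o->verify_hash)` has no comment saying why only depth 0 silences the warning. As written, a hash configured at any other depth still produces "No server certificate verification method has been enabled"; if that is intended because only a depth-0 hash pins the peer certificate itself, a one-line comment above the clause would make that clear to the next reader of this condition.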
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index c7d7799..930769b 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -718,8 +718,8 @@
 const char *hex_fp = format_hex_ex(BPTR(_fp), BLEN(_fp),
0, 1, ":", );
 msg(D_TLS_ERRORS, "TLS Error: --tls-verify/--peer-fingerprint"
-"certificate hash verification failed. (got "
-"fingerprint: %s", hex_fp);
+"certificate hash verification failed. (got certificate "
+"fingerprint: %s)", hex_fp);
 goto cleanup;
 }
 }
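Review bot: The two adjacent string literals in the msg() call still join without a space: the literal ending in `--peer-fingerprint"` is followed directly by `"certificate hash verification failed`, so the logged text reads `--peer-fingerprintcertificate hash`. Since this hunk already touches the message to add the closing bracket, add a trailing space to the first literal as well.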

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/546?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia73d53002f4ba2658af18c17cce1b68f79de5781
Gerrit-Change-Number: 546
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-CC: ordex 
Gerrit-MessageType: merged


[Openvpn-devel] [XS] Change in openvpn[master]: Add bracket in fingerprint message and do not warn about missing veri...

2024-03-26 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/546?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld


Change subject: Add bracket in fingerprint message and do not warn about 
missing verification
..

Add bracket in fingerprint message and do not warn about missing verification

Github: fixes OpenVPN/openvpn#516

Change-Id: Ia73d53002f4ba2658af18c17cce1b68f79de5781
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240326103853.494572-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28474.html
Signed-off-by: Gert Doering 
---
M src/openvpn/init.c
M src/openvpn/ssl_verify.c
2 files changed, 4 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/46/546/2

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index f2ce926..02205e7 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -3594,7 +3594,8 @@
 && !o->tls_verify
 && o->verify_x509_type == VERIFY_X509_NONE
 && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
-&& !o->remote_cert_eku)
+&& !o->remote_cert_eku
+&& !(o->verify_hash_depth == 0 && o->verify_hash))
 {
 msg(M_WARN, "WARNING: No server certificate verification method has 
been enabled.  See http://openvpn.net/howto.html#mitm for more info.");
 }
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index c7d7799..930769b 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -718,8 +718,8 @@
 const char *hex_fp = format_hex_ex(BPTR(_fp), BLEN(_fp),
0, 1, ":", );
 msg(D_TLS_ERRORS, "TLS Error: --tls-verify/--peer-fingerprint"
-"certificate hash verification failed. (got "
-"fingerprint: %s", hex_fp);
+"certificate hash verification failed. (got certificate "
+"fingerprint: %s)", hex_fp);
 goto cleanup;
 }
 }


Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia73d53002f4ba2658af18c17cce1b68f79de5781
Gerrit-Change-Number: 546
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-CC: ordex 
Gerrit-MessageType: newpatchset


[Openvpn-devel] [PATCH applied] Re: Add bracket in fingerprint message and do not warn about missing verification

2024-03-26 Thread Gert Doering
Added the Github reference to #516

Your patch has been applied to the master and release/2.6 branch (bugfix).

commit 4b95656536be1f402a55ef5dffe140fa78e7eb51 (master)
commit e36359aa7e5193ad002768e90ae660896a5a0fa6 (release/2.6)
Author: Arne Schwabe
Date:   Tue Mar 26 11:38:53 2024 +0100

 Add bracket in fingerprint message and do not warn about missing 
verification

 Signed-off-by: Arne Schwabe 
 Acked-by: Frank Lichtenheld 
 Message-Id: <20240326103853.494572-1-fr...@lichtenheld.com>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28474.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





[Openvpn-devel] [PATCH applied] Re: Fix snprintf/swnprintf related compiler warnings

2024-03-26 Thread Gert Doering
Lightly stared at code and ran client side tests (that exercise proxy).

Your patch has been applied to the master branch.

commit 6889d9e2f1458272ded4c035df40378ace3d7395 (master)
Author: Arne Schwabe
Date:   Tue Mar 26 11:41:01 2024 +0100

 Fix snprintf/swnprintf related compiler warnings

 Signed-off-by: Arne Schwabe 
 Acked-by: Frank Lichtenheld 
 Message-Id: <20240326104101.531291-1-fr...@lichtenheld.com>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28475.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





[Openvpn-devel] [S] Change in openvpn[master]: Fix snprintf/swnprintf related compiler warnings

2024-03-26 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/549?usp=email )

Change subject: Fix snprintf/swnprintf related compiler warnings
..

Fix snprintf/swnprintf related compiler warnings

When openvpn_snprintf is replaced by snprintf the GCC/MSVC compiler
will perform additional checks that the result is not truncated.

This warning can be avoided by either explicitly checking the return value
of snprintf (proxy) or ensuring that it is never truncated (tls crypt)

Change-Id: If23988a05dd53a519c5e57f2aa3b2d10bd29df1d
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240326104101.531291-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28475.html
Signed-off-by: Gert Doering 
---
M src/openvpn/proxy.c
M src/openvpn/socks.c
M src/openvpn/ssl_openssl.c
M src/openvpn/tls_crypt.c
M src/openvpnserv/interactive.c
5 files changed, 25 insertions(+), 17 deletions(-)




diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index c904301..5c1cdcb 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -948,17 +948,21 @@
 }

 /* send digest response */
-openvpn_snprintf(buf, sizeof(buf), "Proxy-Authorization: 
Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", qop=%s, nc=%s, 
cnonce=\"%s\", response=\"%s\"%s",
- username,
- realm,
- nonce,
- uri,
- qop,
- nonce_count,
- cnonce,
- response,
- opaque_kv
- );
+int sret = openvpn_snprintf(buf, sizeof(buf), 
"Proxy-Authorization: Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", 
uri=\"%s\", qop=%s, nc=%s, cnonce=\"%s\", response=\"%s\"%s",
+username,
+realm,
+nonce,
+uri,
+qop,
+nonce_count,
+cnonce,
+response,
+opaque_kv
+);
+if (sret >= sizeof(buf))
+{
+goto error;
+}
 msg(D_PROXY, "Send to HTTP proxy: '%s'", buf);
 if (!send_line_crlf(sd, buf))
 {
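Review bot: `if (sret >= sizeof(buf))` compares an int with a size_t and relies on the call returning snprintf's would-be length, yet the line above it still calls openvpn_snprintf. If that wrapper does not return a length, the check never fires until the replacement mentioned in the commit message lands, so either make the switch in the same change or state the dependency in a comment. Writing the test as `sret < 0 || (size_t) sret >= sizeof(buf)` also handles an error return explicitly instead of through the implicit unsigned conversion.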
diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c
index d842666..b046910 100644
--- a/src/openvpn/socks.c
+++ b/src/openvpn/socks.c
@@ -109,8 +109,11 @@
 "Authentication not possible.");
 goto cleanup;
 }
-openvpn_snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s", (int) 
strlen(creds.username),
- creds.username, (int) strlen(creds.password), 
creds.password);
+int sret = openvpn_snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s",
+(int) strlen(creds.username), creds.username,
+(int) strlen(creds.password), creds.password);
+ASSERT(sret <= sizeof(to_send));
+
 size = send(sd, to_send, strlen(to_send), MSG_NOSIGNAL);

 if (size != strlen(to_send))
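Review bot: `ASSERT(sret <= sizeof(to_send))` accepts `sret == sizeof(to_send)`, which under snprintf semantics is already a truncated result because the terminating NUL needs one byte; proxy.c in this same patch uses `>=` for the failure case, so the bound here should be `<`. The lengths come from creds.username and creds.password, so an over-long credential trips an assertion at this point; the `goto cleanup` path used just above for the other authentication failure would reject it without asserting.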
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 4383e98..6f29c3d 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -2069,7 +2069,7 @@
 #endif

 #ifndef OPENSSL_NO_EC
-char groupname[256];
+char groupname[64];
 if (is_ec)
 {
 size_t len;
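Review bot: `char groupname[64]` shrinks the buffer from 256, but the code that fills it lies outside the hunk. Please confirm that every writer is bounded by `sizeof(groupname)` rather than by a literal 256, and add a short comment on why 64 bytes are enough for a group name.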
@@ -2130,7 +2130,7 @@
 print_cert_details(X509 *cert, char *buf, size_t buflen)
 {
 EVP_PKEY *pkey = X509_get_pubkey(cert);
-char pkeybuf[128] = { 0 };
+char pkeybuf[64] = { 0 };
 print_pkey_details(pkey, pkeybuf, sizeof(pkeybuf));

 char sig[128] = { 0 };
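Review bot: `pkeybuf[64]` is now half the size of `sig[128]` declared right below it, and nothing in the hunk says why the two differ. print_pkey_details() receives `sizeof(pkeybuf)`, so a longer key description is now cut at 63 characters; a comment naming the longest expected string, or the compiler check this size is meant to satisfy, would document the choice.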
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 975d31f..6ef1c7d 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -575,7 +575,7 @@

 char metadata_type_str[4] = { 0 }; /* Max value: 255 */
 openvpn_snprintf(metadata_type_str, sizeof(metadata_type_str),
- "%i", metadata_type);
+ "%i", (uint8_t) metadata_type);
 struct env_set *es = env_set_create(NULL);
 setenv_str(es, "script_type", "tls-crypt-v2-verify");
 setenv_str(es, "metadata_type", metadata_type_str);
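Review bot: The `(uint8_t) metadata_type` cast satisfies the truncation check for the 4-byte buffer, but it wraps silently: if metadata_type can ever hold a value above 255, the script receives a different `metadata_type` than the one that was parsed. Declaring the variable as uint8_t, or rejecting out-of-range values before this point, keeps the "Max value: 255" comment true without needing the cast.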
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index 452633c..d32223c 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -33,6 +33,7 @@
 #include 
 #include 
 #include 

[Openvpn-devel] [S] Change in openvpn[master]: Fix snprintf/swnprintf related compiler warnings

2024-03-26 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#2) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/549?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld


Change subject: Fix snprintf/swnprintf related compiler warnings
..

Fix snprintf/swnprintf related compiler warnings

When openvpn_snprintf is replaced by snprintf the GCC/MSVC compiler
will perform additional checks that the result is not truncated.

This warning can be avoided by either explicitly checking the return value
of snprintf (proxy) or ensuring that it is never truncated (tls crypt)

Change-Id: If23988a05dd53a519c5e57f2aa3b2d10bd29df1d
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
Message-Id: <20240326104101.531291-1-fr...@lichtenheld.com>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28475.html
Signed-off-by: Gert Doering 
---
M src/openvpn/proxy.c
M src/openvpn/socks.c
M src/openvpn/ssl_openssl.c
M src/openvpn/tls_crypt.c
M src/openvpnserv/interactive.c
5 files changed, 25 insertions(+), 17 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/49/549/2

diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index c904301..5c1cdcb 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -948,17 +948,21 @@
 }

 /* send digest response */
-openvpn_snprintf(buf, sizeof(buf), "Proxy-Authorization: 
Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", qop=%s, nc=%s, 
cnonce=\"%s\", response=\"%s\"%s",
- username,
- realm,
- nonce,
- uri,
- qop,
- nonce_count,
- cnonce,
- response,
- opaque_kv
- );
+int sret = openvpn_snprintf(buf, sizeof(buf), 
"Proxy-Authorization: Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", 
uri=\"%s\", qop=%s, nc=%s, cnonce=\"%s\", response=\"%s\"%s",
+username,
+realm,
+nonce,
+uri,
+qop,
+nonce_count,
+cnonce,
+response,
+opaque_kv
+);
+if (sret >= sizeof(buf))
+{
+goto error;
+}
 msg(D_PROXY, "Send to HTTP proxy: '%s'", buf);
 if (!send_line_crlf(sd, buf))
 {
diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c
index d842666..b046910 100644
--- a/src/openvpn/socks.c
+++ b/src/openvpn/socks.c
@@ -109,8 +109,11 @@
 "Authentication not possible.");
 goto cleanup;
 }
-openvpn_snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s", (int) 
strlen(creds.username),
- creds.username, (int) strlen(creds.password), 
creds.password);
+int sret = openvpn_snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s",
+(int) strlen(creds.username), creds.username,
+(int) strlen(creds.password), creds.password);
+ASSERT(sret <= sizeof(to_send));
+
 size = send(sd, to_send, strlen(to_send), MSG_NOSIGNAL);

 if (size != strlen(to_send))
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 4383e98..6f29c3d 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -2069,7 +2069,7 @@
 #endif

 #ifndef OPENSSL_NO_EC
-char groupname[256];
+char groupname[64];
 if (is_ec)
 {
 size_t len;
@@ -2130,7 +2130,7 @@
 print_cert_details(X509 *cert, char *buf, size_t buflen)
 {
 EVP_PKEY *pkey = X509_get_pubkey(cert);
-char pkeybuf[128] = { 0 };
+char pkeybuf[64] = { 0 };
 print_pkey_details(pkey, pkeybuf, sizeof(pkeybuf));

 char sig[128] = { 0 };
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 975d31f..6ef1c7d 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -575,7 +575,7 @@

 char metadata_type_str[4] = { 0 }; /* Max value: 255 */
 openvpn_snprintf(metadata_type_str, sizeof(metadata_type_str),
- "%i", metadata_type);
+ "%i", (uint8_t) metadata_type);
 struct env_set *es = env_set_create(NULL);
 setenv_str(es, "script_type", "tls-crypt-v2-verify");
 setenv_str(es, "metadata_type", metadata_type_str);
diff --git 

[Openvpn-devel] [PATCH v1] Fix snprintf/swnprintf related compiler warnings

2024-03-26 Thread Frank Lichtenheld
From: Arne Schwabe 

When openvpn_snprintf is replaced by snprintf the GCC/MSVC compiler
will perform additional checks that the result is not truncated.

This warning can be avoided by either explicitly checking the return value
of snprintf (proxy) or ensuring that it is never truncated (tls crypt)

Change-Id: If23988a05dd53a519c5e57f2aa3b2d10bd29df1d
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/549
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Frank Lichtenheld 

Note: Missing word in commit message added for submission.


diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index c904301..5c1cdcb 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -948,17 +948,21 @@
 }
 
 /* send digest response */
-openvpn_snprintf(buf, sizeof(buf), "Proxy-Authorization: 
Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", qop=%s, nc=%s, 
cnonce=\"%s\", response=\"%s\"%s",
- username,
- realm,
- nonce,
- uri,
- qop,
- nonce_count,
- cnonce,
- response,
- opaque_kv
- );
+int sret = openvpn_snprintf(buf, sizeof(buf), 
"Proxy-Authorization: Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", 
uri=\"%s\", qop=%s, nc=%s, cnonce=\"%s\", response=\"%s\"%s",
+username,
+realm,
+nonce,
+uri,
+qop,
+nonce_count,
+cnonce,
+response,
+opaque_kv
+);
+if (sret >= sizeof(buf))
+{
+goto error;
+}
 msg(D_PROXY, "Send to HTTP proxy: '%s'", buf);
 if (!send_line_crlf(sd, buf))
 {
diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c
index d842666..b046910 100644
--- a/src/openvpn/socks.c
+++ b/src/openvpn/socks.c
@@ -109,8 +109,11 @@
 "Authentication not possible.");
 goto cleanup;
 }
-openvpn_snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s", (int) 
strlen(creds.username),
- creds.username, (int) strlen(creds.password), 
creds.password);
+int sret = openvpn_snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s",
+(int) strlen(creds.username), creds.username,
+(int) strlen(creds.password), creds.password);
+ASSERT(sret <= sizeof(to_send));
+
 size = send(sd, to_send, strlen(to_send), MSG_NOSIGNAL);
 
 if (size != strlen(to_send))
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 4383e98..6f29c3d 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -2069,7 +2069,7 @@
 #endif
 
 #ifndef OPENSSL_NO_EC
-char groupname[256];
+char groupname[64];
 if (is_ec)
 {
 size_t len;
@@ -2130,7 +2130,7 @@
 print_cert_details(X509 *cert, char *buf, size_t buflen)
 {
 EVP_PKEY *pkey = X509_get_pubkey(cert);
-char pkeybuf[128] = { 0 };
+char pkeybuf[64] = { 0 };
 print_pkey_details(pkey, pkeybuf, sizeof(pkeybuf));
 
 char sig[128] = { 0 };
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 975d31f..6ef1c7d 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -575,7 +575,7 @@
 
 char metadata_type_str[4] = { 0 }; /* Max value: 255 */
 openvpn_snprintf(metadata_type_str, sizeof(metadata_type_str),
- "%i", metadata_type);
+ "%i", (uint8_t) metadata_type);
 struct env_set *es = env_set_create(NULL);
 setenv_str(es, "script_type", "tls-crypt-v2-verify");
 setenv_str(es, "metadata_type", metadata_type_str);
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index 452633c..d32223c 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -33,6 +33,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 
@@ -2002,7 +2003,7 @@
 ReturnLastError(pipe, L"malloc");
 goto out;
 }
-openvpn_swprintf(cmdline, cmdline_size, L"openvpn %ls --msg-channel %lu",
+openvpn_swprintf(cmdline, cmdline_size, L"openvpn %ls 

[Openvpn-devel] [PATCH v1] Add bracket in fingerprint message and do not warn about missing verification

2024-03-26 Thread Frank Lichtenheld
From: Arne Schwabe 

Change-Id: Ia73d53002f4ba2658af18c17cce1b68f79de5781
Signed-off-by: Arne Schwabe 
Acked-by: Frank Lichtenheld 
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/546
This mail reflects revision 1 of this Change.

Signed-off-by line for the author was added as per our policy.

Acked-by according to Gerrit (reflected above):
Frank Lichtenheld 

Note: Missing whitespace added for submission.


diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index f2ce926..a398920 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -3594,7 +3594,8 @@
 && !o->tls_verify
 && o->verify_x509_type == VERIFY_X509_NONE
 && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
-&& !o->remote_cert_eku)
+&& !o->remote_cert_eku
+&& !(o->verify_hash_depth == 0 && o->verify_hash))
 {
 msg(M_WARN, "WARNING: No server certificate verification method has 
been enabled.  See http://openvpn.net/howto.html#mitm for more info.");
 }
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index c7d7799..930769b 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -718,8 +718,8 @@
 const char *hex_fp = format_hex_ex(BPTR(_fp), BLEN(_fp),
0, 1, ":", );
 msg(D_TLS_ERRORS, "TLS Error: --tls-verify/--peer-fingerprint"
-"certificate hash verification failed. (got "
-"fingerprint: %s", hex_fp);
+"certificate hash verification failed. (got certificate "
+"fingerprint: %s)", hex_fp);
 goto cleanup;
 }
 }




[Openvpn-devel] [S] Change in openvpn[master]: Fix snprintf/swnprintf related compiler warnings

2024-03-26 Thread flichtenheld (Code Review)
Attention is currently required from: plaisthos.

flichtenheld has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/549?usp=email )

Change subject: Fix snprintf/swnprintf related compiler warnings
..


Patch Set 1: Code-Review+2

(2 comments)

Commit Message:

http://gerrit.openvpn.net/c/openvpn/+/549/comment/2124d3d9_d4975207 :
PS1, Line 12: This warning can be avoid by either explicitly the return value
missing "checking"


Patchset:

PS1:
Except the error in commit message looks good



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/549?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If23988a05dd53a519c5e57f2aa3b2d10bd29df1d
Gerrit-Change-Number: 549
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Comment-Date: Tue, 26 Mar 2024 10:28:44 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
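
The two ways of satisfying the compiler's truncation check that the commit message of change 549 names (checking the return value of snprintf, or bounding the formatted value so it always fits), shown as an added example that is not OpenVPN code. The names `format_checked`, `build_auth_header` and `format_metadata_type`, the shortened header format and the sample strings are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not an OpenVPN function: true only if the whole
 * string plus its terminating NUL fit into dst. */
static bool
format_checked(char *dst, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int ret = vsnprintf(dst, size, fmt, ap);
    va_end(ap);
    /* ret < 0 is an output error; ret >= size means truncation.
     * ret == size is already truncated because the NUL needs a byte. */
    return ret >= 0 && (size_t) ret < size;
}

/* Approach 1: check the result and fail instead of using a cut-off line.
 * Returns the header length, or -1 if it does not fit. */
int
build_auth_header(char *buf, size_t size, const char *user, const char *realm)
{
    if (!format_checked(buf, size,
                        "Proxy-Authorization: Digest username=\"%s\", realm=\"%s\"",
                        user, realm))
    {
        if (size > 0)
        {
            buf[0] = '\0';
        }
        return -1;
    }
    return (int) strlen(buf);
}

/* Approach 2: bound the value so the 4-byte buffer can never be too small.
 * Out-of-range input is rejected here rather than wrapped by a cast. */
int
format_metadata_type(char out[4], int metadata_type)
{
    if (metadata_type < 0 || metadata_type > UINT8_MAX)
    {
        return -1;
    }
    return snprintf(out, 4, "%u", (unsigned int) (uint8_t) metadata_type);
}

int
main(void)
{
    char line[64], tiny[16], type_str[4];   /* constructed sample sizes */
    printf("fits: %d\n", build_auth_header(line, sizeof(line), "alice", "vpn"));
    printf("too small: %d\n", build_auth_header(tiny, sizeof(tiny), "alice", "vpn"));
    printf("exact fit ok: %d\n", format_checked(tiny, 8, "%s", "12345678"));
    printf("type 255: %d, type 256: %d\n",
           format_metadata_type(type_str, 255), format_metadata_type(type_str, 256));
    return 0;
}
```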