From: Gert D. <ge...@gr...> - 2017-03-02 21:26:35
Hi,

On Thu, Mar 02, 2017 at 09:36:32PM +0100, Steffan Karger wrote:
> So, what I propose instead is:
> * remove all the nsCertType code (except the option in add_option())
> * update the help strings and man page to indicate that --ns-cert-type
> is no longer supported and --remote-cert-tls should be used instead
> * in add_option(), if the option is enabled in a config file, act as if
> --remote-cert-tls was specified correspondingly, and print a clear
> warning that --ns-cert-type is no longer supported and stricter checks
> are enabled instead.

Mmmmh. Is there a way to get the old behaviour with OpenSSL 1.1?

We decided that we do want 1.1 compatibility in release/2.4, but what you propose might break people's working config when upgrading from 2.4.1 to 2.4.2 - bad enough if we make mistakes, but if there is an alternative to consciously changing cert validation behaviour in the middle of a release train, we should look again...

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ge...@gr...
fax: +49-89-35655025 ge...@ne...
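The fallback Steffan proposes, a config-level sketch added here as an example (this is not OpenVPN's own add_option() code; the server/client argument mapping is taken from the OpenVPN manual, and the sample config is constructed). It rewrites each `ns-cert-type <role>` line to `remote-cert-tls <role>`, records the warning the user should see, and refuses an unknown role rather than silently dropping the check:

```python
"""Added example, not OpenVPN project code: migrate the deprecated
ns-cert-type directive to remote-cert-tls and report it."""
import re

# Assumed from the OpenVPN manual: both directives take the same peer-role
# argument; remote-cert-tls checks extended key usage / key usage instead
# of the Netscape certificate-type extension that ns-cert-type relied on.
_ROLE_MAP = {"server": "server", "client": "client"}
# Matches "ns-cert-type <role>" (optionally with a leading "--"), no inline comments.
_DIRECTIVE = re.compile(r"^(\s*)(?:--)?ns-cert-type\s+(\S+)\s*$")

# Constructed sample client config containing the deprecated directive.
SAMPLE_CONFIG = """\
# constructed sample client config
client
dev tun
remote vpn.example.test 1194
ns-cert-type server
verb 3
"""


def migrate_config(lines):
    """Return (rewritten_lines, warnings).

    Every 'ns-cert-type <role>' line becomes 'remote-cert-tls <role>' and
    adds a warning; comments and other directives pass through unchanged.
    An unsupported role raises ValueError instead of weakening validation.
    """
    out, warnings = [], []
    for lineno, line in enumerate(lines, 1):
        stripped = line.lstrip()
        # Blank and comment lines ('#' or ';') are left untouched.
        if not stripped or stripped.startswith(("#", ";")):
            out.append(line)
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            out.append(line)
            continue
        indent, role = m.group(1), m.group(2)
        if role not in _ROLE_MAP:
            raise ValueError(
                f"line {lineno}: unsupported ns-cert-type argument {role!r}")
        out.append(f"{indent}remote-cert-tls {_ROLE_MAP[role]}")
        warnings.append(
            f"line {lineno}: --ns-cert-type is no longer supported; "
            f"enabling --remote-cert-tls {role} instead (stricter checks)")
    return out, warnings


if __name__ == "__main__":
    rewritten, warns = migrate_config(SAMPLE_CONFIG.splitlines())
    for w in warns:
        print("WARNING:", w)
    print("\n".join(rewritten))
```

Running the script prints one warning for line 5 of the sample and the rewritten config with `remote-cert-tls server` in its place; a directive such as `ns-cert-type bogus` is rejected with a ValueError so a typo cannot turn into a config with no peer-role check at all.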