| author | David Sommerseth | 2017-06-28 21:15:38 +0200 |
|---|---|---|
| committer | Gert Doering | 2017-06-29 20:45:17 +0200 |
| commit | f9ebfe1b5a011e55fb87a5026b1897c8ffb8f75e (patch) | |
| tree | a97981dbd9cdbaddd253e7e17909e839bdcfe6b8 /Changes.rst | |
| parent | 3be9a1c1cd75627c30dca05bed28c84ad4dc1d37 (diff) | |
doc: The CRL processing is not a deprecated feature
The note related to the CRL processing was somehow put into
the deprecated section. This is quite confusing.
Since this is a fairly important change, and there have been
a noticeable amount of support questions related to OpenVPN
not starting due to CRL errors, I put this into the
"New features" section labelled as an improvement. Otherwise
I fear this would drown in the list of "User-visible Changes"
later on.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170628191538.9135-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14985.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'Changes.rst')
-rw-r--r-- | Changes.rst | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/Changes.rst b/Changes.rst index 9db0a45..0b2b04d 100644 --- a/Changes.rst +++ b/Changes.rst @@ -44,6 +44,13 @@ ECDH key exchange The TLS control channel now supports for elliptic curve diffie-hellmann key exchange (ECDH). +Improved Certificate Revocation List (CRL) processing + CRLs are now handled by the crypto library (OpenSSL or mbed TLS), instead + of inside OpenVPN itself. The crypto library implementations are more + strict than the OpenVPN implementation was. This might reject peer + certificates that would previously be accepted. If this occurs, OpenVPN + will log the crypto library's error description. + Dualstack round-robin DNS client connect Instead of only using the first address of each ``--remote`` OpenVPN will now try all addresses (IPv6 and IPv4) of a ``--remote`` entry. @@ -160,12 +167,6 @@ Deprecated features will then use ``--key-method 2`` by default. Note that this requires changing the option in both the client and server side configs. -- CRLs are now handled by the crypto library (OpenSSL or mbed TLS), instead of - inside OpenVPN itself. The crypto library implementations are more strict - than the OpenVPN implementation was. This might reject peer certificates - that would previously be accepted. If this occurs, OpenVPN will log the - crypto library's error description. - - ``--tls-remote`` is removed in 2.4, as indicated in the 2.3 man-pages. Similar functionality is provided via ``--verify-x509-name``, which does the same job in a better way. |
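Review bot: the relocated entry in the first hunk ("Improved Certificate Revocation List (CRL) processing") only says that stricter handling "might reject peer certificates" and that "OpenVPN will log the crypto library's error description", while the commit message motivates the move with support questions about OpenVPN not starting due to CRL errors. Since the point of moving it to "New features" is to keep operators from missing it, consider adding one sentence to that paragraph stating the practical consequence and what to check, e.g. "If OpenVPN refuses to start or rejects a peer after upgrading, inspect the logged crypto library error and verify that the configured CRL is well-formed and valid." The wording of the second hunk is just the deletion of the identical text from "Deprecated features", and the switch from the bullet form there to the definition-list form used by the neighbouring "ECDH key exchange" entry is consistent with the rest of that section.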