author: Arne Schwabe, 2021-03-21 15:33:53 +0100
committer: Gert Doering, 2021-03-21 19:45:43 +0100
commit: c3a7065d5bec0ca4ad479e27c124e74fbd7c2234
tree: 08f4093d2ad68b69f9c4ffd4cd4e43b6ea71b5c5 /Changes.rst
parent: d1fe6d52ca066ec2d49712081d5056825c8973b2
Implement peer-fingerprint to check fingerprint of peer certificate
This option allows pinning one or more peer certificates. It also prepares for doing TLS authentication without a CA and just self-signed certificates.

Patch V2: Allow peer-fingerprint to be specified multiple times to allow multiple peers without needing to use inline syntax (e.g. on command line).

Patch V3: rebase on v3 of 1/4, reword message of verify-hash and peer-fingerprint incompatibility

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210321143353.2677-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20210321143353.2677-1-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'Changes.rst')
-rw-r--r-- Changes.rst 6
1 files changed, 6 insertions, 0 deletions
diff --git a/Changes.rst b/Changes.rst
index d6be105..c0e0d5d 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -19,6 +19,12 @@ Compatibility with OpenSSL in FIPS mode
and if less than 100MB RAM are available, use setrlimit() to upgrade
the limit. See Trac #1390. Not available on OpenSolaris.
+Certificate pinning/verify peer fingerprint
+ The ``--peer-fingerprint`` option has been introduced to give users an
+ easy to use alternative to the ``tls-verify`` for matching the
+ fingerprint of the peer. The option takes use a number of allowed
+ SHA256 certificate fingerprints.
+
Deprecated features
-------------------
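Review bot: The last sentence of the new "Certificate pinning/verify peer fingerprint" entry is garbled: "The option takes use a number of allowed SHA256 certificate fingerprints" should read something like "The option takes one or more allowed SHA256 certificate fingerprints." In the same entry, ``tls-verify`` is written without leading dashes while ``--peer-fingerprint`` has them; use ``--tls-verify`` and drop the stray "the" before it. The commit message also says the option may be given multiple times and is incompatible with verify-hash; a short sentence on both would help users reading the changelog, since they affect how an existing configuration can adopt pinning.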