author: Steffan Karger, 2017-03-04 19:49:57 +0100
committer: Gert Doering, 2017-03-19 17:17:52 +0100
commit: 57637d0f677d824dacdc83d858357ccc80723f45
tree: 8f8e1d4ad76904a1e94ebb5f5bfada08dfd9645d /src/openvpn/options.c
parent: ce40258ddd0170df60633baab2c3d17f2c104671
Deprecate --ns-cert-type
The nsCertType x509 extension is very old, and barely used. We already have had an alternative for a long time: --remote-cert-tls uses the far more common keyUsage and extendedKeyUsage extensions instead.

OpenSSL 1.1 no longer exposes an API to (separately) check the nsCertType x509 extension. Since we want to be able to migrate to OpenSSL 1.1, we should deprecate this option immediately.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1488653397-2309-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14222.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2dc332266449d5378f1fe04f950cbebf128ec9c9)
Diffstat (limited to 'src/openvpn/options.c')
-rw-r--r-- src/openvpn/options.c 4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 6682bb7..a104bb0 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -636,8 +636,8 @@ static const char usage_message[] =
"--verify-x509-name name: Accept connections only from a host with X509 subject\n"
" DN name. The remote host must also pass all other tests\n"
" of verification.\n"
- "--ns-cert-type t: Require that peer certificate was signed with an explicit\n"
- " nsCertType designation t = 'client' | 'server'.\n"
+ "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
+ " an explicit nsCertType designation t = 'client' | 'server'.\n"
"--x509-track x : Save peer X509 attribute x in environment for use by\n"
" plugins and management interface.\n"
#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
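Review bot: the added "--ns-cert-type t: (DEPRECATED) ..." line ends with a space before the "\n" ("signed with \n"), which puts trailing whitespace into the usage output; drop that space. The help text also marks the option as deprecated without naming what to use instead, although the commit message identifies --remote-cert-tls as the long-standing alternative; a short "use --remote-cert-tls instead" on the second line would tell users how to migrate. The diffstat for this file shows only these two usage_message lines changing, so no runtime warning is added here; if the option is not already warned about elsewhere when it is actually used, consider adding one, since a note in --help is easy to miss in existing configurations.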