Changes between Version 15 and Version 16 of Openvpn24ManPage

Timestamp:

10/31/19 08:44:49 (4 years ago)

Author:

Samuli Seppänen

Comment:

--

Openvpn24ManPage

@@ -6 +6 @@
 {{{
 #!html
-<H1>openvpn</H1>
 Section: Maintenance Commands (8)<BR><A HREF="#index">Index</A>
 
@@ -5626 +5625 @@
 Not available with mbed TLS.
 <P>
-When using the
-<B>--capath</B>
-
-option, you are required to supply valid CRLs for the CAs too.  CAs in the
-capath directory are expected to be named &lt;hash&gt;.&lt;n&gt;.  CRLs are expected to
-be named &lt;hash&gt;.r&lt;n&gt;.  See the
+CAs in the capath directory are expected to be named &lt;hash&gt;.&lt;n&gt;. CRLs are
+expected to be named &lt;hash&gt;.r&lt;n&gt;. See the
 <B>-CApath</B>
 
@@ -5647 +5642 @@
 
 for more information.
+<P>
+Similarly to the
+<B>--crl-verify</B>
+
+option CRLs are not mandatory - OpenVPN will log the usual warning in the logs
+if the relevant CRL is missing, but the connection will be allowed.
 
 <DT><B>--dh file</B>
@@ -6537 +6538 @@
 <P>
 These arguments are, respectively, the current certificate depth and
-the X509 common name (cn) of the peer.
+the X509 subject distinguished name (dn) of the peer.
 <P>
 This feature is useful if the peer you want to trust has a certificate
@@ -6831 +6832 @@
 The only time when it would be necessary to rebuild the entire PKI from scratch would be
 if the root certificate key itself was compromised.
+<P>
+The option is not mandatory - if the relevant CRL is missing, OpenVPN will log
+a warning in the logs - e.g. &quot;<I>VERIFY WARNING: depth=0, unable to get
+certificate CRL</I>&quot; - but the connection will be allowed.
 <P>
 If the optional
@@ -9199 +9204 @@
 <A HREF="/man/man2html">man2html</A>,
 using the manual pages.<BR>
-Time: 12:29:12 GMT, February 20, 2019
+Time: 12:38:22 GMT, October 30, 2019
 }}}