Add bracket in fingerprint message and do not warn about missing verification

Github: fixes OpenVPN/openvpn#516 Change-Id: Ia73d53002f4ba2658af18c17cce1b68f79de5781 Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Message-Id: <20240326103853.494572-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28474.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 4b95656536be1f402a55ef5dffe140fa78e7eb51)
2025-05-09 05:31:05 +08:00 · 2024-03-26 11:38:53 +01:00 · 2024-03-26 11:38:53 +01:00 · e36359aa7e
commit e36359aa7e
parent 5591af1769
2 changed files with 4 additions and 3 deletions
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@ -3632,7 +3632,8 @@ do_option_warnings(struct context *c)
        && !o->tls_verify
        && o->verify_x509_type == VERIFY_X509_NONE
        && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
-        && !o->remote_cert_eku)
+        && !o->remote_cert_eku
+        && !(o->verify_hash_depth == 0 && o->verify_hash))
    {
        msg(M_WARN, "WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.");
    }
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@ -718,8 +718,8 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep
            const char *hex_fp = format_hex_ex(BPTR(&cert_fp), BLEN(&cert_fp),
                                               0, 1, ":", &gc);
            msg(D_TLS_ERRORS, "TLS Error: --tls-verify/--peer-fingerprint"
-                "certificate hash verification failed. (got "
-                "fingerprint: %s", hex_fp);
+                "certificate hash verification failed. (got certificate "
+                "fingerprint: %s)", hex_fp);
            goto cleanup;
        }
    }