Closed vlk-charles closed 3 months ago
The fingerprint examples in doc/man-sections/example-fingerprint.rst suggest to use openssl x509 -fingerprint -sha256 -in server.crt -noout, which in my tests produces an output with colons just fine.
Our parser tries to err on the side of "being too strict", in general, thus the colons are not optional.
On the formatting of the text message - indeed, this needs to be fixed.
I understand if it is safer to require colons. Ultimately it is the developers' decision. I just wanted to bring it to attention that it can be inconvenient for the user. I agree that most certificate-oriented tools do use colons.
But I also have another suggestion. The following warning is shown even when peer-fingerprint is in use:
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Isn't supplying the fingerprint a verification method in a way?
Describe the bug
The peer-fingerprint option logs a badly formatted line and the supplied fingerprint requires colons.
To Reproduce
Fingerprint format error:
Use a random wrong fingerprint to see the bad string:
Expected behavior
Colons to be optional as they add no meaning and the verification error string to contain an extra space and closing parenthesis (or none at all) like this:
Version information
Additional context
For example neither sha256sum nor openssl dgst -sha256 use colons in their outputs.
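
One way to bridge the format gap discussed in this issue, as an added example that is not part of the issue or of OpenVPN's code: a strict converter that takes a digest as printed by the tools named above and returns the colon-separated form the parser requires. The function names are hypothetical and the sample input is constructed.

```python
import base64
import hashlib
import re

# Exactly one SHA-256 digest: 64 hex digits, bare or as 32 colon-separated bytes.
_DIGEST = re.compile(
    r"(?<![0-9A-Fa-f:])"
    r"((?:[0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}|[0-9A-Fa-f]{64})"
    r"(?![0-9A-Fa-f:])"
)


def normalize_fingerprint(text: str) -> str:
    """Return the SHA-256 digest found in `text` as AA:BB:... (32 bytes).

    `text` may be a bare digest or a whole output line from
    `openssl x509 -fingerprint`, `openssl dgst -sha256` or `sha256sum`.
    Fails closed: anything but exactly one well-formed digest is an error.
    """
    found = _DIGEST.findall(text)
    if len(found) != 1:
        raise ValueError(f"expected exactly one SHA-256 digest, found {len(found)}")
    digits = found[0].replace(":", "").upper()
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))


def fingerprint_from_pem(pem: str) -> str:
    """Fingerprint of the first certificate in a PEM string.

    A certificate fingerprint is the hash of the DER encoding, so the
    base64 body is decoded first; hashing the PEM text itself (what
    sha256sum does on a .pem/.crt file) gives a different value.
    """
    block = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if block is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(block.group(1).split()), validate=True)
    return normalize_fingerprint(hashlib.sha256(der).hexdigest())


if __name__ == "__main__":
    # Constructed input: a sha256sum-style line for placeholder bytes.
    line = hashlib.sha256(b"placeholder").hexdigest() + "  server.der"
    print(normalize_fingerprint(line))
```

Truncated, over-long or duplicated digests raise ValueError instead of being padded or trimmed, so a copy-paste slip cannot silently pin the wrong value.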