[network-manager-openvpn/th/tls-remote-workaround-bgo776045: 4/4] properties: discourage use of tls-remote in GUI



commit 1c2986b8881b3b28d493f66cc804da12712cc2a7
Author: Thomas Haller <thaller redhat com>
Date:   Mon Feb 13 12:56:27 2017 +0100

    properties: discourage use of tls-remote in GUI
    
    Mark the entry as "error" when selecting the deprecated
    tls-remote option.
    
    This makes it more apparent to the user that this setting
    should be avoided.

 properties/auth-helpers.c       |   14 ++++++++++++--
 properties/import-export.c      |    2 +-
 properties/nm-openvpn-dialog.ui |    2 ++
 3 files changed, 15 insertions(+), 3 deletions(-)
---
diff --git a/properties/auth-helpers.c b/properties/auth-helpers.c
index d212874..daf366c 100644
--- a/properties/auth-helpers.c
+++ b/properties/auth-helpers.c
@@ -1245,7 +1245,7 @@ populate_tls_remote_mode_entry_combo (GtkEntry* entry, GtkComboBox *box,
 
        gtk_list_store_append (store, &iter);
        gtk_list_store_set (store, &iter,
-                           TLS_REMOTE_MODE_COL_NAME, _("Verify subject partially (legacy mode)"),
+                           TLS_REMOTE_MODE_COL_NAME, _("Verify subject partially (legacy mode, strongly 
discouraged)"),
                            TLS_REMOTE_MODE_COL_VALUE, TLS_REMOTE_MODE_LEGACY,
                            -1);
 
@@ -1284,6 +1284,7 @@ tls_remote_changed (GtkWidget *widget, gpointer user_data)
        GtkWidget *entry, *combo, *ok_button;
        GtkTreeIter iter;
        gboolean entry_enabled = TRUE, entry_has_error = FALSE;
+       gboolean legacy_tls_remote = FALSE;
 
        entry     = GTK_WIDGET (gtk_builder_get_object (builder, "tls_remote_entry"));
        combo     = GTK_WIDGET (gtk_builder_get_object (builder, "tls_remote_mode_combo"));
@@ -1306,6 +1307,7 @@ tls_remote_changed (GtkWidget *widget, gpointer user_data)
 
                        entry_enabled = TRUE;
                        entry_has_error = !subject || !subject[0];
+                       legacy_tls_remote = nm_streq (tls_remote_mode, TLS_REMOTE_MODE_LEGACY);
                }
        }
 
@@ -1314,9 +1316,17 @@ tls_remote_changed (GtkWidget *widget, gpointer user_data)
                widget_set_error (entry);
                gtk_widget_set_sensitive (ok_button, FALSE);
        } else {
-               widget_unset_error (entry);
+               if (legacy_tls_remote) {
+                       /* selecting tls-remote is not an error, but strongly discouraged. I wish
+                        * there would be a warning-class as well. Anyway, mark the widget as
+                        * erroneous, although this doesn't make the connection invalid (which
+                        * is an ugly inconsistency). */
+                       widget_set_error (entry);
+               } else
+                       widget_unset_error (entry);
                gtk_widget_set_sensitive (ok_button, TRUE);
        }
+
 }
 
 static void
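Review bot: The legacy branch's new `widget_set_error (entry)` call reuses the same error styling as the empty-subject case a few lines above, so the user sees a flagged entry with no indication of why, nor that the connection is still accepted (the OK button stays sensitive). The added comment itself admits this is an inconsistency; if widget_set_error() applies GTK_STYLE_CLASS_ERROR, note that GTK 3 also ships GTK_STYLE_CLASS_WARNING, which is the warning class the comment wishes for and would distinguish "discouraged" from "invalid". At minimum, tell the user the reason inline, e.g. `gtk_widget_set_tooltip_text (entry, _("tls-remote is deprecated and removed in OpenVPN 2.4; use verify-x509-name instead"));` in the legacy branch and `gtk_widget_set_tooltip_text (entry, NULL);` in the else branch. The blank line added just before the closing brace is stray whitespace; the start of tls_remote_changed lies outside this hunk.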
diff --git a/properties/import-export.c b/properties/import-export.c
index 1993026..7b42e0b 100644
--- a/properties/import-export.c
+++ b/properties/import-export.c
@@ -1256,7 +1256,7 @@ do_import (const char *path, const char *contents, gsize contents_len, GError **
                }
 
                if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_VERIFY_X509_NAME)) {
-                       const char *type = "subject";
+                       const char *type = NM_OPENVPN_VERIFY_X509_NAME_TYPE_SUBJECT;
                        gs_free char *item = NULL;
 
                        if (!args_params_check_nargs_minmax (params, 1, 2, &line_error))
diff --git a/properties/nm-openvpn-dialog.ui b/properties/nm-openvpn-dialog.ui
index f0dd55c..a3cc25c 100644
--- a/properties/nm-openvpn-dialog.ui
+++ b/properties/nm-openvpn-dialog.ui
@@ -1950,6 +1950,8 @@ When enabled, connection will only succeed if the server certificate matches som
 Matching can either apply to the whole certificate subject (all the fields),
 or just the Common Name (CN field).
 
+The legacy option tls-remote is deprecated and removed from OpenVPN 2.4 and newer. Do not use it anymore.
+
 config: verify-x509-name subject-or-name [mode]
 config (legacy mode): tls-remote subject-or-name</property>
                             <property name="model">model9</property>
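Review bot: The new hint text says tls-remote is deprecated and removed but not what the user should pick instead, even though the replacement is shown two lines below in the config examples. Naming it directly makes the advice actionable: `The legacy option tls-remote is deprecated and was removed in OpenVPN 2.4; use verify-x509-name instead.` The combo label changed in the same commit calls legacy mode a partial subject check, so the hint could also mention that this mode verifies less of the certificate subject, which is presumably why it is discouraged; confirm the exact wording against the OpenVPN documentation before stating it.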

