diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index f2ce9264cd9..02205e7eaf5 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -3594,7 +3594,8 @@ do_option_warnings(struct context *c)
 && !o->tls_verify
 && o->verify_x509_type == VERIFY_X509_NONE
 && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
- && !o->remote_cert_eku)
+ && !o->remote_cert_eku
+ && !(o->verify_hash_depth == 0 && o->verify_hash))
 {
 msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
 }
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index c7d7799345c..930769b7796 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -718,8 +718,8 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep
 const char *hex_fp = format_hex_ex(BPTR(&cert_fp), BLEN(&cert_fp), 0, 1, ":", &gc);
 msg(D_TLS_ERRORS, "TLS Error: --tls-verify/--peer-fingerprint"
- "certificate hash verification failed. (got "
- "fingerprint: %s", hex_fp);
+ "certificate hash verification failed. (got certificate "
+ "fingerprint: %s)", hex_fp);
 goto cleanup;
 }
 }
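Review bot: The added clause `!(o->verify_hash_depth == 0 && o->verify_hash)` in do_option_warnings suppresses the missing-server-verification warning with no comment on why only depth 0 qualifies. Since this condition decides whether an operator is told that the server certificate goes unchecked, the reasoning should sit next to it, for example `/* a depth-0 hash pin identifies the peer certificate itself; a pin at a higher depth only fixes an issuer, so the warning stays */`. That reading is inferred from the condition and from the `--peer-fingerprint` wording in the ssl_verify.c message, so confirm it against the option parser before adopting the wording. The function starts outside the hunk.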
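Review bot: The first string literal of the `msg(D_TLS_ERRORS, ...)` call is an unchanged context line that still ends without a space, so the logged text reads `--peer-fingerprintcertificate hash verification failed`. Adding the trailing space, `"TLS Error: --tls-verify/--peer-fingerprint "`, fixes it. This line is what an operator or a log-matching rule sees when a pinned fingerprint does not match, so the fused token makes that event harder to search for. The option named first may also be wrong: the branch compares certificate hashes, which suggests `--verify-hash` rather than `--tls-verify`, but that is inferred and worth confirming. verify_cert starts and ends outside the hunk.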