diff options
author | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2005-10-15 05:07:29 +0000 |
---|---|---|
committer | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2005-10-15 05:07:29 +0000 |
commit | e83b8190d46352f8a625491b10af19c8b0ac2def (patch) | |
tree | 16df725c18e5d8de8bf50155a47dc565661dc6a3 | |
parent | added *.rej to .svnignore (diff) | |
download | openvpn-e83b8190d46352f8a625491b10af19c8b0ac2def.tar.xz |
Enable the use of --ca together with --pkcs12. If --ca is
used at the same time as --pkcs12, the CA certificate is loaded
from the file specified by --ca regardless if the pkcs12 file
contains a CA cert or not (Mathias Sundman).
Pre-2.1-beta3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@612 e7ae566f-a301-0410-adde-c780ea21d3b5
-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | options.c | 4 | ||||
-rw-r--r-- | ssl.c | 21 |
3 files changed, 18 insertions, 11 deletions
@@ -6,6 +6,10 @@ $Id$ 2005.10.xx -- Version 2.1-beta3 * Added PKCS#11 support (Alon Bar-Lev). +* Enable the use of --ca together with --pkcs12. If --ca is + used at the same time as --pkcs12, the CA certificate is loaded + from the file specified by --ca regardless if the pkcs12 file + contains a CA cert or not (Mathias Sundman). * NOTE TO PACKAGE MAINTAINERS: Moved "plugin" directory to "plugins". This is to work around a strange problem with the @@ -405,7 +405,7 @@ static const char usage_message[] = " by a Certificate Authority in --ca file.\n" "--key file : Local private key in .pem format.\n" "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n" - " and root CA certificate.\n" + " and optionally the root CA certificate.\n" #ifdef ENABLE_PKCS11 "--pkcs11-providers provider ... : PKCS#11 provider to load.\n" "--pkcs11-sign-mode mode ... : PKCS#11 signature method.\n" @@ -1683,8 +1683,6 @@ options_postprocess (struct options *options, bool first_time) #endif if (options->pkcs12_file) { - if (options->ca_file) - msg(M_USAGE, "Parameter --ca cannot be used when --pkcs12 is also specified."); if (options->cert_file) msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified."); if (options->priv_key_file) @@ -833,14 +833,17 @@ init_ssl (const struct options *options) msg (M_SSLERR, "Private key does not match the certificate"); /* Set Certificate Verification chain */ - if (ca && sk_num(ca)) + if (!options->ca_file) { - for (i = 0; i < sk_X509_num(ca); i++) + if (ca && sk_num(ca)) { - if (!X509_STORE_add_cert(ctx->cert_store,sk_X509_value(ca, i))) - msg (M_SSLERR, "Cannot add certificate to certificate chain (X509_STORE_add_cert)"); - if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i))) - msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)"); + for (i = 0; i < sk_X509_num(ca); i++) + { + if (!X509_STORE_add_cert(ctx->cert_store,sk_X509_value(ca, i))) + msg (M_SSLERR, "Cannot add certificate to certificate chain (X509_STORE_add_cert)"); + if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i))) + msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)"); + } } } } @@ -906,7 +909,10 @@ init_ssl (const struct options *options) msg (M_SSLERR, "Private key does not match the certificate"); } } + } + if (options->ca_file) + { /* Load CA file for verifying peer supplied certificate */ ASSERT (options->ca_file); if (!SSL_CTX_load_verify_locations (ctx, options->ca_file, NULL)) @@ -920,9 +926,8 @@ init_ssl (const struct options *options) msg (M_SSLERR, "Cannot load CA certificate file %s (SSL_load_client_CA_file)", options->ca_file); SSL_CTX_set_client_CA_list (ctx, cert_names); } - } - + /* Enable the use of certificate chains */ if (using_cert_file) { |