aboutsummaryrefslogtreecommitdiff
path: root/ssl.c
diff options
context:
space:
mode:
authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2005-10-15 05:07:29 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2005-10-15 05:07:29 +0000
commite83b8190d46352f8a625491b10af19c8b0ac2def (patch)
tree16df725c18e5d8de8bf50155a47dc565661dc6a3 /ssl.c
parentadded *.rej to .svnignore (diff)
downloadopenvpn-e83b8190d46352f8a625491b10af19c8b0ac2def.tar.xz
Enable the use of --ca together with --pkcs12. If --ca is
used at the same time as --pkcs12, the CA certificate is loaded from the file specified by --ca regardless if the pkcs12 file contains a CA cert or not (Mathias Sundman). Pre-2.1-beta3 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@612 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to '')
-rw-r--r--ssl.c21
1 files changed, 13 insertions, 8 deletions
diff --git a/ssl.c b/ssl.c
index 304e6ed..17b418b 100644
--- a/ssl.c
+++ b/ssl.c
@@ -833,14 +833,17 @@ init_ssl (const struct options *options)
msg (M_SSLERR, "Private key does not match the certificate");
/* Set Certificate Verification chain */
- if (ca && sk_num(ca))
+ if (!options->ca_file)
{
- for (i = 0; i < sk_X509_num(ca); i++)
+ if (ca && sk_num(ca))
{
- if (!X509_STORE_add_cert(ctx->cert_store,sk_X509_value(ca, i)))
- msg (M_SSLERR, "Cannot add certificate to certificate chain (X509_STORE_add_cert)");
- if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i)))
- msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
+ for (i = 0; i < sk_X509_num(ca); i++)
+ {
+ if (!X509_STORE_add_cert(ctx->cert_store,sk_X509_value(ca, i)))
+ msg (M_SSLERR, "Cannot add certificate to certificate chain (X509_STORE_add_cert)");
+ if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i)))
+ msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
+ }
}
}
}
@@ -906,7 +909,10 @@ init_ssl (const struct options *options)
msg (M_SSLERR, "Private key does not match the certificate");
}
}
+ }
+ if (options->ca_file)
+ {
/* Load CA file for verifying peer supplied certificate */
ASSERT (options->ca_file);
if (!SSL_CTX_load_verify_locations (ctx, options->ca_file, NULL))
@@ -920,9 +926,8 @@ init_ssl (const struct options *options)
msg (M_SSLERR, "Cannot load CA certificate file %s (SSL_load_client_CA_file)", options->ca_file);
SSL_CTX_set_client_CA_list (ctx, cert_names);
}
-
}
-
+
/* Enable the use of certificate chains */
if (using_cert_file)
{