author | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2005-10-15 05:07:29 +0000 |
---|---|---|
committer | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2005-10-15 05:07:29 +0000 |
commit | e83b8190d46352f8a625491b10af19c8b0ac2def (patch) | |
tree | 16df725c18e5d8de8bf50155a47dc565661dc6a3 /ssl.c | |
parent | added *.rej to .svnignore (diff) | |
Enable the use of --ca together with --pkcs12. If --ca is
used at the same time as --pkcs12, the CA certificate is loaded
from the file specified by --ca regardless of whether the pkcs12 file
contains a CA cert (Mathias Sundman).
Pre-2.1-beta3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@612 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to '')
-rw-r--r-- | ssl.c | 21 |
1 files changed, 13 insertions, 8 deletions
@@ -833,14 +833,17 @@ init_ssl (const struct options *options) msg (M_SSLERR, "Private key does not match the certificate"); /* Set Certificate Verification chain */ - if (ca && sk_num(ca)) + if (!options->ca_file) { - for (i = 0; i < sk_X509_num(ca); i++) + if (ca && sk_num(ca)) { - if (!X509_STORE_add_cert(ctx->cert_store,sk_X509_value(ca, i))) - msg (M_SSLERR, "Cannot add certificate to certificate chain (X509_STORE_add_cert)"); - if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i))) - msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)"); + for (i = 0; i < sk_X509_num(ca); i++) + { + if (!X509_STORE_add_cert(ctx->cert_store,sk_X509_value(ca, i))) + msg (M_SSLERR, "Cannot add certificate to certificate chain (X509_STORE_add_cert)"); + if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i))) + msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)"); + } } } } @@ -906,7 +909,10 @@ init_ssl (const struct options *options) msg (M_SSLERR, "Private key does not match the certificate"); } } + } + if (options->ca_file) + { /* Load CA file for verifying peer supplied certificate */ ASSERT (options->ca_file); if (!SSL_CTX_load_verify_locations (ctx, options->ca_file, NULL)) @@ -920,9 +926,8 @@ init_ssl (const struct options *options) msg (M_SSLERR, "Cannot load CA certificate file %s (SSL_load_client_CA_file)", options->ca_file); SSL_CTX_set_client_CA_list (ctx, cert_names); } - } - + /* Enable the use of certificate chains */ if (using_cert_file) { |
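Review bot: With `--ca` set, the new `if (!options->ca_file)` guard in the first hunk skips every CA certificate carried in the PKCS#12 bundle without logging anything, so the trust anchors actually in effect can differ from what the bundle suggests and the operator has no record of it. A notice in an `else` branch would make the choice auditable, for example `else if (ca && sk_X509_num(ca)) msg (M_WARN, "--ca given, ignoring CA certificates from the PKCS#12 file");`. The moved test also still calls the untyped `sk_num(ca)` while the loop bound uses `sk_X509_num(ca)`; the typed macro in both places would be consistent. init_ssl starts and ends outside this hunk.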
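Review bot: `ASSERT (options->ca_file);` in the second hunk is now dead code, because it sits inside the new `if (options->ca_file)` block and can never fire. The block appears to have been moved out of the non-PKCS#12 branch, where that assertion was a hard requirement; with certificate and key files but no `--ca`, init_ssl now continues without this code loading any CA. Whether option validation elsewhere still rejects that configuration is not visible here. I would drop the ASSERT and fail explicitly when neither this block nor the PKCS#12 branch added a CA, tracking that with a local flag set in both places and checked afterwards with something like `msg (M_SSLERR, "No CA certificate loaded: use --ca or a PKCS#12 file that contains one");`. init_ssl's body continues outside the hunk.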