-rw-r--r--ChangeLog4
-rw-r--r--options.c4
-rw-r--r--ssl.c21
3 files changed, 18 insertions, 11 deletions
diff --git a/ChangeLog b/ChangeLog
index 0658da6..aa03feb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,10 @@ $Id$
2005.10.xx -- Version 2.1-beta3
* Added PKCS#11 support (Alon Bar-Lev).
+* Enable the use of --ca together with --pkcs12. If --ca is
+ used at the same time as --pkcs12, the CA certificate is loaded
+ from the file specified by --ca regardless if the pkcs12 file
+ contains a CA cert or not (Mathias Sundman).
* NOTE TO PACKAGE MAINTAINERS: Moved "plugin"
directory to "plugins". This is
to work around a strange problem with the
diff --git a/options.c b/options.c
index c7e788f..fa911b6 100644
--- a/options.c
+++ b/options.c
@@ -405,7 +405,7 @@ static const char usage_message[] =
" by a Certificate Authority in --ca file.\n"
"--key file : Local private key in .pem format.\n"
"--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
- " and root CA certificate.\n"
+ " and optionally the root CA certificate.\n"
#ifdef ENABLE_PKCS11
"--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
"--pkcs11-sign-mode mode ... : PKCS#11 signature method.\n"
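Review bot: The reworded usage line for --pkcs12 says the CA certificate is optional but does not tell the user what happens when both --pkcs12 and --ca are supplied, which is the behaviour this commit introduces (the ChangeLog entry states --ca wins). Since the usage text is the only help most users see, the precedence belongs there too, e.g. `" and optionally the root CA certificate (ignored when --ca is also given).\n"`. The usage_message array starts and ends outside this hunk.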
@@ -1683,8 +1683,6 @@ options_postprocess (struct options *options, bool first_time)
#endif
if (options->pkcs12_file)
{
- if (options->ca_file)
- msg(M_USAGE, "Parameter --ca cannot be used when --pkcs12 is also specified.");
if (options->cert_file)
msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
if (options->priv_key_file)
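Review bot: With the --ca/--pkcs12 exclusion check removed, nothing in options_postprocess records that the two options are now deliberately allowed together and that --ca takes precedence, so a future reader may reinstate the check as an "obvious" omission. A one-line comment where the removed lines stood would prevent that: `/* --ca may be combined with --pkcs12; the --ca file then supersedes any CA in the PKCS#12 (see init_ssl). */`. The enclosing options_postprocess body continues outside the hunk.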
diff --git a/ssl.c b/ssl.c
index 304e6ed..17b418b 100644
--- a/ssl.c
+++ b/ssl.c
@@ -833,14 +833,17 @@ init_ssl (const struct options *options)
msg (M_SSLERR, "Private key does not match the certificate");
/* Set Certificate Verification chain */
- if (ca && sk_num(ca))
+ if (!options->ca_file)
{
- for (i = 0; i < sk_X509_num(ca); i++)
+ if (ca && sk_num(ca))
{
- if (!X509_STORE_add_cert(ctx->cert_store,sk_X509_value(ca, i)))
- msg (M_SSLERR, "Cannot add certificate to certificate chain (X509_STORE_add_cert)");
- if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i)))
- msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
+ for (i = 0; i < sk_X509_num(ca); i++)
+ {
+ if (!X509_STORE_add_cert(ctx->cert_store,sk_X509_value(ca, i)))
+ msg (M_SSLERR, "Cannot add certificate to certificate chain (X509_STORE_add_cert)");
+ if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i)))
+ msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
+ }
}
}
}
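Review bot: In the new `if (!options->ca_file)` branch, a PKCS#12 file that carries no CA certificate still passes silently: the inner `if (ca && sk_num(ca))` just skips, leaving cert_store empty, so the misconfiguration only shows up later as a peer-verification failure at handshake rather than at startup. Now that the usage text advertises the CA as optional in the PKCS#12, an explicit `else msg (M_SSLERR, "No CA certificate found in --pkcs12 file and no --ca specified");` on the inner condition would report it where the operator can see it. As a minor style point, the new lines mix `sk_num(ca)` and `sk_X509_num(ca)` on the same stack; using `sk_X509_num` for both keeps the type-specific accessor consistent. The init_ssl body continues on both sides of this hunk.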
@@ -906,7 +909,10 @@ init_ssl (const struct options *options)
msg (M_SSLERR, "Private key does not match the certificate");
}
}
+ }
+ if (options->ca_file)
+ {
/* Load CA file for verifying peer supplied certificate */
ASSERT (options->ca_file);
if (!SSL_CTX_load_verify_locations (ctx, options->ca_file, NULL))
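Review bot: `ASSERT (options->ca_file);` is now tautological, since the added `if (options->ca_file)` immediately above guards the same pointer; it can be dropped, or replaced by a comment that explains why this branch is unconditional on the PKCS#12 contents, e.g. `/* --ca given: it supersedes any CA carried in the PKCS#12 file */`. The closing brace added at the top of this hunk closes a block opened outside it, and init_ssl continues past the hunk.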
@@ -920,9 +926,8 @@ init_ssl (const struct options *options)
msg (M_SSLERR, "Cannot load CA certificate file %s (SSL_load_client_CA_file)", options->ca_file);
SSL_CTX_set_client_CA_list (ctx, cert_names);
}
-
}
-
+
/* Enable the use of certificate chains */
if (using_cert_file)
{