git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@877 e7ae566f-a301-0410-adde-c780ea21d3b5
| ... | ... |
@@ -1012,6 +1012,7 @@ read_key_file (struct key2 *key2, const char *file, const unsigned int flags) |
| 1012 | 1012 |
const char *error_filename = file; |
| 1013 | 1013 |
|
| 1014 | 1014 |
/* parse info */ |
| 1015 |
+ const char *cp; |
|
| 1015 | 1016 |
int hb_index = 0; |
| 1016 | 1017 |
int line_num = 1; |
| 1017 | 1018 |
int line_index = 0; |
| ... | ... |
@@ -1062,7 +1063,7 @@ read_key_file (struct key2 *key2, const char *file, const unsigned int flags) |
| 1062 | 1062 |
close (fd); |
| 1063 | 1063 |
} |
| 1064 | 1064 |
|
| 1065 |
- const char *cp = (char *)in.data; |
|
| 1065 |
+ cp = (char *)in.data; |
|
| 1066 | 1066 |
while (size) |
| 1067 | 1067 |
{
|
| 1068 | 1068 |
const char c = *cp; |
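Review bot: `cp` is now declared among the parse-info locals without an initializer and only receives a value at the later `cp = (char *)in.data;` assignment, so any statement placed between the two that touches it would read an indeterminate pointer in the routine that parses key material. I would declare it as `const char *cp = NULL;` so that a premature use fails predictably on typical platforms instead of walking arbitrary memory. The cast could also be written `(const char *)in.data` to match the declared type rather than going through a non-const `char *`. read_key_file begins and ends outside both hunks, so whether `in.data` is always populated and `size` always matches its length before the `while (size)` loop cannot be confirmed from the lines shown.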
| ... | ... |
@@ -47,6 +47,20 @@ Release Notes for easy-rsa-2.0 |
| 47 | 47 |
* This release only affects the Linux/Unix version of easy-rsa. |
| 48 | 48 |
The Windows version (written to use the Windows shell) is unchanged. |
| 49 | 49 |
|
| 50 |
+* Use the revoke-full script to revoke a certificate, and generate |
|
| 51 |
+ (or update) the crl.pem file in the keys directory (as set by the |
|
| 52 |
+ vars script). Then use "crl-verify crl.pem" in your OpenVPN server |
|
| 53 |
+ config file, so that OpenVPN can reject any connections coming from |
|
| 54 |
+ clients which present a revoked certificate. Usage for the script is: |
|
| 55 |
+ |
|
| 56 |
+ revoke-full <common-name> |
|
| 57 |
+ |
|
| 58 |
+ Note this this procedure is primarily designed to revoke client |
|
| 59 |
+ certificates. You could theoretically use this method to revoke |
|
| 60 |
+ server certificates as well, but then you would need to propagate |
|
| 61 |
+ the crl.pem file to all clients as well, and have them include |
|
| 62 |
+ "crl-verify crl.pem" in their configuration files. |
|
| 63 |
+ |
|
| 50 | 64 |
INSTALL easy-rsa |
| 51 | 65 |
|
| 52 | 66 |
1. Edit vars. |
| ... | ... |
@@ -24,7 +24,7 @@ LZO = \src\lzo-1.08.vc |
| 24 | 24 |
|
| 25 | 25 |
INCLUDE_DIRS = -I$(OPENSSL)/include -I$(LZO)/include |
| 26 | 26 |
|
| 27 |
-LIBS = lzo.lib ws2_32.lib crypt32.lib iphlpapi.lib winmm.lib gdi32.lib advapi32.lib |
|
| 27 |
+LIBS = lzo.lib ws2_32.lib crypt32.lib iphlpapi.lib winmm.lib gdi32.lib advapi32.lib wininet.lib |
|
| 28 | 28 |
|
| 29 | 29 |
LIB_DIRS = -LIBPATH:$(OPENSSL)\out -LIBPATH:$(LZO) |
| 30 | 30 |
|
| ... | ... |
@@ -37,7 +37,9 @@ proto udp |
| 37 | 37 |
|
| 38 | 38 |
# "dev tun" will create a routed IP tunnel, |
| 39 | 39 |
# "dev tap" will create an ethernet tunnel. |
| 40 |
-# Use "dev tap" if you are ethernet bridging. |
|
| 40 |
+# Use "dev tap0" if you are ethernet bridging |
|
| 41 |
+# and have precreated a tap0 virtual interface |
|
| 42 |
+# and bridged it with your ethernet interface. |
|
| 41 | 43 |
# If you want to control access policies |
| 42 | 44 |
# over the VPN, you must create firewall |
| 43 | 45 |
# rules for the the TUN/TAP interface. |