Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
| ... | ... |
@@ -7,17 +7,22 @@ To Build and Install, |
| 7 | 7 |
make |
| 8 | 8 |
make install |
| 9 | 9 |
|
| 10 |
+This version depends on at least PolarSSL v0.99. |
|
| 11 |
+ |
|
| 10 | 12 |
************************************************************************* |
| 11 | 13 |
|
| 12 |
-The following features are missing in the PolarSSL version of OpenVPN: |
|
| 14 |
+Due to limitations in the PolarSSL library, the following features are missing |
|
| 15 |
+in the PolarSSL version of OpenVPN: |
|
| 13 | 16 |
|
| 14 |
- * ca_path support - Loading certificate authorities from a directory |
|
| 15 | 17 |
* PKCS#12 file support |
| 18 |
+ * --capath support - Loading certificate authorities from a directory |
|
| 16 | 19 |
* Windows CryptoAPI support |
| 17 | 20 |
* Management external key support |
| 18 |
- * X509 alternative username fields (must be "CN") |
|
| 21 |
+ * X.509 alternative username fields (must be "CN") |
|
| 22 |
+ |
|
| 23 |
+Plugin/Script features: |
|
| 19 | 24 |
|
| 20 |
- TODO: |
|
| 21 |
- * serial is in Hex |
|
| 22 |
- * X509 certificate export |
|
| 23 |
- * X.509 tracking |
|
| 25 |
+ * X.509 Serial number is in hex, not decimal as with OpenSSL |
|
| 26 |
+ * X.509 subject line has a different format than the OpenSSL subject line |
|
| 27 |
+ * X.509 certificate export does not work |
|
| 28 |
+ * X.509 certificate tracking |
| ... | ... |
@@ -840,6 +840,10 @@ fi |
| 840 | 840 |
|
| 841 | 841 |
dnl enable --x509-username-field feature if requested |
| 842 | 842 |
if test "$X509ALTUSERNAME" = "yes"; then |
| 843 |
+ if test "$SSL_LIB" = "polarssl" ; then |
|
| 844 |
+ AC_MSG_ERROR([PolarSSL does not support the --x509-username-field feature]) |
|
| 845 |
+ fi |
|
| 846 |
+ |
|
| 843 | 847 |
AC_DEFINE(ENABLE_X509ALTUSERNAME, 1, [Enable --x509-username-field feature]) |
| 844 | 848 |
fi |
| 845 | 849 |
|
| ... | ... |
@@ -4543,6 +4543,7 @@ to save values from full cert chain. Values will be encoded |
| 4543 | 4543 |
as X509_<depth>_<attribute>=<value>. Multiple |
| 4544 | 4544 |
.B \-\-x509-track |
| 4545 | 4545 |
options can be defined to track multiple attributes. |
| 4546 |
+Not available with PolarSSL. |
|
| 4546 | 4547 |
.\"********************************************************* |
| 4547 | 4548 |
.TP |
| 4548 | 4549 |
.B \-\-ns-cert-type client|server |
| ... | ... |
@@ -604,8 +604,10 @@ static const char usage_message[] = |
| 604 | 604 |
" of verification.\n" |
| 605 | 605 |
"--ns-cert-type t: Require that peer certificate was signed with an explicit\n" |
| 606 | 606 |
" nsCertType designation t = 'client' | 'server'.\n" |
| 607 |
+#ifdef ENABLE_X509_TRACK |
|
| 607 | 608 |
"--x509-track x : Save peer X509 attribute x in environment for use by\n" |
| 608 | 609 |
" plugins and management interface.\n" |
| 610 |
+#endif |
|
| 609 | 611 |
#if OPENSSL_VERSION_NUMBER >= 0x00907000L || USE_POLARSSL |
| 610 | 612 |
"--remote-cert-ku v ... : Require that the peer certificate was signed with\n" |
| 611 | 613 |
" explicit key usage, you can specify more than one value.\n" |
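Review bot: Hiding the `--x509-track` help text behind `#ifdef ENABLE_X509_TRACK` says nothing about whether the matching `x509-track` branch of the option parser is guarded the same way, and that code is outside this hunk. If it is not, a PolarSSL build would still accept `--x509-track` from a config file and silently never export the `X509_<depth>_<attribute>` variables, so a plugin or script that bases an authorization decision on them would run with missing values instead of failing at startup. Wrapping the parser branch in the same `#ifdef` (so the option is rejected as unrecognized), or rejecting it explicitly with something like `msg (msglevel, "--x509-track is not available with PolarSSL");`, would make that failure visible rather than silent. The `usage_message` array begins before this hunk.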
| ... | ... |
@@ -627,7 +627,7 @@ socket_defined (const socket_descriptor_t sd) |
| 627 | 627 |
/* |
| 628 | 628 |
* Enable x509-track feature? |
| 629 | 629 |
*/ |
| 630 |
-#if defined(USE_CRYPTO) && defined(USE_SSL) && defined USE_OPENSSL |
|
| 630 |
+#if defined(USE_CRYPTO) && defined(USE_SSL) && defined (USE_OPENSSL) |
|
| 631 | 631 |
#define ENABLE_X509_TRACK |
| 632 | 632 |
#endif |
| 633 | 633 |
|