author: james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> 2006-04-05 07:17:02 +0000
committer: james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> 2006-04-05 07:17:02 +0000
commit: 18597b93f7b43f63173f373fbd8548f2d08e25bb
tree: 31287d7784477dff653e5b92daee22872f58cab2 /openvpn.8
parent: be9150b693345134142d1d58fac9b251d7e7ba5d
I've recently worked on a better version of pkcs11-helper. I've also merged
it into QCA (Qt Cryptographic Architecture), so that KDE 4 will finally be able to use smartcards.

The changes allow the following features:

1. Thread safe, is activated if USE_PTHREAD.
2. Slot event - Will allow us in the future to disconnect VPN when smartcard is removed. In order to support this OpenVPN must support threading... At least SIGUSR1 from a different thread. Threading should be supported in both Windows and Linux. -- currently disabled. When I talk about threading support it is just support in configuration script and that the method that SIGUSR1 self can be called from a different thread. I already handle the monitor threads.
3. Certificate enumeration - Will allow us to finally have one configuration file for all users! When you add the plugin GUI stuff you talked about, we will be able to display a list of available certificates for the user to select. -- currently disabled.
4. Data object manipulation - Will allow us to store tls-auth on the smartcard as well. -- currently disabled.
5. Many other minor improvements.

Alon Bar-Lev

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@990 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'openvpn.8')
-rw-r--r-- openvpn.8 101
1 files changed, 54 insertions, 47 deletions
diff --git a/openvpn.8 b/openvpn.8
index e87609d..499d802 100644
--- a/openvpn.8
+++ b/openvpn.8
@@ -205,15 +205,15 @@ openvpn \- secure IP tunnel daemon.
[\ \fB\-\-ping\-restart\fR\ \fIn\fR\ ]
[\ \fB\-\-ping\-timer\-rem\fR\ ]
[\ \fB\-\-ping\fR\ \fIn\fR\ ]
+[\ \fB\-\-pkcs11\-cert\-private\fR\ \fI[0|1]...\fR\ ]
+[\ \fB\-\-pkcs11\-id\fR\ \fIname\fR\ ]
+[\ \fB\-\-pkcs11\-id\-type\fR\ \fItype\fR\ ]
+[\ \fB\-\-pkcs11\-pin\-cache\fR\ \fIseconds\fR\ ]
+[\ \fB\-\-pkcs11\-protected\-authentication\fR\ \fI[0|1]...\fR\ ]
[\ \fB\-\-pkcs11\-providers\fR\ \fIprovider...\fR\ ]
[\ \fB\-\-pkcs11\-sign\-mode\fR\ \fImode...\fR\ ]
-[\ \fB\-\-pkcs11\-slot\-type\fR\ \fItype\fR\ ]
[\ \fB\-\-pkcs11\-slot\fR\ \fIname\fR\ ]
-[\ \fB\-\-pkcs11\-id\-type\fR\ \fItype\fR\ ]
-[\ \fB\-\-pkcs11\-id\fR\ \fIname\fR\ ]
-[\ \fB\-\-pkcs11\-pin\-cache\fR\ \fIseconds\fR\ ]
-[\ \fB\-\-pkcs11\-protected\-authentication\fR\ ]
-[\ \fB\-\-pkcs11\-cert\-private\fR\ ]
+[\ \fB\-\-pkcs11\-slot\-type\fR\ \fItype\fR\ ]
[\ \fB\-\-pkcs12\fR\ \fIfile\fR\ ]
[\ \fB\-\-plugin\fR\ \fImodule\-pathname\ init\-string\fR\ ]
[\ \fB\-\-port\fR\ \fIport\fR\ ]
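Review bot: the re-sorted synopsis lists --pkcs11-id before --pkcs11-id-type and --pkcs11-slot before --pkcs11-slot-type, while the unchanged lines around it put the longer option first (--ping-restart and --ping-timer-rem before --ping). Pick one ordering and apply it to the whole block. Separately, --pkcs11-protected-authentication and --pkcs11-cert-private change here from bare flags to options taking [0|1]...; if the bare form is no longer accepted, existing configuration files break, and that deserves a line in the change notes.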
@@ -257,8 +257,8 @@ openvpn \- secure IP tunnel daemon.
[\ \fB\-\-show\-ciphers\fR\ ]
[\ \fB\-\-show\-digests\fR\ ]
[\ \fB\-\-show\-engines\fR\ ]
-[\ \fB\-\-show\-pkcs11\-slots\fR\ \fIprovider\fR\ ]
[\ \fB\-\-show\-pkcs11\-objects\fR\ \fIprovider\ slot\fR\ ]
+[\ \fB\-\-show\-pkcs11\-slots\fR\ \fIprovider\fR\ ]
[\ \fB\-\-show\-net\-up\fR\ ]
[\ \fB\-\-show\-net\fR\ ]
[\ \fB\-\-show\-tls\fR\ ]
@@ -3620,6 +3620,39 @@ and
.B --key.
.\"*********************************************************
.TP
+.B --pkcs11-cert-private [0|1]...
+Set if access to certificate object should be performed after login.
+Every provider has its own setting.
+.\"*********************************************************
+.TP
+.B --pkcs11-id name
+Specify a name of the object to search for.
+.\"*********************************************************
+.TP
+.B --pkcs11-id-type type
+Specify how to locate the correct objects. Type can be one of the following:
+
+.B 'id'
+-- Locate by the id attribte, name should be hex encoded string.
+.br
+.B 'label'
+-- Locate by the label attribute, name should be string.
+.br
+.B 'subject'
+-- Locate by certificate subject attribute, name should be string.
+.br
+.\"*********************************************************
+.TP
+.B --pkcs11-pin-cache seconds
+Specify how many seconds the PIN can be cached, the default is until the token is removed.
+.\"*********************************************************
+.TP
+.B --pkcs11-protected-authentication [0|1]...
+Use PKCS#11 protected authentication path, useful for biometric and external
+keypad devices.
+Every provider has its own setting.
+.\"*********************************************************
+.TP
.B --pkcs11-providers provider...
Specify a RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) providers
to load.
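Review bot: in the --pkcs11-cert-private and --pkcs11-protected-authentication entries, "[0|1]..." together with "Every provider has its own setting." does not say how the values pair up with the providers, or what applies to a provider that gets no value. State the pairing rule (presumably the order given to --pkcs11-providers) and the default explicitly, since a misaligned list silently changes the login behaviour for a token. The --pkcs11-cert-private text should also say which of 0 and 1 means "access after login". For --pkcs11-pin-cache, the default is caching until the token is removed, so it is worth documenting which value disables caching. Minor: "attribte" in the 'id' entry should be "attribute".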
@@ -3636,21 +3669,30 @@ for each provider. Mode can be one of the following:
.B 'auto'
(default) -- Try to determind automatically.
.br
+.B 'sign'
+-- Use Sign.
+.br
.B 'recover'
-- Use SignRecover.
.br
-.B 'sign'
--- Use Sign.
+.B 'any'
+-- Use Sign and if not supported use SignRecover.
.br
.\"*********************************************************
.TP
+.B --pkcs11-slot name
+Specify a name of the slot to search for.
+.\"*********************************************************
+.TP
.B --pkcs11-slot-type type
Specify how to locate the correct slot. Type can be one of the following:
.B 'id'
--- Locate the slot by a numeric id. The format is [provider:]id, for example, slot 2 of provider 1
-is encoded as 1:2. If you have only one provider you can omit the provider number.
-The provider number is set by the order specified in the --pkcs11-providers option.
+-- Locate the slot by a numeric id. The format is [provider:]id, for example, slot 2 of provider a.so
+should be encoded as a.so:2. If you have only one provider you can omit the provider name.
+The provider name is set by the name specified in the
+.B --pkcs11-providers
+option.
.br
.B 'name'
-- Locate the slot by its name.
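Review bot: in the --pkcs11-slot-type 'id' entry, the slot format moves from a provider number (1:2) to a provider name (a.so:2), but the text does not say whether the name must match the string passed to --pkcs11-providers exactly (full path or base name), and a provider path that itself contains ':' would be ambiguous against the [provider:]id separator. Spell out the matching rule and how such paths are handled, and note that configurations using the numeric form have to be updated. In the sign-mode list above, 'auto' ("Try to determind automatically", where "determind" should be "determine") and the new 'any' ("Use Sign and if not supported use SignRecover") read almost alike; one sentence on how they differ would help users choose.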
@@ -3660,41 +3702,6 @@ The provider number is set by the order specified in the --pkcs11-providers opti
.br
.\"*********************************************************
.TP
-.B --pkcs11-slot name
-Specify a name of the slot to search for.
-.\"*********************************************************
-.TP
-.B --pkcs11-id-type type
-Specify how to locate the correct objects. Type can be one of the following:
-
-.B 'id'
--- Locate by the id attribte, name should be hex encoded string.
-.br
-.B 'label'
--- Locate by the label attribute, name should be string.
-.br
-.B 'subject'
--- Locate by certificate subject attribute, name should be string.
-.br
-.\"*********************************************************
-.TP
-.B --pkcs11-id name
-Specify a name of the object to search for.
-.\"*********************************************************
-.TP
-.B --pkcs11-pin-cache seconds
-Specify how many seconds the PIN can be cached, the default is until the token is removed.
-.\"*********************************************************
-.TP
-.B --pkcs11-protected-authentication
-Use PKCS#11 protected authentication path, useful for biometric and external
-keypad devices.
-.\"*********************************************************
-.TP
-.B --pkcs11-cert-private
-Set if access to certificate object should be performed after login.
-.\"*********************************************************
-.TP
.B --cryptoapicert select-string
Load the certificate and private key from the
Windows Certificate System Store (Windows Only).