diff options
author | Adriaan de Jong <dejong@fox-it.com> | 2011-06-29 16:30:38 +0200 |
---|---|---|
committer | David Sommerseth <davids@redhat.com> | 2011-10-19 22:31:46 +0200 |
commit | b5563f1154a4a4e1d4742b7194e4974a3b53b78f (patch) | |
tree | 1a42b4a1ee18a38c67db8cf6f0c9682322a309e4 /ssl_verify_openssl.h | |
parent | ac3e8d62ba14d4ee376fd3c9f20bccc3e53e7371 (diff) | |
download | openvpn-b5563f1154a4a4e1d4742b7194e4974a3b53b78f.tar.gz openvpn-b5563f1154a4a4e1d4742b7194e4974a3b53b78f.tar.xz openvpn-b5563f1154a4a4e1d4742b7194e4974a3b53b78f.zip |
Refactored root TLS option settings
- Started merge of new feature (x509_altnames), will continue in a
future patch
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>
Diffstat (limited to 'ssl_verify_openssl.h')
-rw-r--r-- | ssl_verify_openssl.h | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/ssl_verify_openssl.h b/ssl_verify_openssl.h index e48f109..099788a 100644 --- a/ssl_verify_openssl.h +++ b/ssl_verify_openssl.h @@ -32,4 +32,39 @@ #define SSL_VERIFY_OPENSSL_H_ #include <openssl/x509.h> +/** @name Function for authenticating a new connection from a remote OpenVPN peer + * @{ */ + +/** + * Verify that the remote OpenVPN peer's certificate allows setting up a + * VPN tunnel. + * @ingroup control_tls + * + * This callback function is called every time a new TLS session is being + * setup to determine whether the remote OpenVPN peer's certificate is + * allowed to connect. It is called for once for every certificate in the chain. + * The callback functionality is configured in the \c init_ssl() function, which + * calls the OpenSSL library's \c SSL_CTX_set_verify() function with \c + * verify_callback() as its callback argument. + * + * It checks preverify_ok, and registers the certificate hash. If these steps + * succeed, it calls the \c verify_cert() function, which performs + * OpenVPN-specific verification. + * + * @param preverify_ok - Whether the remote OpenVPN peer's certificate + * past verification. A value of 1 means it + * verified successfully, 0 means it failed. + * @param ctx - The complete context used by the OpenSSL library + * to verify the certificate chain. + * + * @return The return value indicates whether the supplied certificate is + * allowed to set up a VPN tunnel. The following values can be + * returned: + * - \c 0: failure, this certificate is not allowed to connect. + * - \c 1: success, this certificate is allowed to connect. + */ +int verify_callback (int preverify_ok, X509_STORE_CTX * ctx); + +/** @} name Function for authenticating a new connection from a remote OpenVPN peer */ + #endif /* SSL_VERIFY_OPENSSL_H_ */ |