| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In most of situations admin of OpenVPN server needs to know which
particular certificate is used by client.
In the case when certificate is OK, environment variable can be used for
that but once it is revoked, no user scripts are invoked so there is
no way to get serial number: only subject is printed in logs.
So we log certificate serial in case it is revoked.
Sponsored-by: Yandex LLC
Signed-off-by: Boris Lytochkin <lytboris@yandex-team.ru>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <55FEBF7E.3010209@yandex-team.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10154
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 767e4c56becbfeea525e4695a810593f373883cd)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As requested in trac ticket #83, the daemon should not exit if opening the
CRL file during a connection attempt fails; OpenVPN should merely deny the
connection.
CRL files need to be periodically updated. When users update their CRL in
place and a connection attempt takes place simultaneously, the CRL file
might temporarily not be available, or not be in a consistent state.
Previously, that would result in the daemon exiting. With this patch, that
results in one (or possibly a few) failed connection attempts, but service
will restore automatically as soon as the CRL is again available in a valid
state.
Note that on startup OpenVPN still checks the existence and accessibility
of the CRL file, and will refuse to start on error.
While I was touching the code, I improved error reporting for the PolarSSL
code a bit. The polar code opens and parses the CRL in a single call, so
on error retrieve details from polarssl and report those to the user.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53BED57C.7070300@fox-it.com>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The return value of x509_get_numeric_string() was interpreted incorrectly
by ssl_verify_polarssl.c's x509_verify_cert_eku(). This patch enables the
usage of oid represenation in --remote-cert-eku options.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <1398415277-6880-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8627
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e238b806f5f3843b80d5b1b2b269679210faa7f6)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This changes the representation of the tls_serial_{n} environment variable
from hex to decimal for PolarSSL builds, to match OpenSSL build behaviour.
Because hex representation for serials makes sense too, and to ease
transition for PolarSSL users, added tls_serial_hex_{n} that exports the
serial in hex represenation for both crypto library backends.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <535EB49E.5090809@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8664
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Print the *flags argument, which - for PolarSSL-1.2 - contains the reasons
that the certificate failed (pre-)verification.
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com>
Acked-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1363942465-3251-4-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7437
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d572959d35e8920efb8d95d253ededee5d8a34bd)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for PolarSSL-1.2, which has changed the API in several places.
This is a minimal port, new features have not been enabled. Only PolarSSL
1.2.5 and newer are accepted, as earlier versions contain unresolved
(security) issues.
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com>
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Adriaan de Jong <dejong@fox-it.com>
Message-Id: <1363942465-3251-2-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7436
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4a56d19fc3aa59d0eebd99f102ecaaa3665c5088)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cleanup of "Use the garbage collector when retrieving x509 fields"
patch series.
Discussed at [1].
There should be an effort to produce common function prologue
and epilogue, so that cleanups will be done at single point.
[1] http://comments.gmane.org/gmane.network.openvpn.devel/5401
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: Adriaan de Jong <dejong@fox-it.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
|
|
|
|
|
| |
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
|
|
|
|
|
| |
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This also cleans up a messy call in pkcs11.c to _openssl_get_subject, as discussed at FOSDEM.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
|
|
|
|
|
|
|
| |
The serial length was one digit too short, resulting in missing digits
at the end of the certificate's stringified serial number.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Yet another step in reducing the syshead.h content.
Conditional compilation of sources needs to be based on
a minimum program prefix (config.h only).
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
|
|
|
|
| |
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: Adriaan de Jong <dejong@fox-it.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
Suitable for mature project.
root - administrative stuff
doc - documents
src - sources
tests - tests
distro - distro specific files
sample - samples
SIDE EFFECT: many changes to rpm spec.
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: Adriaan de Jong <dejong@fox-it.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
|