path: root/src/openvpn/ssl_verify_polarssl.c
Commit message | Author | Age | Files | Lines
* Log serial number of revoked certificate
  Author: Boris Lytochkin   Age: 2015-09-20   Files: 1   Lines: -1/+5

  In most situations the admin of an OpenVPN server needs to know which particular certificate is used by a client. In the case when the certificate is OK, an environment variable can be used for that, but once it is revoked, no user scripts are invoked, so there is no way to get the serial number: only the subject is printed in the logs. So we log the certificate serial in case it is revoked.

  Sponsored-by: Yandex LLC
  Signed-off-by: Boris Lytochkin <lytboris@yandex-team.ru>
  Acked-by: Steffan Karger <steffan.karger@fox-it.com>
  Message-Id: <55FEBF7E.3010209@yandex-team.ru>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/10154
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  (cherry picked from commit 767e4c56becbfeea525e4695a810593f373883cd)
* Don't exit daemon if opening or parsing the CRL fails.
  Author: Steffan Karger   Age: 2014-07-10   Files: 1   Lines: -2/+5

  As requested in trac ticket #83, the daemon should not exit if opening the CRL file during a connection attempt fails; OpenVPN should merely deny the connection.

  CRL files need to be periodically updated. When users update their CRL in place and a connection attempt takes place simultaneously, the CRL file might temporarily not be available, or not be in a consistent state. Previously, that would result in the daemon exiting. With this patch, that results in one (or possibly a few) failed connection attempts, but service will restore automatically as soon as the CRL is again available in a valid state.

  Note that on startup OpenVPN still checks the existence and accessibility of the CRL file, and will refuse to start on error.

  While I was touching the code, I improved error reporting for the PolarSSL code a bit. The polar code opens and parses the CRL in a single call, so on error retrieve details from polarssl and report those to the user.

  Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <53BED57C.7070300@fox-it.com>
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix bug that incorrectly refuses oid representation eku's in polar builds
  Author: Steffan Karger   Age: 2014-06-24   Files: 1   Lines: -1/+1

  The return value of x509_get_numeric_string() was interpreted incorrectly by ssl_verify_polarssl.c's x509_verify_cert_eku(). This patch enables the usage of oid representation in --remote-cert-eku options.

  Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
  Acked-by: David Sommerseth <dazo@users.sourceforge.net>
  Message-Id: <1398415277-6880-1-git-send-email-steffan.karger@fox-it.com>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/8627
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  (cherry picked from commit e238b806f5f3843b80d5b1b2b269679210faa7f6)
* Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.
  Author: Steffan Karger   Age: 2014-04-30   Files: 1   Lines: -1/+41

  This changes the representation of the tls_serial_{n} environment variable from hex to decimal for PolarSSL builds, to match OpenSSL build behaviour. Because hex representation for serials makes sense too, and to ease transition for PolarSSL users, added tls_serial_hex_{n} that exports the serial in hex representation for both crypto library backends.

  Signed-off-by: Steffan Karger <steffan@karger.me>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <535EB49E.5090809@karger.me>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/8664
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Improve verify_callback messages
  Author: Steffan Karger   Age: 2013-03-22   Files: 1   Lines: -3/+3

  Print the *flags argument, which - for PolarSSL-1.2 - contains the reasons that the certificate failed (pre-)verification.

  Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com>
  Acked-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Message-Id: <1363942465-3251-4-git-send-email-steffan.karger@fox-it.com>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/7437
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  (cherry picked from commit d572959d35e8920efb8d95d253ededee5d8a34bd)
* PolarSSL-1.2 support
  Author: Steffan Karger   Age: 2013-03-22   Files: 1   Lines: -12/+9

  Add support for PolarSSL-1.2, which has changed the API in several places. This is a minimal port, new features have not been enabled.

  Only PolarSSL 1.2.5 and newer are accepted, as earlier versions contain unresolved (security) issues.

  Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com>
  Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
  Acked-by: Adriaan de Jong <dejong@fox-it.com>
  Message-Id: <1363942465-3251-2-git-send-email-steffan.karger@fox-it.com>
  URL: http://article.gmane.org/gmane.network.openvpn.devel/7436
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  (cherry picked from commit 4a56d19fc3aa59d0eebd99f102ecaaa3665c5088)
* cleanup: gc usage
  Author: Alon Bar-Lev   Age: 2012-04-02   Files: 1   Lines: -7/+11

  Cleanup of "Use the garbage collector when retrieving x509 fields" patch series. Discussed at [1].

  There should be an effort to produce common function prologue and epilogue, so that cleanups will be done at a single point.

  [1] http://comments.gmane.org/gmane.network.openvpn.devel/5401

  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
  Acked-by: Adriaan de Jong <dejong@fox-it.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Migrated x509_get_sha1_hash to use the garbage collector
  Author: Adriaan de Jong   Age: 2012-03-30   Files: 1   Lines: -14/+3

  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: James Yonan <james@openvpn.net>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Migrated x509_get_serial to use the garbage collector
  Author: Adriaan de Jong   Age: 2012-03-30   Files: 1   Lines: -14/+3

  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: James Yonan <james@openvpn.net>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Migrated x509_get_subject to use of the garbage collector
  Author: Adriaan de Jong   Age: 2012-03-30   Files: 1   Lines: -15/+11

  This also cleans up a messy call in pkcs11.c to _openssl_get_subject, as discussed at FOSDEM.

  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: James Yonan <james@openvpn.net>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Fixed off-by-one in serial length calculation
  Author: Adriaan de Jong   Age: 2012-03-29   Files: 1   Lines: -1/+1

  The serial length was one digit too short, resulting in missing digits at the end of the certificate's stringified serial number.

  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* build: move out config.h include from syshead
  Author: Alon Bar-Lev   Age: 2012-03-22   Files: 1   Lines: -0/+6

  Yet another step in reducing the syshead.h content.

  Conditional compilation of sources needs to be based on a minimum program prefix (config.h only).

  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* build: proper crypto detection and usage
  Author: Alon Bar-Lev   Age: 2012-03-22   Files: 1   Lines: -3/+3

  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
  Acked-by: Adriaan de Jong <dejong@fox-it.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* build: standard directory layout
  Author: Alon Bar-Lev   Age: 2012-03-22   Files: 1   Lines: -0/+425

  Suitable for mature project.

  root   - administrative stuff
  doc    - documents
  src    - sources
  tests  - tests
  distro - distro specific files
  sample - samples

  SIDE EFFECT: many changes to rpm spec.

  Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
  Acked-by: Adriaan de Jong <dejong@fox-it.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>