mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-11-23 17:53:49 +08:00
17d1ab90c2
OpenSSL 1.1 does not allow us to directly access the internal of any data type, including X509. We have to use the defined functions to do so. In x509_verify_ns_cert_type() in particular, this means that we cannot directly check for the extended flags to find whether the certificate should be used as a client or as a server certificate. We need to leverage the X509_check_purpose() API yet this API is far stricter than the currently implemented check. So far, I have not been able to find a situation where this stricter test fails (although I must admit that I haven't tested that very well). We double-check the certificate purpose using "direct access" to the internal of the certificate object (of course, this is not a real direct access, but we still fetch ASN1 strings within the X509 object and we check the internal value of these strings). This allow us to warn the user if there is a discrepancy between the X509_check_purpose() return value and our internal, less strict check. We use these changes to make peer_cert a non-const parameter to x509_verify_ns_cert_type(). The underlying library waits for a non-const pointer, and forcing it to be a const pointer does not make much sense (please note that this has an effect on the mbedtls part too). Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the library. Signed-off-by: Emmanuel Deloget <logout@free.fr> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <20170612134330.20971-2-logout@free.fr> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14792.html Signed-off-by: Gert Doering <gert@greenie.muc.de> |
||
|---|---|---|
| .github | ||
| .travis | ||
| build | ||
| contrib | ||
| debug | ||
| dev-tools | ||
| distro | ||
| doc | ||
| include | ||
| m4 | ||
| sample | ||
| src | ||
| tests | ||
| vendor | ||
| .gitattributes | ||
| .gitignore | ||
| .gitmodules | ||
| .mailmap | ||
| .svncommitters | ||
| .travis.yml | ||
| AUTHORS | ||
| ChangeLog | ||
| Changes.rst | ||
| compat.m4 | ||
| config-msvc-version.h.in | ||
| config-msvc.h | ||
| configure.ac | ||
| CONTRIBUTING.rst | ||
| COPYING | ||
| COPYRIGHT.GPL | ||
| INSTALL | ||
| Makefile.am | ||
| msvc-build.bat | ||
| msvc-dev.bat | ||
| msvc-env.bat | ||
| NEWS | ||
| openvpn.sln | ||
| PORTS | ||
| README | ||
| README.ec | ||
| README.IPv6 | ||
| README.polarssl | ||
| TODO.IPv6 | ||
| version.m4 | ||
| version.sh.in | ||
OpenVPN -- A Secure tunneling daemon Copyright (C) 2002-2010 OpenVPN Technologies, Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. ************************************************************************* To get the latest release of OpenVPN, go to: https://openvpn.net/index.php/download/community-downloads.html To Build and Install, tar -zxf openvpn-<version>.tar.gz cd openvpn-<version> ./configure make make install or see the file INSTALL for more info. ************************************************************************* For detailed information on OpenVPN, including examples, see the man page http://openvpn.net/man.html For a sample VPN configuration, see http://openvpn.net/howto.html To report an issue, see https://community.openvpn.net/openvpn/report For a description of OpenVPN's underlying protocol, see the file ssl.h included in the source distribution. ************************************************************************* Other Files & Directories: * configure.ac -- script to rebuild our configure script and makefile. * sample/sample-scripts/verify-cn A sample perl script which can be used with OpenVPN's --tls-verify option to provide a customized authentication test on embedded X509 certificate fields. * sample/sample-keys/ Sample RSA keys and certificates. DON'T USE THESE FILES FOR ANYTHING OTHER THAN TESTING BECAUSE THEY ARE TOTALLY INSECURE. * sample/sample-config-files/ A collection of OpenVPN config files and scripts from the HOWTO at http://openvpn.net/howto.html ************************************************************************* Note that easy-rsa and tap-windows are now maintained in their own subprojects. Their source code is available here: https://github.com/OpenVPN/easy-rsa https://github.com/OpenVPN/tap-windows The old cross-compilation environment (domake-win) and the Python-based buildsystem have been replaced with openvpn-build: https://github.com/OpenVPN/openvpn-build See the INSTALL file for usage information.