Hi, At the moment, OpenVPN unnecessarily refuses to accept both a PKCS#12 certificate bundle (--pkcs12) and additional CAs provided in PEM files (--ca). This is a patch for OpenVPN that makes it possible to use both PKCS#12 and additional CAs for peer certificate verification.
PS: Please CC me on any answers. Best regards, Philipp Gühring
--- options.c.orig 2006-01-10 16:46:50.000000000 +0100
+++ options.c 2006-01-10 16:47:11.000000000 +0100
@@ -1582,8 +1582,8 @@
 #endif
 if (options->pkcs12_file)
 {
- if (options->ca_file)
- msg(M_USAGE, "Parameter --ca cannot be used when --pkcs12 is also specified.");
+// if (options->ca_file)
+// msg(M_USAGE, "Parameter --ca cannot be used when --pkcs12 is also specified.");
 if (options->cert_file)
 msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
 if (options->priv_key_file)
--- ssl.c.orig 2005-11-01 12:06:10.000000000 +0100
+++ ssl.c 2006-01-10 16:48:45.000000000 +0100
@@ -842,6 +842,24 @@
 msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
 }
 }
+
+ /* Load CA file for verifying peer supplied certificate */
+ if(options->ca_file)
+ {
+ if (!SSL_CTX_load_verify_locations (ctx, options->ca_file, NULL))
+ msg (M_SSLERR, "Cannot load CA certificate file %s (SSL_CTX_load_verify_locations)", options->ca_file);
+
+ /* Load names of CAs from file and use it as a client CA list */
+ {
+ STACK_OF(X509_NAME) *cert_names;
+ cert_names = SSL_load_client_CA_file (options->ca_file);
+ if (!cert_names)
+ msg (M_SSLERR, "Cannot load CA certificate file %s (SSL_load_client_CA_file)", options->ca_file);
+ SSL_CTX_set_client_CA_list (ctx, cert_names);
+ }
+ }
+
+ }
 else
 {
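Review bot: The two `--ca` lines inside the `if (options->pkcs12_file)` block are commented out with `//` rather than deleted, which leaves dead code (and a C99-style comment in a file whose visible comments use `/* */`); since the restriction is being dropped on purpose, remove the two lines outright. A short comment in their place should record the new rule so nobody re-adds the check, e.g. `/* --ca is allowed with --pkcs12: CAs from the PEM file are loaded in addition to the CAs carried in the bundle (see ssl.c) */`. The `--pkcs12` usage text and man page presumably still say the two options are exclusive and should be updated in the same change. The enclosing function starts before and ends after this hunk.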