On 9/27/07, Faidon Liambotis <parav...@debian.org> wrote:
> Alon, ping?

Oh... missed your post. Please don't keep changing the subject line. And reply all to every correspondence.

> I'd really like to have this patch merged this time.
> If you don't, just say so, so it can get merged.

Only James can merge patches... I only review this as I can help you improve it.

> If you have any more comments or objections, just say so so I can fix them.

Some more notes:

1. For CertGetCertificateChain() you should use the following flags:
   CERT_CHAIN_REVOCATION_CHECK_CHAIN
   So that the CA may suicide.

2. CertVerifyCertificateChainPolicy() PolicyPara extra should be set:
   fdwChecks should be SECURITY_FLAG_IGNORE_CERT_CN_INVALID as we check the subject name within OpenVPN.
   dwAuthType should be AUTHTYPE_CLIENT or AUTHTYPE_SERVER depending on the configuration. I think that peer-to-peer should be AUTHTYPE_SERVER.

3. I am not sure you require:
   ChainPara.RequestedUsage = <something>
   Have you tried to leave it zero?

4. I guess cleaner code would load crypt32.dll once in the module, moving the LoadLibrary and GetProcAddress to a single function, calling it from initialization code. Also if you already mess with this module, I guess cleanup code should be added to free the library during termination... :)

Best Regards,
Alon Bar-Lev.
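The four review notes above describe one CryptoAPI verification flow. The following is an added illustration written for this page; it is not the patch under review nor OpenVPN's code. It assumes the hypothetical names crypt32_init(), crypt32_cleanup(), win_auth_type() and win_verify_peer_cert(); the Win32 part only compiles on Windows, while the portable helper that picks dwAuthType builds anywhere.

```c
/* Added example (not OpenVPN's patch): CryptoAPI chain verification
 * along the lines of the review notes. Helper names are assumptions. */
#include <stddef.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#endif

/* Documented values; redefined here only so the portable helper builds
 * on non-Windows hosts (wincrypt.h / wininet.h supply them on Windows). */
#ifndef AUTHTYPE_CLIENT
#define AUTHTYPE_CLIENT 1
#endif
#ifndef AUTHTYPE_SERVER
#define AUTHTYPE_SERVER 2
#endif
#ifndef SECURITY_FLAG_IGNORE_CERT_CN_INVALID
#define SECURITY_FLAG_IGNORE_CERT_CN_INVALID 0x00001000
#endif

/* Note 2: the peer is validated as a TLS client only when we are the TLS
 * server; otherwise (including peer-to-peer, per the review) as a server. */
unsigned long win_auth_type(int we_are_tls_server, int peer_to_peer)
{
    if (peer_to_peer)
        return AUTHTYPE_SERVER;
    return we_are_tls_server ? AUTHTYPE_CLIENT : AUTHTYPE_SERVER;
}

#ifdef _WIN32
/* Note 4: resolve crypt32.dll once at module init, free it at termination. */
typedef BOOL (WINAPI *GetChain_t)(HCERTCHAINENGINE, PCCERT_CONTEXT, LPFILETIME,
    HCERTSTORE, PCERT_CHAIN_PARA, DWORD, LPVOID, PCCERT_CHAIN_CONTEXT *);
typedef BOOL (WINAPI *VerifyPolicy_t)(LPCSTR, PCCERT_CHAIN_CONTEXT,
    PCERT_CHAIN_POLICY_PARA, PCERT_CHAIN_POLICY_STATUS);
typedef VOID (WINAPI *FreeChain_t)(PCCERT_CHAIN_CONTEXT);

static HMODULE crypt32_dll;
static GetChain_t p_GetChain;
static VerifyPolicy_t p_VerifyPolicy;
static FreeChain_t p_FreeChain;

void crypt32_cleanup(void)
{
    if (crypt32_dll)
        FreeLibrary(crypt32_dll);
    crypt32_dll = NULL;
    p_GetChain = NULL; p_VerifyPolicy = NULL; p_FreeChain = NULL;
}

int crypt32_init(void)
{
    crypt32_dll = LoadLibraryA("crypt32.dll");
    if (!crypt32_dll)
        return 0;
    p_GetChain = (GetChain_t)GetProcAddress(crypt32_dll, "CertGetCertificateChain");
    p_VerifyPolicy = (VerifyPolicy_t)GetProcAddress(crypt32_dll, "CertVerifyCertificateChainPolicy");
    p_FreeChain = (FreeChain_t)GetProcAddress(crypt32_dll, "CertFreeCertificateChain");
    if (!p_GetChain || !p_VerifyPolicy || !p_FreeChain) {
        crypt32_cleanup();
        return 0;
    }
    return 1;
}

/* Returns 1 if the chain builds and passes the SSL policy; *err receives
 * the failing status (policy dwError or GetLastError()). */
int win_verify_peer_cert(PCCERT_CONTEXT cert, unsigned long auth_type, DWORD *err)
{
    CERT_CHAIN_PARA chain_para;
    PCCERT_CHAIN_CONTEXT chain = NULL;
    SSL_EXTRA_CERT_CHAIN_POLICY_PARA ssl_para;
    CERT_CHAIN_POLICY_PARA policy_para;
    CERT_CHAIN_POLICY_STATUS status;
    BOOL ok;

    *err = 0;
    /* Note 3: RequestedUsage left zeroed, i.e. no EKU restriction while building. */
    memset(&chain_para, 0, sizeof chain_para);
    chain_para.cbSize = sizeof chain_para;

    /* Note 1: revocation is checked for every certificate in the chain. */
    if (!p_GetChain(NULL, cert, NULL, NULL, &chain_para,
                    CERT_CHAIN_REVOCATION_CHECK_CHAIN, NULL, &chain)) {
        *err = GetLastError();
        return 0;
    }

    /* Note 2: OpenVPN checks the subject name itself, so CN mismatch is ignored here. */
    memset(&ssl_para, 0, sizeof ssl_para);
    ssl_para.cbSize = sizeof ssl_para;
    ssl_para.dwAuthType = (DWORD)auth_type;
    ssl_para.fdwChecks = SECURITY_FLAG_IGNORE_CERT_CN_INVALID;
    ssl_para.pwszServerName = NULL;

    memset(&policy_para, 0, sizeof policy_para);
    policy_para.cbSize = sizeof policy_para;
    policy_para.pvExtraPolicyPara = &ssl_para;

    memset(&status, 0, sizeof status);
    status.cbSize = sizeof status;

    ok = p_VerifyPolicy(CERT_CHAIN_POLICY_SSL, chain, &policy_para, &status);
    p_FreeChain(chain);
    if (!ok) {
        *err = GetLastError();
        return 0;
    }
    *err = status.dwError;   /* CERT_E_* / CRYPT_E_* code when non-zero */
    return status.dwError == 0;
}
#endif
```

Call crypt32_init() once from module initialization and crypt32_cleanup() from termination; per connection, call win_verify_peer_cert(peer_cert, win_auth_type(tls_server, p2p), &err) and treat a non-zero err as a verification failure to log.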