On 07/05/2011 03:15 PM, David Sommerseth wrote:
> Can you please use git bisect to locate the offending commit?
I figured out this never really worked with openvpn git at all.
During discussion of the patch, the check for the error_depth disappeared.
So, if the root certificate lacked the extension, it would fail.
Therefore, attached is a patch which accepts this kind of error if the
error_depth is != 0 - the lowest level of the cert is not reached yet.
This duplicates the behavior which is used for the fields.
I was wondering why the script tries to extract values from certificates
for any level but 0 anyway?
Kind regards
Markus
diff --git a/ssl.c b/ssl.c
index a0493ff..48c6be1 100644
--- a/ssl.c
+++ b/ssl.c
@@ -977,12 +977,15 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
{
if (!extract_x509_extension (ctx->current_cert, x509_username_field+4, common_name, sizeof(common_name)))
{
- msg (D_TLS_ERRORS, "VERIFY ERROR: could not extract %s extension from X509 subject string ('%s') "
+ if (!ctx->error_depth)
+ {
+ msg (D_TLS_ERRORS, "VERIFY ERROR: could not extract %s extension from X509 subject string ('%s') "
"-- note that the username length is limited to %d characters",
x509_username_field+4,
subject,
TLS_USERNAME_LEN);
- goto err;
+ goto err;
+ }
}
} else
#endif
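Review bot: With the new `if (!ctx->error_depth)` guard, a failed `extract_x509_extension` on an intermediate or root certificate now falls through silently, leaving `common_name` unset for that depth; please confirm that the code following this block (outside the hunk) does not go on to use `common_name` when `error_depth != 0`, and add a short comment stating that the extension is only required on the end-entity certificate at depth 0 (the mail says this mirrors the handling of the other fields, so the comment could point at that code). Minor: the continuation lines of the `msg()` call (`"-- note that the username length ..."` through `TLS_USERNAME_LEN);`) are now one level deeper inside the new `if` block but were left at the old indentation.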
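To make the behaviour change concrete, here is an added, stand-alone model of the depth-aware check; it is not OpenVPN code and does not use OpenSSL. It walks a certificate chain the way OpenSSL drives `verify_callback` (root first, `error_depth` decreasing to 0 for the leaf) and compares the old policy, which fails the handshake whenever any certificate lacks the extension, with the patched policy, which only requires it at depth 0. The extension name, the chain contents and the `TLS_USERNAME_LEN` value below are constructed for the example.

```python
"""Model of the depth-aware X509 extension check from the patch (example, not OpenVPN code)."""
from dataclasses import dataclass, field

# Assumed value for the example; the real constant is defined in OpenVPN's headers.
TLS_USERNAME_LEN = 64

# Constructed extension name standing in for the configured x509-username-field.
EXT = "ext:sampleUserExt"


@dataclass
class Cert:
    subject: str
    extensions: dict = field(default_factory=dict)


def extract_x509_extension(cert, ext_name, max_len=TLS_USERNAME_LEN):
    """Return the extension value, or None when it is absent or longer than the
    username limit (both cases make the real extract call report failure)."""
    value = cert.extensions.get(ext_name)
    if value is None or len(value) > max_len:
        return None
    return value


def verify_chain(chain, ext_name, skip_non_leaf):
    """Simulate the per-certificate callback over `chain` (ordered leaf -> root,
    so error_depth == index). With skip_non_leaf=False (behaviour before the
    patch) a missing extension at any depth aborts verification; with
    skip_non_leaf=True (patched behaviour) only depth 0 must carry it.
    Returns (ok, username_from_leaf)."""
    username = None
    # OpenSSL calls the callback for the root first, then down to the leaf.
    for error_depth in range(len(chain) - 1, -1, -1):
        cert = chain[error_depth]
        value = extract_x509_extension(cert, ext_name)
        if value is None:
            if skip_non_leaf and error_depth != 0:
                continue  # tolerated: the CA certificates need not carry the field
            return False, None  # depth 0 (or old policy): VERIFY ERROR
        if error_depth == 0:
            username = value
    return True, username


# Constructed chains: a root CA without the extension, a leaf that has it.
ROOT = Cert("CN=Example Root CA")
LEAF = Cert("CN=alice", {EXT: "alice"})
CHAIN_ROOT_LACKS_EXT = [LEAF, ROOT]

# Leaf without the extension: must fail under both policies.
CHAIN_LEAF_LACKS_EXT = [Cert("CN=bob"), ROOT]

# Leaf whose value exceeds the username limit: extract fails, so depth 0 rejects.
CHAIN_LEAF_TOO_LONG = [Cert("CN=carol", {EXT: "c" * (TLS_USERNAME_LEN + 1)}), ROOT]


if __name__ == "__main__":
    for name, chain in [("root lacks ext", CHAIN_ROOT_LACKS_EXT),
                        ("leaf lacks ext", CHAIN_LEAF_LACKS_EXT),
                        ("leaf value too long", CHAIN_LEAF_TOO_LONG)]:
        before = verify_chain(chain, EXT, skip_non_leaf=False)
        after = verify_chain(chain, EXT, skip_non_leaf=True)
        print(f"{name:22s} before patch: {before}  after patch: {after}")
```

The first chain reproduces the report in the mail: a root certificate without the extension makes the whole verification fail before the patch, and passes afterwards because only the leaf is checked. The other two chains show that the leaf is still checked strictly, including the username length limit.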