On Sun, Aug 15, 2021 at 6:26 PM <selva.n...@gmail.com> wrote:

> From: Selva Nair <selva.n...@gmail.com>
>
> v2 changes
>  - do not allow so-path embedded in cert and key uri
>  - add --pkcs11-engine option to optionally specify the
>    engine and provider module to use
> v3: rebase to master
>
> If either --cert or --key is specified as a PKCS#11 uri, try to
> load the certificate and key from any accessible PKCS#11 device.
> This does not require linking with any pkcs11 library, but needs
> pkcs11 engine to be available on the target machine.
>
> In its simplest form, just have
>
> --cert 'pkcs11:id=%01'
>

I'm withdrawing this patch as it has no prospects going forward with
engines on their way out in OpenSSL 3.0 and beyond. Withdrawing is also
an honourable way out when no one seems to care :)

That said, in the spirit of this patch, I think we should consider
reusing "--cert" and, optionally, "--key" options when newer ways of
specifying the certificate are introduced: like "--cert <uri>" instead
of a new option "--cryptoapi-cert <foo>" etc.

Selva

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel