On Tue, Jun 19, 2012 at 2:20 AM, Thomas Habets wrote:
> Should be noted that the prompt is now "Enter Private Key Password:"
> instead of the engine-module generated "SRK authorization:".
Right. I can live with this... maybe in future the key names for all
kinds of keys will be modified...
> But
On 18 June 2012 23:40, Alon Bar-Lev wrote:
>> Shouldn't it on be the default?
> This is a very long argument... whether to allow unsecured
> setup by default...
[googled a bit for it. I see.]
Should be noted that the prompt is now "Enter Private Key Password:"
instead of the engine-m
On Tue, Jun 19, 2012 at 1:27 AM, Thomas Habets wrote:
> When I specify --enable-password-save to ./configure askpass is able
> to read the password from a file.
Right, this is the idea, and if you use the management interface you
can specify the password via that interface.
> Seems despite what
When I specify --enable-password-save to ./configure askpass is able
to read the password from a file.
Seems despite what the --help says it actually defaults to off. :-(
Shouldn't it on be the default?
I'm not an OpenSSL ninja, but this looks suspicious:
--
if (!ENGINE_init(e))
msg (
Hello Thomas,
Thank you for your comments and help.
I've updated the branch based on your work, but with changes...
The password is secret, and there is a standard mechanism in openvpn
to handle password...
So I tried to use it.
For the conditionals, I wanted to get rid of the openssl engine
cond
I can confirm that it works. I need to specify both engine and
engine-pvk in the config though. If "engine" is not specified then
ENGINE_load_builtin_engines() is never called. If you had this in mind
then I think "engine-pvk" should require "engine". (just putting
"engine" in the config file is en
Oh...
And I forgot to mention that the UI method should be solved, using the
default is not something that is usable for openvpn.
Can you please take care of this?
Alon.
On Mon, Jun 18, 2012 at 3:25 PM, Alon Bar-Lev wrote:
> Hello Thomas,
>
> I did not have the global variable in mind :)
>
> I t
Hello Thomas,
I did not have the global variable in mind :)
I thought about your initial suggestion of specific private key
engine, and it has value, so I added a new option.
I propose the following [1], the problem is that I cannot test this out.
While looking on the current engine implementat
Those questions are why I'd prefer to reuse the already loaded ENGINE
(engine_persist in crypto_openssl), but it didn't appear to be
exported from the crypto backend (crypto_backend.h), which is why my
previous patch added exporting of it (by means of the init function).
All versions of the patch
Yes, almost :)
Won't it be better to call ENGINE_init at setup_engine() or at
try_load_engine() instead of at tls_ctx_load_priv_file()? It is just
that tls_ctx_load_priv_file() can be called more than once, while the
init should be called once, right?
Are you sure all works well if engine is not stat
Hi,
Why do we need to crypto_init_lib_engine() twice? Can you please take
a look at init_crypto_pre:: init_crypto_pre()?
I also think crypto_init_lib_engine() should not return the engine...
as won't it be simpler to use ENGINE_by_id() at
ssl_openssl.c::tls_ctx_load_priv_file()?
Alon.
On Sun, Jun
Hi.
Ah yes, I first made the patch to an older version where some of these
things don't apply, and then forward-ported it.
How about this?
-
Add support for SSL engine loading the private key.
Option 'engine' is used to specify the name of the engine that
will load the private key.
For
Hello,
It is a good idea.
But first, please remove the emacs stuff.
Now, I see that the ENGINE_load_builtin_engines() is already called at
crypto_openssl.c::crypto_init_lib_engine, is there any requirement to
duplicate this?
There is already "engine" option, available only to polarssl, it can
easily
Patch attached.
Add support for SSL engine loading the private key.
Added option 'key-engine' specifying the name of the engine that
will load the private key.
For example this can be "tpm" to use the OpenSSL TPM engine module
(libengine-tpm-openssl in Debian).
It defaults to the built-in UI me