As promised in the thread "use pkcs12 certificates or not" on
openvpn-users list, here is a patch that enables the use of --ca together
with --pkcs12.
If --ca is used at the same time as --pkcs12 the CA certificate is loaded
from the file specified by --ca regardless of whether the pkcs12 file contains a CA
cert or not.
Tested on Windows with both a separate CA file and with the CA file
bundled in the pkcs12 archive.
The patch is also available here:
http://openvpn.se/files/patches/openvpn-2.0.2-pkcs12_seperate_ca.patch
--
_____________________________________________________________
Mathias Sundman (^) ASCII Ribbon Campaign
OpenVPN GUI for Windows X NO HTML/RTF in e-mail
http://openvpn.se/ / \ NO Word docs in e-mail
diff -urN openvpn-2.0.2/options.c openvpn-2.0.2-ca/options.c
--- openvpn-2.0.2/options.c Thu Aug 4 01:16:28 2005
+++ openvpn-2.0.2-ca/options.c Mon Sep 19 21:05:22 2005
@@ -401,7 +401,7 @@
" by a Certificate Authority in --ca file.\n"
"--key file : Local private key in .pem format.\n"
"--pkcs12 file : PKCS#12 file containing local private key, local
certificate\n"
- " and root CA certificate.\n"
+ " and optionally the root CA certificate.\n"
#ifdef WIN32
"--cryptoapicert select-string : Load the certificate and private key from
the\n"
" Windows Certificate System Store.\n"
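Review bot: The reworded usage line says the root CA certificate is optional in the PKCS#12 file, but it does not tell the user which source wins when --ca is given as well, which is the precedence this patch introduces. A user reading only --help could still assume the bundled CA is merged with --ca. Spelling it out in the same string avoids that, e.g. `" and optionally the root CA certificate (ignored when --ca is also given).\n"`.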
@@ -1582,8 +1582,6 @@
#endif
if (options->pkcs12_file)
{
- if (options->ca_file)
- msg(M_USAGE, "Parameter --ca cannot be used when --pkcs12 is also
specified.");
if (options->cert_file)
msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also
specified.");
if (options->priv_key_file)
diff -urN openvpn-2.0.2/ssl.c openvpn-2.0.2-ca/ssl.c
--- openvpn-2.0.2/ssl.c Thu Aug 4 12:50:08 2005
+++ openvpn-2.0.2-ca/ssl.c Mon Sep 19 21:00:26 2005
@@ -832,14 +832,17 @@
msg (M_SSLERR, "Private key does not match the certificate");
/* Set Certificate Verification chain */
- if (ca && sk_num(ca))
+ if (!options->ca_file)
{
- for (i = 0; i < sk_X509_num(ca); i++)
+ if (ca && sk_num(ca))
{
- if (!X509_STORE_add_cert(ctx->cert_store,sk_X509_value(ca, i)))
- msg (M_SSLERR, "Cannot add certificate to certificate chain
(X509_STORE_add_cert)");
- if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i)))
- msg (M_SSLERR, "Cannot add certificate to client CA list
(SSL_CTX_add_client_CA)");
+ for (i = 0; i < sk_X509_num(ca); i++)
+ {
+ if (!X509_STORE_add_cert(ctx->cert_store,sk_X509_value(ca,
i)))
+ msg (M_SSLERR, "Cannot add certificate to certificate
chain (X509_STORE_add_cert)");
+ if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i)))
+ msg (M_SSLERR, "Cannot add certificate to client CA list
(SSL_CTX_add_client_CA)");
+ }
}
}
}
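Review bot: When --ca is set, the new `if (!options->ca_file)` guard drops every certificate in the PKCS#12 `ca` stack without any log output, so a user who expected those certificates to be trusted or presented to the peer gets no indication that they were ignored. The bundled stack may also carry intermediates for the local certificate (I cannot tell from the hunk whether anything else adds them), so silently skipping it can surface later as an unexplained chain error. An else path that reports the decision would make this debuggable, e.g. `else if (ca && sk_num(ca)) msg (M_INFO, "PKCS#12 bundled CA certificates ignored because --ca is specified");`. The enclosing function starts and ends outside the hunk.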
@@ -885,7 +888,10 @@
msg (M_SSLERR, "Private key does not match the certificate");
}
}
+ }
+ if (options->ca_file)
+ {
/* Load CA file for verifying peer supplied certificate */
ASSERT (options->ca_file);
if (!SSL_CTX_load_verify_locations (ctx, options->ca_file, NULL))
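Review bot: `ASSERT (options->ca_file);` directly under the new `if (options->ca_file)` guard is now a tautology and should be removed; an assertion that can never fire only misleads the next reader about what the block expects. The added `}` before the guard appears to close the `if (options->pkcs12_file)` block opened in the previous hunk, but its opening is outside this hunk so I cannot confirm the pairing from here. The enclosing function continues past the end of the hunk.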
@@ -899,9 +905,8 @@
msg (M_SSLERR, "Cannot load CA certificate file %s
(SSL_load_client_CA_file)", options->ca_file);
SSL_CTX_set_client_CA_list (ctx, cert_names);
}
-
}
-
+
/* Enable the use of certificate chains */
if (using_cert_file)
{