On 16/05/12 09:17, Alon Bar-Lev wrote:
> Hello David,
>
> I guess this is yours:
> ---
>  * Additions for eurephia plugin done by:
>  *         David Sommerseth <d...@users.sourceforge.net> Copyright (C) 2009
> ---
>
> Looking at the code the eurephia plugin only does the following:
> ---
> #ifdef ENABLE_PLUGIN_EUREPHIA
>   /* export X509 cert SHA1 fingerprint */
>   {
>     unsigned char *sha1_hash = x509_get_sha1_hash(peer_cert, &gc);
>
>     openvpn_snprintf (envname, sizeof(envname), "tls_digest_%d", cert_depth);
>     setenv_str (es, envname, format_hex_ex(sha1_hash, SHA_DIGEST_LENGTH, 0, 1, ":", &gc));
>   }
> #endif
> ---
>
> Can you please explain what this plugin is and why just remove the
> conditional?

You can find more info about the plug-in here: http://www.eurephia.net/

Basically, it's a username/password authentication plug-in which also matches a user account against a certificate (plus some extra features as well). The 'tls_digest_%d' environment variable is used to get better data when matching certificate information against the database.

I've been thinking that this whole #ifdef could go away in v2.4. It was a requirement from James to make this optional, which is the reason it is how it is. He wanted to be sure it can be disabled if there were stability concerns. As this has been enabled by default in 2.2 and will be in 2.3, I thought 2.4 would be a reasonable time to confirm the stability.

The [eurephia] string can also be removed then from options.c too; and I'll make sure the eurephia docs state that v2.4 contains the support even though not explicitly announced.

kind regards,

David Sommerseth
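
How a plug-in might consume the `tls_digest_%d` variable discussed in this message, as an added example that is not code from OpenVPN or eurephia. It assumes the environment reaches the plug-in as a NULL-terminated array of `name=value` strings and that the value is the colon-separated hex form produced by the quoted snippet; the names `env_get`, `parse_digest` and `digest_matches` are hypothetical, and both hex cases are accepted because the page does not state the case.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHA1_LEN 20

/* Look up NAME in a NULL-terminated "name=value" array (assumed plug-in
 * environment layout). The '=' check stops tls_digest_1 matching tls_digest_10. */
static const char *env_get(const char *name, const char *envp[])
{
    size_t n = strlen(name);
    for (size_t i = 0; envp && envp[i]; i++)
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return envp[i] + n + 1;
    return NULL;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Strictly parse "xx:xx:...:xx" (exactly 20 bytes); 0 on success, -1 otherwise. */
static int parse_digest(const char *s, unsigned char out[SHA1_LEN])
{
    if (!s || strlen(s) != SHA1_LEN * 3 - 1)
        return -1;
    for (int i = 0; i < SHA1_LEN; i++, s += 3) {
        int hi = hexval(s[0]), lo = hexval(s[1]);
        if (hi < 0 || lo < 0 || (i < SHA1_LEN - 1 && s[2] != ':'))
            return -1;
        out[i] = (unsigned char)(hi << 4 | lo);
    }
    return 0;
}

/* 1 if tls_digest_<depth> is present, well formed and equal to `stored`. */
int digest_matches(const char *envp[], int depth, const unsigned char stored[SHA1_LEN])
{
    char name[32];
    unsigned char got[SHA1_LEN], diff = 0;
    snprintf(name, sizeof name, "tls_digest_%d", depth);
    if (parse_digest(env_get(name, envp), got) != 0)
        return 0;                       /* missing or malformed: fail closed */
    for (int i = 0; i < SHA1_LEN; i++)  /* compare without early exit */
        diff |= got[i] ^ stored[i];
    return diff == 0;
}
```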