Hi,

On Thu, Jun 20, 2013 at 02:06:25PM +0300, Heikki Hannikainen wrote:
> From cec65ff199443c7f95101a7bf4a75644516d7810 Mon Sep 17 00:00:00 2001
> From: Heikki Hannikainen <he...@hes.iki.fi>
> Date: Thu, 20 Jun 2013 13:49:44 +0300
> Subject: [PATCH] Load intermediate certificates from a PKCS#12 file and place
>   them in the extra certs chain, when trusted CA certs are
>   loaded from an external PEM file with the --ca option, and
>   the CA certs in PKCS#12 are not to be trusted.
[..]

Based on the discussion at the meeting and the ACKs given there, patch
has been applied to the master and release/2.3 branches.

commit 6481f879eb62cafa6ad652801b2b5c45e546ef44 (master)
commit 09a002b7eba6c192393de7a60b5753173d4f400d (release/2.3)

gert


commit 6481f879eb62cafa6ad652801b2b5c45e546ef44
Author: Heikki Hannikainen <he...@hes.iki.fi>
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Thu Jun 20 14:06:25 2013 +0300

    Always load intermediate certificates from a PKCS#12 file
    
    Load intermediate certificates from a PKCS#12 file and place them in the
    extra certs chain, when trusted CA certs are loaded from an external PEM
    file with the --ca option, and the CA certs in PKCS#12 are not to be trusted.
    
    Required when client PKCS#12 file is provided by a different CA
    than the server CA, the PKCS#12 file contains intermediate certificates
    required for client auth, but the server CA is not in the PKCS#12 file.
    
    When --ca is set, the PKCS#12 provided CA certs are not trusted. Without
    this patch, they were ignored completely - with this patch, they're loaded
    in the extra certs chain which makes them available for chain verification
    but still does not make them trusted if --ca is set. Unless when, of
    course, a trusted root is found from the --ca file.
    
    Acked-by: James Yonan <ja...@openvpn.net>
    Acked-by: Arne Schwabe <a...@rfc2549.org>
    Acked-by: Steffan Karger <steffan.kar...@fox-it.com>
    Message-Id: <alpine.deb.2.02.1306201400320.10...@jazz.he.fi>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/7721
    
    Signed-off-by: Gert Doering <g...@greenie.muc.de>
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
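
The chain-building situation the commit message describes, replayed with the openssl command line as an added example (not OpenVPN's code and not part of the patch): a client PKCS#12 that carries the leaf and an intermediate but not the root, verified against a separately supplied root the way --ca supplies it. All certificate names, file names and the password are assumptions constructed for this demo.

```shell
# Added demonstration, not OpenVPN's code. Every CN, file name and the
# password "test" below is constructed for this script.
WORK=$(mktemp -d)

# Root -> intermediate -> client. The intermediate is the CA cert that ends up
# inside the client's PKCS#12; the root is what a server would load via --ca.
build_fixture() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Demo-Root \
    -keyout root.key -out root.pem
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=Demo-Intermediate \
    -keyout int.key -out int.csr
  openssl x509 -req -days 1 -in int.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile ca.ext -out int.pem
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=demo-client \
    -keyout client.key -out client.csr
  openssl x509 -req -days 1 -in client.csr -CA int.pem -CAkey int.key \
    -CAcreateserial -out client.pem
  # PKCS#12 with key, leaf and intermediate, but deliberately NOT the root.
  openssl pkcs12 -export -in client.pem -inkey client.key -certfile int.pem \
    -passout pass:test -out client.p12
  # Split the PKCS#12 the way the client does: the cert bound to the key, and
  # the remaining CA certs that the patch now feeds into the extra certs chain.
  openssl pkcs12 -in client.p12 -passin pass:test -nokeys -clcerts -out leaf.pem
  openssl pkcs12 -in client.p12 -passin pass:test -nokeys -cacerts -out extra.pem
} >/dev/null 2>&1

# Before the patch, with --ca set: the PKCS#12 CA certs were dropped, so there
# is no intermediate and the leaf cannot be chained to the --ca root.
verify_ignoring_p12_cas() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# After the patch: PKCS#12 CA certs are offered as *untrusted* extras; trust
# still comes only from the --ca file. This is the case that now succeeds.
verify_with_p12_extras() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/extra.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

# The extras never become trust anchors: with only the intermediate as "CA"
# and no self-signed root, verification still fails.
verify_p12_cas_as_trust() {
  openssl verify -CAfile "$WORK/extra.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}
```

Run `build_fixture` once, then call the three verify functions; only `verify_with_p12_extras` returns success.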
