Attention is currently required from: plaisthos.

cron2 has posted comments on this change. ( )

The change is no longer submittable: Code-Review is unsatisfied now.

Change subject: Implement the --tls-export-cert feature

Patch Set 6: Code-Review-2



Tested, does not crash, but only exports level 0 cert (level 1 variable is set, 
but no such file exists).

File doc/man-sections/script-options.rst: :
PS6, Line 426: --tls-export-cert-path dir
the manpage calls the option "tls-export-cert-path", while options.c checks for 
"tls-export-cert" (only, no "new option and also old option for compat 
reasons") - this needs to be resolved (and keeping the old option name 
everywhere is better for not breaking people's configs - so the documentation 
needs to be fixed)

File src/openvpn/init.c: :
PS6, Line 3339:     to.export_peer_cert_dir = 
why call this "_dir" in the to, and "_path" in options-> ?

File src/openvpn/ssl_verify.c: :
PS6, Line 734:     if (opt->export_peer_cert_dir)
Something is not right here.  So the function does set up multiple environment 
variables, but only one file is ever created...

I do a "ls -l $peer_cert_2 $peer_cert_1 $peer_cert0" in my tls-verify-script, 
and this is what I see

-rw------- 1 root root 1830 Dec 18 18:39 

... only one file.

For "multiple files", I would have expected to find the filenames in an array 
so they can all be deleted at the end (and no dangling files), but if only one 
file is ever created, no array is needed...

To view, visit
To unsubscribe, or for help writing mail filters, visit

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Gerrit-Change-Number: 466
Gerrit-PatchSet: 6
Gerrit-Owner: plaisthos <>
Gerrit-Reviewer: cron2 <>
Gerrit-Reviewer: flichtenheld <>
Gerrit-CC: openvpn-devel <>
Gerrit-Attention: plaisthos <>
Gerrit-Comment-Date: Mon, 18 Dec 2023 17:42:02 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
Openvpn-devel mailing list

Reply via email to