git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Selva Nair <selva.nair@gmail.com>
	Sat, 20 Jan 2018 04:52:54 +0000 (23:52 -0500)
committer	Gert Doering <gert@greenie.muc.de>
	Thu, 25 Jan 2018 09:00:05 +0000 (10:00 +0100)
commit	6c54745b8d417a534a6081588b1ecc7ff01fa9f7
tree	ec07986e9fef9e774be557ad8e51f0ebcce14a14	tree \| snapshot
parent	f3fd673337f4c7d147e7a3a3530de96729775d68	commit \| diff

TLS v1.2 support for cryptoapicert -- RSA only

- If an NCRYPT handle for the private key can be obtained, use
  NCryptSignHash from the Cryptography NG API to sign the hash.

  This should work for all keys in the Windows certifiate stores
  but may fail for keys in a legacy token, for example. In such
  cases, we disable TLS v1.2 and fall back to the current
  behaviour. A warning is logged unless TLS version is already
  restricted to <= 1.1

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1516423974-22159-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16288.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 51d57d7dad6c6380df7b76bbec1897ea4f98474d)

src/openvpn/Makefile.am		diff \| blob \| blame \| history
src/openvpn/cryptoapi.c		diff \| blob \| blame \| history
src/openvpn/options.c		diff \| blob \| blame \| history