to.verify_hash = options->verify_hash;
to.verify_hash_algo = options->verify_hash_algo;
to.verify_hash_depth = options->verify_hash_depth;
- to.verify_hash_no_ca = options->verify_hash_no_ca;
#ifdef ENABLE_X509ALTUSERNAME
memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
#else
else
{
#ifdef ENABLE_CRYPTO_MBEDTLS
+ if (!(options->ca_file))
+ {
+ msg(M_USAGE, "You must define CA file (--ca)");
+ }
+
if (options->ca_path)
{
msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN.");
}
-#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
+#else /* ifdef ENABLE_CRYPTO_MBEDTLS */
+ if ((!(options->ca_file)) && (!(options->ca_path)))
+ {
+ msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
+ }
+#endif
if (pull)
{
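Review bot: The new non-mbedtls test `if ((!(options->ca_file)) && (!(options->ca_path)))` carries three redundant parenthesis pairs; `if (!options->ca_file && !options->ca_path)` reads the same and matches the surrounding `if (options->ca_path)` style. The `else` that encloses both branches opens before this hunk, so the condition under which a CA becomes mandatory is not visible here; since the rest of this commit removes the fingerprint-without-CA path, a one-line comment above the `#ifdef ENABLE_CRYPTO_MBEDTLS`, such as `/* A trust anchor is always required; fingerprint matching does not replace it */`, would record why the M_USAGE errors are unconditional. Inline `--ca` presumably still leaves `ca_file` non-NULL so it is not rejected by the new mbedtls check — worth confirming against how inline options are stored. While here, the unchanged `--capath` message repeats "version version".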
options_postprocess_http_proxy_override(o);
}
#endif
- if (!o->ca_file && !o->ca_path && o->verify_hash
- && o->verify_hash_depth == 0)
- {
- msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
- "option set). ");
- o->verify_hash_no_ca = true;
- }
if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP)
{
errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE,
options->dh_file, R_OK, "--dh");
- if (!options->verify_hash_no_ca)
- {
- errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE,
- options->ca_file, R_OK, "--ca");
- }
+ errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE,
+ options->ca_file, R_OK, "--ca");
errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
options->ca_path, R_OK, "--capath");
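Review bot: The `--ca` access check at the new `errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE, options->ca_file, R_OK, "--ca");` now runs unconditionally, so on an OpenSSL build configured with only `--capath` it is called with a NULL `ca_file`. The removed guard also let the call through whenever verify_hash_no_ca was false, so check_file_access_inline presumably already tolerates a NULL path, but that is not visible in this hunk; if it does not, a `--capath`-only configuration would report a spurious access error. Confirm the helper's NULL handling, or keep the call behind `if (options->ca_file)`. The enclosing function starts and ends outside the hunk.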
struct verify_hash_list *verify_hash;
hash_algo_type verify_hash_algo;
int verify_hash_depth;
- bool verify_hash_no_ca;
unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */
#ifdef ENABLE_PKCS11
const char *remote_cert_eku;
struct verify_hash_list *verify_hash;
int verify_hash_depth;
- bool verify_hash_no_ca;
hash_algo_type verify_hash_algo;
#ifdef ENABLE_X509ALTUSERNAME
char *x509_username_field[MAX_PARMS];
struct buffer cert_fingerprint = x509_get_sha256_fingerprint(cert, &gc);
cert_hash_remember(session, cert_depth, &cert_fingerprint);
- if (session->opt->verify_hash_no_ca)
- {
- /*
- * If we decide to verify the peer certificate based on the fingerprint
- * we ignore wrong dates and the certificate not being trusted.
- * Any other problem with the certificate (wrong key, bad cert,...)
- * will still trigger an error.
- * Clearing these flags relies on verify_cert will later rejecting a
- * certificate that has no matching fingerprint.
- */
- uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED
- | MBEDTLS_X509_BADCERT_EXPIRED
- | MBEDTLS_X509_BADCERT_FUTURE;
- *flags = *flags & ~flags_ignore;
- }
-
/* did peer present cert which was signed by our root cert? */
if (*flags != 0)
{
cert_hash_remember(session, X509_STORE_CTX_get_error_depth(ctx), &cert_hash);
/* did peer present cert which was signed by our root cert? */
- if (!preverify_ok && !session->opt->verify_hash_no_ca)
+ if (!preverify_ok)
{
/* get the X509 name */
char *subject = x509_get_subject(current_cert, &gc);
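Review bot: With the condition reduced to `if (!preverify_ok)`, a certificate that fails OpenSSL chain validation is now always rejected here, and a configured fingerprint no longer relaxes that; as far as this diff shows, verify_hash (still declared in options.h) is applied in addition to chain validation rather than instead of it, and the `--ca`/`--capath` requirement added in options.c is what guarantees a trust store exists at this point. A short comment on the changed line, e.g. `/* Chain-validation failure is always fatal; a peer fingerprint does not substitute for a trust anchor. */`, would record that this coupling across files is intentional. The enclosing verify callback starts and ends outside the hunk.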