509_get_sha1_hash() is supposed to return the certificate fingerprint,
which is the hash of the entire certificate - including the signature -
and not just the 'to be signed' data (cert->tbs in polarssl).
This changes externally visible behavior for polarssl builds: it will
change the value of the tls_digest_N values exported to the environment
for scripts.
v2 Steffan Karger: added commit message and Changes.rst entry.
Code unchanged from v1 by James.
Signed-off-by: James Yonan <james@openvpn.net>
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <CAA1AbxL=QYUy6N+jKgxVVuftmF=75mSEz3rYUbisT245UfB5Dg@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11396
Signed-off-by: Gert Doering <gert@greenie.muc.de>
In --static mode connect-timeout specifies the timeout for TCP and
proxy connection establishment
-
- connect-retry now specifies the maximum number of unsucessfully
trying all remote/connection entries before exiting.
* Non-ephemeral key exchange using static (EC)DH keys
* DSS private keys
+- PolarSSL builds: changed the tls_digest_N values exported to the script
+ environment to be equal to the ones exported by OpenSSL builds, namely
+ the certificate fingerprint (was the hash of the 'to be signed' data).
+
Maintainer-visible changes
--------------------------
x509_get_sha1_hash (x509_crt *cert, struct gc_arena *gc)
{
unsigned char *sha1_hash = gc_malloc(SHA_DIGEST_LENGTH, false, gc);
- sha1(cert->tbs.p, cert->tbs.len, sha1_hash);
+ sha1(cert->raw.p, cert->raw.len, sha1_hash);
return sha1_hash;
}
projects / thirdparty / openvpn.git / commitdiff
