Make the --x509-username-field feature an opt-in feature
authorDavid Sommerseth <davids@redhat.com>
Wed, 15 Dec 2010 09:53:04 +0000 (10:53 +0100)
committerDavid Sommerseth <dazo@users.sourceforge.net>
Fri, 17 Dec 2010 19:46:26 +0000 (20:46 +0100)
After some discussion [1] regarding an extension of this feature,
James Yonan wanted this extension to be an opt-in feature.  However,
as it does not make sense to opt-in on an extension of a feature which
was discussed, this patch makes the base feature an opt-in instead.

The base feature comes from commit 2e8337de248ef0b5b48cbb2964 (beta2.2)
and commit 935c62be9c0c8a256112 (feat_misc).

[1] http://thread.gmane.org/gmane.network.openvpn.devel/4266

Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: James Yonan <james@openvpn.net>
(cherry picked from commit 024972e2ced84c6e5cabc43620ab510e5693d1d4)

configure.ac
options.c
options.h
ssl.c

index 1d5526349932fd10516064c0a99722e22cc37192..e30f990486ebf0e5cee63ed2a472fae8e0528205 100644 (file)
@@ -80,6 +80,12 @@ AC_ARG_ENABLE(ssl,
    [SSL="yes"]
 )
 
+AC_ARG_ENABLE(x509-alt-username,
+   [  --enable-x509-alt-username    Enable the --x509-username-field feature],
+   [X509ALTUSERNAME="$enableval"],
+   [X509ALTUSERNAME="no"]
+)
+
 AC_ARG_ENABLE(multi,
    [  --disable-multi         Disable client/server support (--mode server + client mode)],
    [MULTI="$enableval"],
@@ -751,6 +757,11 @@ dnl
    fi
 fi
 
+dnl enable --x509-username-field feature if requested
+if test "$X509ALTUSERNAME" = "yes"; then
+   AC_DEFINE(ENABLE_X509ALTUSERNAME, 1, [Enable --x509-username-field feature])
+fi
+
 dnl enable pkcs11 capability
 if test "$PKCS11" = "yes"; then
    AC_CHECKING([for pkcs11-helper Library and Header files])
index 524c7817804f27c612dc29fa3638313671acf447..f4eeaee23b4fb4f78f7e6084defaec5db0a093e1 100644 (file)
--- a/options.c
+++ b/options.c
@@ -506,8 +506,10 @@ static const char usage_message[] =
   "--key file      : Local private key in .pem format.\n"
   "--pkcs12 file   : PKCS#12 file containing local private key, local certificate\n"
   "                  and optionally the root CA certificate.\n"
+#ifdef ENABLE_X509ALTUSERNAME
   "--x509-username-field : Field used in x509 certificat to be username.\n"
   "                        Default is CN.\n"
+#endif
 #ifdef WIN32
   "--cryptoapicert select-string : Load the certificate and private key from the\n"
   "                  Windows Certificate System Store.\n"
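Review bot: The usage text now guarded by ENABLE_X509ALTUSERNAME misspells "certificate" and does not tell the operator that the field name is matched case-insensitively, even though add_option upper-cases the value before storing it (visible further down in this commit). Since this string is the only built-in documentation of a security-relevant option, I would change the two lines to `"--x509-username-field : Field used in X.509 certificate as the username\n"` and `"                        (case-insensitive). Default is CN.\n"`. The enclosing usage_message[] array starts and ends outside this hunk.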
@@ -761,9 +763,11 @@ init_options (struct options *o, const bool init_gc)
   o->renegotiate_seconds = 3600;
   o->handshake_window = 60;
   o->transition_window = 3600;
+#ifdef ENABLE_X509ALTUSERNAME
   o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;
 #endif
 #endif
+#endif
 #ifdef ENABLE_PKCS11
   o->pkcs11_pin_cache_period = -1;
 #endif                 /* ENABLE_PKCS11 */
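Review bot: The `#endif` that now closes the new ENABLE_X509ALTUSERNAME guard (the one immediately after the `o->x509_username_field` assignment) is unlabelled while sitting in a run of three consecutive `#endif`s, which makes it hard to see which guard each one closes. The add_option hunk in this same commit labels its closer `#endif /* ENABLE_X509ALTUSERNAME */`; doing the same here, `#endif /* ENABLE_X509ALTUSERNAME */`, keeps the two sites consistent. The init_options body continues outside this hunk.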
@@ -5898,6 +5902,7 @@ add_option (struct options *options,
        }
       options->key_method = key_method;
     }
+#ifdef ENABLE_X509ALTUSERNAME
   else if (streq (p[0], "x509-username-field") && p[1])
     {
       char *s = p[1];
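Review bot: With the whole `else if (streq (p[0], "x509-username-field") && p[1])` branch compiled out, a configuration that still contains `x509-username-field` will presumably fall through to whatever path add_option uses for unrecognized options, which is not visible in this hunk. If that path aborts startup this is fail-closed, which is the right default for an option that changes how a peer's identity is derived, but the resulting message will not tell the operator that the feature was simply not compiled in. Consider adding an `#else` branch that matches the option name and reports that the binary was built without --enable-x509-alt-username, using the same error path the surrounding code uses for bad options. The branch body continues in the next hunk.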
@@ -5905,6 +5910,7 @@ add_option (struct options *options,
       while ((*s = toupper(*s)) != '\0') s++; /* Uppercase if necessary */
       options->x509_username_field = p[1];
     }
+#endif /* ENABLE_X509ALTUSERNAME */
 #endif /* USE_SSL */
 #endif /* USE_CRYPTO */
 #ifdef ENABLE_PKCS11
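Review bot: The upper-casing loop that is now inside the ENABLE_X509ALTUSERNAME guard passes a plain `char` to `toupper()`; on platforms where `char` is signed, a byte >= 0x80 in the config value becomes a negative argument that is not EOF, which is undefined behaviour for the ctype functions. The loop should cast through unsigned char, `while ((*s = (char) toupper((unsigned char) *s)) != '\0') s++;`. This is pre-existing code that the commit only wraps, but since the value comes from an operator-supplied config file it is worth fixing while the line is being touched; the enclosing add_option body continues outside this hunk.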
index 7a61e3debabd6dd95e85926363fb15924054bc18..7f4c0cd1a819d3bbc63f85c2d000c15d782dc979 100644 (file)
--- a/options.h
+++ b/options.h
@@ -508,8 +508,10 @@ struct options
      within n seconds of handshake initiation. */
   int handshake_window;
 
+#ifdef ENABLE_X509ALTUSERNAME
   /* Field used to be the username in X509 cert. */
   char *x509_username_field;
+#endif
 
   /* Old key allowed to live n seconds after new key goes active */
   int transition_window;
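Review bot: The comment on the newly guarded `x509_username_field` member, "Field used to be the username in X509 cert.", reads as if it described a historical value rather than the field's role, and it does not say how the name is normalised. Based on the options.c change in this commit, which upper-cases the value in add_option, I would write `/* Name of the X.509 certificate field whose value is used as the username (--x509-username-field); stored upper-cased by the option parser. */`. The enclosing struct options starts and ends outside this hunk.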
diff --git a/ssl.c b/ssl.c
index 2fa091a4b0a5c2c1c79d518f5a5fdf266eb017fd..da6f7d70f213934d31e3bcfa71466e49f22b4cb6 100644 (file)
--- a/ssl.c
+++ b/ssl.c
@@ -1874,7 +1874,11 @@ init_ssl (const struct options *options)
     }
   else
 #endif
+#ifdef ENABLE_X509ALTUSERNAME
   x509_username_field = (char *) options->x509_username_field;
+#else
+  x509_username_field = X509_USERNAME_FIELD_DEFAULT;
+#endif
   SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                        verify_callback);