From: Adriaan de Jong Date: Tue, 5 Jul 2011 11:09:13 +0000 (+0200) Subject: Disabled X.509 track and username selection for PolarSSL X-Git-Tag: v2.3-alpha1~91 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7dd8bbf574672b60d4776bee0ef9908cf1f49c2f;p=thirdparty%2Fopenvpn.git Disabled X.509 track and username selection for PolarSSL Signed-off-by: Adriaan de Jong Acked-by: James Yonan Signed-off-by: David Sommerseth
---
diff --git a/README.polarssl b/README.polarssl
index bd066e4b4..77a95750d 100644
--- a/README.polarssl
+++ b/README.polarssl
@@ -7,17 +7,22 @@ To Build and Install,
 make
 make install
+This version depends on at least PolarSSL v0.99.
+
 *************************************************************************
-The following features are missing in the PolarSSL version of OpenVPN:
+Due to limitations in the PolarSSL library, the following features are missing
+in the PolarSSL version of OpenVPN:
- * ca_path support - Loading certificate authorities from a directory
  * PKCS#12 file support
+ * --capath support - Loading certificate authorities from a directory
  * Windows CryptoAPI support
  * Management external key support
- * X509 alternative username fields (must be "CN")
+ * X.509 alternative username fields (must be "CN")
+
+Plugin/Script features:
- TODO:
- * serial is in Hex
- * X509 certificate export
- * X.509 tracking
+ * X.509 Serial number is in hex, not decimal as with OpenSSL
+ * X.509 subject line has a different format than the OpenSSL subject line
+ * X.509 certificate export does not work
+ * X.509 certificate tracking
diff --git a/configure.ac b/configure.ac
index bbdd71391..a6b3019ff 100644
--- a/configure.ac
+++ b/configure.ac
@@ -840,6 +840,10 @@ fi
 dnl enable --x509-username-field feature if requested
 if test "$X509ALTUSERNAME" = "yes"; then
+ if test "$SSL_LIB" = "polarssl" ; then
+ AC_MSG_ERROR([PolarSSL does not support the --x509-username-field feature])
+ fi
+
 AC_DEFINE(ENABLE_X509ALTUSERNAME, 1, [Enable --x509-username-field feature])
 fi
diff --git a/openvpn.8 b/openvpn.8
index 12547c4ff..b8594e1ac 100644
--- a/openvpn.8
+++ b/openvpn.8
@@ -4543,6 +4543,7 @@ to save values from full cert chain. Values will be encoded as X509__=.
 Multiple
 .B \-\-x509-track
 options can be defined to track multiple attributes.
+Not available with PolarSSL.
 .\"*********************************************************
 .TP
 .B \-\-ns-cert-type client|server
diff --git a/options.c b/options.c
index bed6c4b48..398543990 100644
--- a/options.c
+++ b/options.c
@@ -604,8 +604,10 @@ static const char usage_message[] =
 " of verification.\n"
 "--ns-cert-type t: Require that peer certificate was signed with an explicit\n"
 " nsCertType designation t = 'client' | 'server'.\n"
+#ifdef ENABLE_X509_TRACK
 "--x509-track x : Save peer X509 attribute x in environment for use by\n"
 " plugins and management interface.\n"
+#endif
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L || USE_POLARSSL
 "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
 " explicit key usage, you can specify more than one value.\n"
diff --git a/syshead.h b/syshead.h
index 0e8edf34c..f3c0ac9bb 100644
--- a/syshead.h
+++ b/syshead.h
@@ -627,7 +627,7 @@ socket_defined (const socket_descriptor_t sd)
 /*
  * Enable x509-track feature?
  */
-#if defined(USE_CRYPTO) && defined(USE_SSL) && defined USE_OPENSSL
+#if defined(USE_CRYPTO) && defined(USE_SSL) && defined (USE_OPENSSL)
 #define ENABLE_X509_TRACK
 #endif
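Review bot: The new guard `if test "$SSL_LIB" = "polarssl" ; then` only rejects one literal spelling of the backend name; `SSL_LIB` is assigned outside this hunk, so I cannot tell whether it is normalised or validated before reaching here, and if it is taken verbatim from `--with-ssl-type` a differently-spelled value would slip past this check and still define ENABLE_X509ALTUSERNAME for a backend the commit says cannot implement it. Comparing against the same variable or case label that actually selects the PolarSSL sources would tie the restriction to the real build decision rather than to a string. As a point of style, the space before the semicolon differs from the surrounding `= "yes"; then`; `if test "$SSL_LIB" = "polarssl"; then` matches the file.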
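Review bot: Wrapping the `--x509-track` usage text in `#ifdef ENABLE_X509_TRACK` hides the option from help output but does not by itself stop a PolarSSL build from accepting it; the `add_option` handler that parses `--x509-track` is outside this hunk, and if it is not under the same guard the option will be accepted and the X509_* environment values that plugins and the management interface consume for authorisation will simply never appear. On such a build the option should fail at parse time (handler under `#ifdef ENABLE_X509_TRACK` so it falls through to the existing unrecognized-option path) rather than be silently ignored, since a silently absent attribute is the failure mode most likely to weaken a policy script. The man page hunk in this commit already documents the restriction, so rejecting the option is consistent with it. The `usage_message[]` definition starts before and ends after this hunk.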
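Review bot: The comment above the guard still reads only `Enable x509-track feature?` and gives no reason for the OpenSSL-only condition, which is the behaviour this commit fixes in place and the thing a maintainer adding another backend will need to know; I would change it to `/* Enable x509-track feature? Implemented for the OpenSSL backend only; PolarSSL builds lack it (see README.polarssl). */`. The rewrite from `defined USE_OPENSSL` to `defined (USE_OPENSSL)` is cosmetic. Note also that the sibling restriction for ENABLE_X509ALTUSERNAME is enforced at configure time in this commit while this one lives in the header, so a build that defines ENABLE_X509ALTUSERNAME by hand with PolarSSL is not caught here; a three-line `#if defined(ENABLE_X509ALTUSERNAME) && !defined(USE_OPENSSL)` / `#error "--x509-username-field requires the OpenSSL backend"` / `#endif` next to this block would make the two checks consistent.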