From: james Date: Sat, 1 Oct 2005 11:10:12 +0000 (+0000) Subject: Renamed sample-keys/tmp-ca.crt to ca.crt. X-Git-Tag: v2.1_rc1~156 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c70caa7fd4a631f42b136bdcf3c5199774ed09e5;p=thirdparty%2Fopenvpn.git Renamed sample-keys/tmp-ca.crt to ca.crt. Fixed bug where remove_iroutes_from_push_route_list was missing routes if those routes had an implied netmask (by omission) of 255.255.255.255. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@587 e7ae566f-a301-0410-adde-c780ea21d3b5 --- diff --git a/openvpn.8 b/openvpn.8 index 8d55815a0..2d40ca91f 100644 --- a/openvpn.8 +++ b/openvpn.8 @@ -3363,15 +3363,15 @@ certificate. This file can have multiple certificates in .pem format, concatenated together. You can construct your own certificate authority certificate and private key by using a command such as: -.B openssl req -nodes -new -x509 -keyout tmp-ca.key -out tmp-ca.crt +.B openssl req -nodes -new -x509 -keyout ca.key -out ca.crt Then edit your openssl.cnf file and edit the .B certificate variable to point to your new root certificate -.B tmp-ca.crt. +.B ca.crt. For testing purposes only, the OpenVPN distribution includes a sample -CA certificate (tmp-ca.crt). +CA certificate (ca.crt). Of course you should never use the test certificates and test keys distributed with OpenVPN in a production environment, since by virtue of the fact that @@ -5001,9 +5001,9 @@ Diffie Hellman parameters (see above where .B --dh is discussed for more info). You can also use the included test files client.crt, client.key, -server.crt, server.key and tmp-ca.crt. +server.crt, server.key and ca.crt. The .crt files are certificates/public-keys, the .key -files are private keys, and tmp-ca.crt is a certification +files are private keys, and ca.crt is a certification authority who has signed both client.crt and server.crt. For Diffie Hellman parameters you can use the included file dh1024.pem. @@ -5011,11 +5011,11 @@ parameters you can use the included file dh1024.pem. .LP On may: .IP -.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --tls-client --ca tmp-ca.crt --cert client.crt --key client.key --reneg-sec 60 --verb 5 +.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --tls-client --ca ca.crt --cert client.crt --key client.key --reneg-sec 60 --verb 5 .LP On june: .IP -.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --tls-server --dh dh1024.pem --ca tmp-ca.crt --cert server.crt --key server.key --reneg-sec 60 --verb 5 +.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --tls-server --dh dh1024.pem --ca ca.crt --cert server.crt --key server.key --reneg-sec 60 --verb 5 .LP Now verify the tunnel is working by pinging across the tunnel. .LP diff --git a/push.c b/push.c index 3db8e74cb..e5c940a1d 100644 --- a/push.c +++ b/push.c @@ -273,12 +273,12 @@ remove_iroutes_from_push_route_list (struct options *o) if (parse_line (line, p, SIZE (p), "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc)) { /* is the push item a route directive? */ - if (p[0] && p[1] && p[2] && !strcmp (p[0], "route")) + if (p[0] && !strcmp (p[0], "route") && !p[3]) { /* get route parameters */ bool status1, status2; const in_addr_t network = getaddr (GETADDR_HOST_ORDER, p[1], 0, &status1, NULL); - const in_addr_t netmask = getaddr (GETADDR_HOST_ORDER, p[2], 0, &status2, NULL); + const in_addr_t netmask = getaddr (GETADDR_HOST_ORDER, p[2] ? p[2] : "255.255.255.255", 0, &status2, NULL); /* did route parameters parse correctly? */ if (status1 && status2) @@ -288,7 +288,7 @@ remove_iroutes_from_push_route_list (struct options *o) /* does route match an iroute? */ for (ir = o->iroutes; ir != NULL; ir = ir->next) { - if (network == ir->network && netmask == netbits_to_netmask (ir->netbits)) + if (network == ir->network && netmask == netbits_to_netmask (ir->netbits >= 0 ? ir->netbits : 32)) { copy = false; break; diff --git a/sample-config-files/loopback-client b/sample-config-files/loopback-client index 9db2877f0..549976372 100644 --- a/sample-config-files/loopback-client +++ b/sample-config-files/loopback-client @@ -17,7 +17,7 @@ dev null verb 3 reneg-sec 10 tls-client -ca sample-keys/tmp-ca.crt +ca sample-keys/ca.crt key sample-keys/client.key cert sample-keys/client.crt cipher DES-EDE3-CBC diff --git a/sample-config-files/loopback-server b/sample-config-files/loopback-server index 18bbbeb06..d9fe506e7 100644 --- a/sample-config-files/loopback-server +++ b/sample-config-files/loopback-server @@ -18,7 +18,7 @@ verb 3 reneg-sec 10 tls-server dh sample-keys/dh1024.pem -ca sample-keys/tmp-ca.crt +ca sample-keys/ca.crt key sample-keys/server.key cert sample-keys/server.crt cipher DES-EDE3-CBC diff --git a/sample-keys/README b/sample-keys/README index dd5c25ca6..1cd473a15 100644 --- a/sample-keys/README +++ b/sample-keys/README @@ -7,7 +7,7 @@ NOTE: THESE KEYS ARE FOR TESTING PURPOSES ONLY. DON'T USE THEM FOR ANY REAL WORK BECAUSE THEY ARE TOTALLY INSECURE! -tmp-ca.{crt,key} -- sample CA key/cert +ca.{crt,key} -- sample CA key/cert client.{crt,key} -- sample client key/cert server.{crt,key} -- sample server key/cert (nsCertType=server) pass.{crt,key} -- sample client key/cert with password-encrypted key diff --git a/sample-keys/tmp-ca.crt b/sample-keys/ca.crt similarity index 100% rename from sample-keys/tmp-ca.crt rename to sample-keys/ca.crt diff --git a/sample-keys/tmp-ca.key b/sample-keys/ca.key similarity index 100% rename from sample-keys/tmp-ca.key rename to sample-keys/ca.key