mirror of https://github.com/OpenVPN/openvpn3.git synced 2024-09-20 12:12:15 +02:00
Commit Graph

17 Commits

Author SHA1 Message Date
Heiko Hund
e9a903fd9f add support for the --peer-fingerprint option
This option lets you specify the SHA256 fingerprint of a peer's self-signed
certificate. The peer's certificate, presented during connection bring-up,
is compared to the fingerprint. The connection fails if it doesn't
match.

So, this serves as an easy, yet secure, alternative to setting up a PKI,
but can also be used in conjunction with one to add one more check during
leaf certificate validation.

The option can also be given as inline block, for easier management for
multiple fingerprints:

  <peer-fingerprint>
  00:11:22:33:...:BB:CC:DD:FF
  BB:CC:DD:FF:...:00:11:22:33
  </peer-fingerprint>

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-04-28 23:56:22 +02:00
David Sommerseth
3fbe0a2701
Update copyrights
Signed-off-by: David Sommerseth <davids@openvpn.net>
2020-03-18 19:37:32 +01:00
James Yonan
bee0d8d187
SSL: added SSLConst::SEND_CLIENT_CA_LIST server-side flag and implemented for OpenSSL
If SEND_CLIENT_CA_LIST is enabled, we will call SSL_CTX_add_client_CA
for each CA specified in the config.  This will direct OpenSSL to
transmit a list of client CA names to the client so it can choose
an appropriate client certificate.

Signed-off-by: James Yonan <james@openvpn.net>
2019-06-19 18:21:02 +02:00
James Yonan
bbae814864
OpenSSL: added SNI implementation
On the server side, we add the abstract base class
SNIHandlerBase to provide a hook (sni_hello) where
servers can inspect the SNI name given in the client
hello message and possibly return a different SSLFactoryAPI.

In other changes, we rename the ENABLE_SNI flag to
ENABLE_CLIENT_SNI to be clear that this flag only affects
the client-side SNI implementation.

We also add the NO_VERIFY_HOSTNAME flag on the client side
to allow the SNI name to be transmitted to the server
without requiring a match between the SNI name and the
common name or subject alternative name in the server
certificate.

Signed-off-by: James Yonan <james@openvpn.net>
2019-06-19 18:21:00 +02:00
James Yonan
72e9f858e4
SSL: added SSLConst::PEER_CERT_OPTIONAL flag and implemented for OpenSSL
Signed-off-by: James Yonan <james@openvpn.net>
2019-05-16 14:50:06 +02:00
David Sommerseth
16b10559f2 [OVPN3-140] Update company names in copyrights
OpenVPN Technologies, Inc. change their name to OpenVPN Inc. during the
autumn of 2017.

Signed-off-by: David Sommerseth <davids@openvpn.net>
2017-12-22 17:59:39 +08:00
David Sommerseth
6caca2c313 [OVPN3-140] Relicense back to AGPLv3
This is essentially a revert of commit 04b2a3c9b7 and commit
ef42e59e05.

Signed-off-by: David Sommerseth <davids@openvpn.net>
2017-12-22 17:59:39 +08:00
James Yonan
0090c51978 SSLConst: added new ssl_flags() method which filters out
non-ssl flags from given argument.

Signed-off-by: James Yonan <james@openvpn.net>
2017-12-22 17:59:38 +08:00
James Yonan
5b5af36775 Added SSLConst::SERVER_TO_SERVER flag
SSLConst::SERVER_TO_SERVER allows X509 certificates to be
used in a meshed topology, where a server certificate can
be used for either the client or server side of an SSL
connection.

Currently only implemented for OpenSSL.

Signed-off-by: James Yonan <james@openvpn.net>
2017-09-27 16:16:18 +08:00
James Yonan
b2cd82a5bf copyright: updated to 2017.
Signed-off-by: James Yonan <james@openvpn.net>
2017-03-18 13:11:09 -06:00
Samuli Seppänen
04b2a3c9b7 Switch from AGPLv3 to GPLv3
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
2017-03-16 14:43:55 +02:00
James Yonan
971abda88f copyright: updated to 2016
2016-09-03 23:29:23 -06:00
James Yonan
fc249e6a46 OpenSSL, AuthCert : implemented DEFERRED_CERT_VERIFY SSL
flag, to allow server-side SSL users to get information
about client certificate validation errors without
immediately terminating the connection.  This allows
certificate errors to be handled at a higher level, such
as by messaging error info to the peer over the TLS control
channel.
2016-07-30 15:17:57 -07:00
James Yonan
099e8dc70e SSL : added SSLConst::ENABLE_SNI flag to enable SNI (Server
Name Indication) when hostname is provided.
2016-05-06 15:29:16 -06:00
James Yonan
6fcf70463e Added SSLConst::NO_VERIFY_PEER flag for SSL servers that don't
require client authentication.
2015-04-19 00:03:13 -06:00
James Yonan
c2c7292a70 Updated copyright to 2015.
2015-01-06 12:56:21 -07:00
James Yonan
d9b5cdf588 Core: SSL layer changes:
* Renamed SSL method write_ciphertext_ready() to
  read_cleartext_ready() for clarity.

* It's important that read_cleartext_ready() returns an accurate
  status.  To this end, add ssl_get_bytes_avail to the return
  expression for PolarSSL:

    return !ct_in.empty() || ssl_get_bytes_avail(ssl);

  This will also consider buffering inside of PolarSSL,
  and avoid potential deadlocks.

  Other SSL modules (AppleCrypto and OpenSSL) have been
  commented to warn of this issue.

* Factored out constants such as SHOULD_RETRY to namespace
  SSLConst.

* Added flags var to SSL configs.

* Added new SSL flag LOG_VERIFY_STATUS.  If disabled,
  makes for a quiet SSL negotiation if no errors.

* Detect SSL partial writes and designate a new error status
  code (SSL_PARTIAL_WRITE).

* In ProtoStackBase, detect unclassified errors from SSL layer
  (throw unknown_status_from_ssl_layer).

* PolarSSL module now recognizes Close Notify status and returns
  SSLConst::PEER_CLOSE_NOTIFY.

* In ProtoStackBase, factored out some error handling into
  common method.
2014-08-10 19:34:00 -06:00