mirror of
https://github.com/OpenVPN/openvpn3.git
synced 2024-09-20 12:12:15 +02:00
a6b7cf458f
This patch builds on work by David Sommerseth <davids@openvpn.net> to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which has significant differences in some areas. - Strings containing keys, certificates, CRLs, and DH parameters need to be NULL-terminated and the length argument provided to the corresponding mbedtls parse function must be able to read the NULL-terminator. These places have been modified with a '+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp, pkctx.hpp). - The SSL context object has been split up in mbedtls-2.3 Now many of the SSL configurations are done in a separate SSL config object, which is added to the SSL context once configured. In addition private/public keys are now stored in a separate pk_context, which is later on attached to the SSL context. Due to this, many of the calls setting either SSL configuration parameters or working with pk_contexts have been refactored. (sslctx.hpp) - The older API loading the CA chain took a hostname argument. The new API requires mbedtls_ssl_set_hostname() explicitly to be called setting hostname. Some refactoring was needed here too (sslctx.hpp). - x509_oid_get_description() is now replaced by mbedtls_oid_get_extended_key_usage(). - when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return value was changed so that a return value of 0 now means equal rather than not-equal. - mbedtls/platform.h must be loaded before any other mbedtls include files (sslchoose.hpp). - All functions and macros related to mbedTLS are now prefixed with mbedtls_/MBEDTLS_ - Refactored External PKI and added some options to cli.cpp to make it easier to test that the feature still works correctly. This included removing the sig_type var and standardizing on a PKCS#1 digest prefix per RFC 3447. - Updated test keys to 2048 bits. - Updated dependency build scripts to build mbedTLS. - Enable MD4 in mbedTLS build script (needed for NTLM auth). - Use an allow-all X509 cert profile to preserve compatibility with older configs. Going forward, we will implement new options to increase strictness on minimum RSA key size and required cert signing algs. - Added human-readable reason strings that explain why a given cert in the chain wasn't accepted. - This patch doesn't rename any files or rename internal OpenVPN 3 symbols such as PolarSSLContext. This will be done in a separate commit. Signed-off-by: James Yonan <james@openvpn.net>
36 lines
2.1 KiB
Plaintext
36 lines
2.1 KiB
Plaintext
-----BEGIN CERTIFICATE-----
|
|
MIIGKDCCBBCgAwIBAgIJAKFO3vqQ8q6BMA0GCSqGSIb3DQEBCwUAMGYxCzAJBgNV
|
|
BAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMM
|
|
T3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4w
|
|
HhcNMTQxMDIyMjE1OTUyWhcNMjQxMDE5MjE1OTUyWjBmMQswCQYDVQQGEwJLRzEL
|
|
MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t
|
|
VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMIICIjANBgkq
|
|
hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsJVPCqt3vtoDW2U0DII1QIh2Qs0dqh88
|
|
8nivxAIm2LTq93e9fJhsq3P/UVYAYSeCIrekXypR0EQgSgcNTvGBMe20BoHO5yvb
|
|
GjKPmjfLj6XRotCOGy8EDl/hLgRY9efiA8wsVfuvF2q/FblyJQPR/gPiDtTmUiqF
|
|
qXa7AJmMrqFsnWppOuGd7Qc6aTsae4TF1e/gUTCTraa7NeHowDaKhdyFmEEnCYR5
|
|
CeUsx2JlFWAH8PCrxBpHYbmGyvS0kH3+rQkaSM/Pzc2bS4ayHaOYRK5XsGq8XiNG
|
|
KTTLnSaCdPeHsI+3xMHmEh+u5Og2DFGgvyD22gde6W2ezvEKCUDrzR7bsnYqqyUy
|
|
n7LxnkPXGyvR52T06G8KzLKQRmDlPIXhzKMO07qkHmIonXTdF7YI1azwHpAtN4dS
|
|
rUe1bvjiTSoEsQPfOAyvD0RMK/CBfgEZUzAB50e/IlbZ84c0DJfUMOm4xCyft1HF
|
|
YpYeyCf5dxoIjweCPOoP426+aTXM7kqq0ieIr6YxnKV6OGGLKEY+VNZh1DS7enqV
|
|
HP5i8eimyuUYPoQhbK9xtDGMgghnc6Hn8BldPMcvz98HdTEH4rBfA3yNuCxLSNow
|
|
4jJuLjNXh2QeiUtWtkXja7ec+P7VqKTduJoRaX7cs+8E3ImigiRnvmK+npk7Nt1y
|
|
YE9hBRhSoLsCAwEAAaOB2DCB1TAdBgNVHQ4EFgQUK0DlyX319JY46S/jL9lAZMmO
|
|
BZswgZgGA1UdIwSBkDCBjYAUK0DlyX319JY46S/jL9lAZMmOBZuhaqRoMGYxCzAJ
|
|
BgNVBAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UE
|
|
ChMMT3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21h
|
|
aW6CCQChTt76kPKugTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG
|
|
9w0BAQsFAAOCAgEABc77f4C4P8fIS+V8qCJmVNSDU44UZBc+D+J6ZTgW8JeOHUIj
|
|
Bh++XDg3gwat7pIWQ8AU5R7h+fpBI9n3dadyIsMHGwSogHY9Gw7di2RVtSFajEth
|
|
rvrq0JbzpwoYedMh84sJ2qI/DGKW9/Is9+O52fR+3z3dY3gNRDPQ5675BQ5CQW9I
|
|
AJgLOqzD8Q0qrXYi7HaEqzNx6p7RDTuhFgvTd+vS5d5+28Z5fm2umnq+GKHF8W5P
|
|
ylp2Js119FTVO7brusAMKPe5emc7tC2ov8OFFemQvfHR41PLryap2VD81IOgmt/J
|
|
kX/j/y5KGux5HZ3lxXqdJbKcAq4NKYQT0mCkRD4l6szaCEJ+k0SiM9DdTcBDefhR
|
|
9q+pCOyMh7d8QjQ1075mF7T+PGkZQUW1DUjEfrZhICnKgq+iEoUmM0Ee5WtRqcnu
|
|
5BTGQ2mSfc6rV+Vr+eYXqcg7Nxb3vFXYSTod1UhefonVqwdmyJ2sC79zp36Tbo2+
|
|
65NW2WJK7KzPUyOJU0U9bcu0utvDOvGWmG+aHbymJgcoFzvZmlXqMXn97pSFn4jV
|
|
y3SLRgJXOw1QLXL2Y5abcuoBVr4gCOxxk2vBeVxOMRXNqSWZOFIF1bu/PxuDA+Sa
|
|
hEi44aHbPXt9opdssz/hdGfd8Wo7vEJrbg7c6zR6C/Akav1Rzy9oohIdgOw=
|
|
-----END CERTIFICATE-----
|