mirror of
https://github.com/OpenVPN/openvpn3.git
synced 2024-09-20 12:12:15 +02:00
a6b7cf458f
This patch builds on work by David Sommerseth <davids@openvpn.net> to move the PolarSSL API from polarssl-1.3 to mbedtls-2.3, which has significant differences in some areas. - Strings containing keys, certificates, CRLs, and DH parameters need to be NULL-terminated and the length argument provided to the corresponding mbedtls parse function must be able to read the NULL-terminator. These places have been modified with a '+1' to the length argument (x509cert.hpp, x509crl.hpp, dh.hpp, pkctx.hpp). - The SSL context object has been split up in mbedtls-2.3 Now many of the SSL configurations are done in a separate SSL config object, which is added to the SSL context once configured. In addition private/public keys are now stored in a separate pk_context, which is later on attached to the SSL context. Due to this, many of the calls setting either SSL configuration parameters or working with pk_contexts have been refactored. (sslctx.hpp) - The older API loading the CA chain took a hostname argument. The new API requires mbedtls_ssl_set_hostname() explicitly to be called setting hostname. Some refactoring was needed here too (sslctx.hpp). - x509_oid_get_description() is now replaced by mbedtls_oid_get_extended_key_usage(). - when mbedTLS renamed OID_CMP to MBEDTLS_OID_CMP, the return value was changed so that a return value of 0 now means equal rather than not-equal. - mbedtls/platform.h must be loaded before any other mbedtls include files (sslchoose.hpp). - All functions and macros related to mbedTLS are now prefixed with mbedtls_/MBEDTLS_ - Refactored External PKI and added some options to cli.cpp to make it easier to test that the feature still works correctly. This included removing the sig_type var and standardizing on a PKCS#1 digest prefix per RFC 3447. - Updated test keys to 2048 bits. - Updated dependency build scripts to build mbedTLS. - Enable MD4 in mbedTLS build script (needed for NTLM auth). - Use an allow-all X509 cert profile to preserve compatibility with older configs. Going forward, we will implement new options to increase strictness on minimum RSA key size and required cert signing algs. - Added human-readable reason strings that explain why a given cert in the chain wasn't accepted. - This patch doesn't rename any files or rename internal OpenVPN 3 symbols such as PolarSSLContext. This will be done in a separate commit. Signed-off-by: James Yonan <james@openvpn.net>
9 lines
424 B
Plaintext
9 lines
424 B
Plaintext
-----BEGIN DH PARAMETERS-----
|
|
MIIBCAKCAQEArdnA32xujHPlPI+jPffHSoMUZ+b5gRz1H1Lw9//Gugm5TAsRiYrB
|
|
t2BDSsMKvAjyqN+i5SJv4TOk98kRRKB27iPvyXmiL945VaDQl/UehCySjYlGFUjW
|
|
9nuo+JwQxeSbw0TLiSYoYJZQ8X1CxPl9mgJl277O4cW1Gc8I/bWa+ipU/4K5wv3h
|
|
GI8nt+6A0jN3M/KebotMP101G4k0l0qsY4oRMTmP+z3oAP0qU9NZ1jiuMFVzRlNp
|
|
5FdYF7ctrH+tBF+QmyT4SRKSED4wE4oX6gp420NaBhIEQifIj75wlMDtxQlpkN+x
|
|
QkjsEbPlaPKHGQ4uupssChVUi8IM2yq5EwIBAg==
|
|
-----END DH PARAMETERS-----
|