
Re: [Openvpn-users] PKCS #12 support in OpenVPN

  • Subject: Re: [Openvpn-users] PKCS #12 support in OpenVPN
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Fri, 9 Jul 2004 19:30:37 -0500

On Friday 09 July 2004 17:58, Mathias Sundman wrote:
> On Fri, 9 Jul 2004, James Yonan wrote:
> > On Friday 09 July 2004 01:21, Mathias Sundman wrote:
> >> James, could you consider adding pkcs #12 support in OpenVPN in the
> >> future, or would that require too much work?
> >>
> >> It would simplify if you only had to specify one file containing your
> >> private key, your public key and the CA cert.
> >>
> >> I think especially about when using a GUI to create a config for you, it
> >> would be much easier for the user having to browse for only one file
> >> instead of three.
> >
> > Does OpenSSL provide pkcs #12 support?  If it did, OpenVPN's init_ssl
> > function in ssl.c would be the place to patch to add the support.
> I've done my homework now! No, OpenSSL does not natively support loading a
> .p12 file from SSL_CTX_use_PrivateKey_file(). You need to first load it
> into a PKCS12 structure and parse it with PKCS12_parse(). Then you can
> hand it over to openssl with SSL_CTX_use_PrivateKey() and
> SSL_CTX_use_certificate().
> Found some info regarding this on openssl mail-list:
> http://marc.theaimsgroup.com/?l=openssl-users&m=104792075309084&w=2
> It doesn't sound too hard. Is it something you would consider implementing
> James, or does it have really low priority?

I'd like to see this implemented, though I'm fairly busy right now with 
finalizing 2.0.  Feel free to send me a patch though.

> I think this can solve our other problem with not being able to pass the
> passphrase for the private key from a gui client to openvpn. Today, as
> I've understood it, it's the openssl library itself that asks for the
> passphrase from stdin.

No, this is done by pem_password_callback in ssl.c (in OpenVPN).

> If we first load the private key from openvpn, we 
> should be able to supply the passphrase there, and add a cmd to pass this
> over our new management interface, right?

I think the way it would work is that pem_password_callback, instead of 
calling getpass(), would send an "auth credentials needed" asynchronous 
notification to the service manager over the management socket, and then 
block until the service manager replies.  The service manager would then, in 
turn, get this info from the GUI applet and pass it back to the OpenVPN 

