[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] PKCS #12 support in OpenVPN

  • Subject: Re: [Openvpn-users] PKCS #12 support in OpenVPN
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Sat, 10 Jul 2004 07:02:52 +0200 (CEST)

On Fri, 9 Jul 2004, James Yonan wrote:

Does OpenSSL provide pkcs #12 support?  If it did, OpenVPN's init_ssl
function in ssl.c would be the place to patch to add the support.

I've done my homework now! No, OpenSSL does not nativly support loading a .p12 file from SSL_CTX_use_PrivateKey_file(). You need to first load it into a PKCS12 structure and parse it with PKCS12_parse(). Then you can hand it over to openssl with SSL_CTX_use_PrivateKey() and SSL_CTX_use_certificate().

Found some info regarding this on openssl mail-list:


It doesn't sound to hard. Is it something you would consider implementing
James, or does it have really low priority?

I'd like to see this implemented, though I'm fairly busy right now with finalizing 2.0. Feel free to send me a patch though.

Okay, I'll take a closer look. I think I'll implement it by:

1. Add an option --pkcs12 filename, which will be illegal to use in conjuction with ca, cert,key as all these should be included in the pkcs#12 file. We don't have to handle having some files in the pkcs#12 file, and some seperatly, do we?

2. As most of init_ssl (in ssl.c) need to modified I think it's easiest to sopy

init_ssl (bool server,
         const char *ca_file,
         const char *dh_file,
         const char *cert_file,
         const char *priv_key_file,
         const char *cipher_list)

into a new function:

init_ssl_pkcs12 (bool server,
                const char *dh_file,
                const char *pkcs12_file,
                const char *cipher_list)

and modify it to use a pkcs#12 insted. Do you agree, or you prefer to use an if bransch inside init_ssl?

I think this can solve our other problem with not beeing able to pass the passphrase for the private key from a gui client to openvpn. Today, as I've understood it, it's the openssl library itself that asks for the passphrase from stdin.

No, this is done by pem_password_callback in ssl.c (in OpenVPN).

I saw that after I had sent the mail. Using the PKCS method though, you supply the password as an option to PKCS12_parse() so I guess we'll have to handle it a little diffrent in this case.

Mathias Sundman                  (^)   ASCII Ribbon Campaign
NILINGS AB                        X    NO HTML/RTF in e-mail
Tel: +46-(0)8-666 32 28          / \   NO Word docs in e-mail