On Fri, 9 Jul 2004, James Yonan wrote:
Does OpenSSL provide pkcs #12 support? If it did, OpenVPN's init_ssl function in ssl.c would be the place to patch to add the support.
1. Add an option --pkcs12 filename, which will be illegal to use in conjunction with ca, cert, key as all these should be included in the pkcs#12 file. We don't have to handle having some files in the pkcs#12 file, and some separately, do we?
2. As most of init_ssl (in ssl.c) needs to be modified I think it's easiest to copy
init_ssl (bool server, const char *ca_file, const char *dh_file, const char *cert_file, const char *priv_key_file, const char *cipher_list)
into a new function:
init_ssl_pkcs12 (bool server, const char *dh_file, const char *pkcs12_file, const char *cipher_list)
and modify it to use a pkcs#12 instead. Do you agree, or do you prefer to use an if branch inside init_ssl?
I think this can solve our other problem with not being able to pass the passphrase for the private key from a gui client to openvpn. Today, as I've understood it, it's the openssl library itself that asks for the passphrase from stdin.
I saw that after I had sent the mail. Using the PKCS method though, you supply the password as an option to PKCS12_parse() so I guess we'll have to handle it a little different in this case.
-- 
_____________________________________________________________
Mathias Sundman           (^)  ASCII Ribbon Campaign
NILINGS AB                 X   NO HTML/RTF in e-mail
Tel: +46-(0)8-666 32 28   / \  NO Word docs in e-mail