@@ -38,7 +38,6 @@ in the mbed TLS version of OpenVPN:
Plugin/Script features:
* X.509 subject line has a different format than the OpenSSL subject line
- * X.509 certificate export does not work
* X.509 certificate tracking
*************************************************************************
@@ -813,10 +813,6 @@ instances.
translations will be recorded rather than their names as denoted on the
command line or configuration file.
-:code:`peer_cert`
- Temporary file name containing the client certificate upon connection.
- Useful in conjunction with ``--tls-verify``.
-
:code:`script_context`
Set to "init" or "restart" prior to up/down script execution. For more
information, see documentation for ``--up``.
@@ -555,13 +555,6 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa
--tls-exit
Exit on TLS negotiation failure.
---tls-export-cert directory
- Store the certificates the clients use upon connection to this
- directory. This will be done before ``--tls-verify`` is called. The
- certificates will use a temporary name and will be deleted when the
- tls-verify script returns. The file name used for the certificate is
- available via the ``peer_cert`` environment variable.
-
--tls-server
Enable TLS and assume server role during TLS handshake. Note that
OpenVPN is designed as a peer-to-peer application. The designation of
@@ -3323,7 +3323,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags)
}
to.verify_command = options->tls_verify;
- to.verify_export_cert = options->tls_export_cert;
to.verify_x509_type = (options->verify_x509_type & 0xff);
to.verify_x509_name = options->verify_x509_name;
to.crl_file = options->crl_file;
@@ -638,9 +638,6 @@ static const char usage_message[] =
" tests of certification. cmd should return 0 to allow\n"
" TLS handshake to proceed, or 1 to fail. (cmd is\n"
" executed as 'cmd certificate_depth subject')\n"
- "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
- " in an openvpn temporary file in [directory]. Peer cert is \n"
- " stored before tls-verify script execution and deleted after.\n"
"--verify-x509-name name: Accept connections only from a host with X509 subject\n"
" DN name. The remote host must also pass all other tests\n"
" of verification.\n"
@@ -1989,7 +1986,6 @@ show_settings(const struct options *o)
SHOW_STR(cipher_list_tls13);
SHOW_STR(tls_cert_profile);
SHOW_STR(tls_verify);
- SHOW_STR(tls_export_cert);
SHOW_INT(verify_x509_type);
SHOW_STR(verify_x509_name);
SHOW_STR_INLINE(crl_file);
@@ -3052,7 +3048,6 @@ options_postprocess_verify_ce(const struct options *options,
MUST_BE_UNDEF(cipher_list_tls13);
MUST_BE_UNDEF(tls_cert_profile);
MUST_BE_UNDEF(tls_verify);
- MUST_BE_UNDEF(tls_export_cert);
MUST_BE_UNDEF(verify_x509_name);
MUST_BE_UNDEF(tls_timeout);
MUST_BE_UNDEF(renegotiate_bytes);
@@ -4108,8 +4103,6 @@ options_postprocess_filechecks(struct options *options)
R_OK|W_OK, "--status");
/* ** Config related ** */
- errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tls_export_cert,
- R_OK|W_OK|X_OK, "--tls-export-cert");
errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir,
R_OK|X_OK, "--client-config-dir");
errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
@@ -9005,13 +8998,6 @@ add_option(struct options *options,
string_substitute(p[1], ',', ' ', &options->gc),
"tls-verify", true);
}
-#ifndef ENABLE_CRYPTO_MBEDTLS
- else if (streq(p[0], "tls-export-cert") && p[1] && !p[2])
- {
- VERIFY_PERMISSION(OPT_P_GENERAL);
- options->tls_export_cert = p[1];
- }
-#endif
else if (streq(p[0], "compat-names"))
{
VERIFY_PERMISSION(OPT_P_GENERAL);
@@ -594,7 +594,6 @@ struct options
const char *tls_verify;
int verify_x509_type;
const char *verify_x509_name;
- const char *tls_export_cert;
const char *crl_file;
bool crl_file_inline;
@@ -334,7 +334,6 @@ struct tls_options
/* cert verification parms */
const char *verify_command;
- const char *verify_export_cert;
int verify_x509_type;
const char *verify_x509_name;
const char *crl_file;
@@ -490,81 +490,25 @@ verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es,
return SUCCESS;
}
-static const char *
-verify_cert_export_cert(openvpn_x509_cert_t *peercert, const char *tmp_dir, struct gc_arena *gc)
-{
- FILE *peercert_file;
- const char *peercert_filename = "";
-
- /* create tmp file to store peer cert */
- if (!tmp_dir
- || !(peercert_filename = platform_create_temp_file(tmp_dir, "pcf", gc)))
- {
- msg(M_NONFATAL, "Failed to create peer cert file");
- return NULL;
- }
-
- /* write peer-cert in tmp-file */
- peercert_file = fopen(peercert_filename, "w+");
- if (!peercert_file)
- {
- msg(M_NONFATAL|M_ERRNO, "Failed to open temporary file: %s",
- peercert_filename);
- return NULL;
- }
-
- if (SUCCESS != x509_write_pem(peercert_file, peercert))
- {
- msg(M_NONFATAL, "Error writing PEM file containing certificate");
- (void) platform_unlink(peercert_filename);
- peercert_filename = NULL;
- }
-
- fclose(peercert_file);
- return peercert_filename;
-}
-
-
/*
* run --tls-verify script
*/
static result_t
verify_cert_call_command(const char *verify_command, struct env_set *es,
- int cert_depth, openvpn_x509_cert_t *cert, char *subject, const char *verify_export_cert)
+ int cert_depth, openvpn_x509_cert_t *cert, char *subject)
{
- const char *tmp_file = NULL;
int ret;
struct gc_arena gc = gc_new();
struct argv argv = argv_new();
setenv_str(es, "script_type", "tls-verify");
- if (verify_export_cert)
- {
- tmp_file = verify_cert_export_cert(cert, verify_export_cert, &gc);
- if (!tmp_file)
- {
- ret = false;
- goto cleanup;
- }
- setenv_str(es, "peer_cert", tmp_file);
- }
-
argv_parse_cmd(&argv, verify_command);
argv_printf_cat(&argv, "%d %s", cert_depth, subject);
argv_msg_prefix(D_TLS_DEBUG, &argv, "TLS: executing verify command");
ret = openvpn_run_script(&argv, es, 0, "--tls-verify script");
- if (verify_export_cert)
- {
- if (tmp_file)
- {
- platform_unlink(tmp_file);
- }
- }
-
-cleanup:
gc_free(&gc);
argv_free(&argv);
@@ -783,7 +727,7 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep
/* run --tls-verify script */
if (opt->verify_command && SUCCESS != verify_cert_call_command(opt->verify_command,
- opt->es, cert_depth, cert, subject, opt->verify_export_cert))
+ opt->es, cert_depth, cert, subject))
{
goto cleanup;
}