diff --git a/src/Cedar/Interop_OpenVPN.c b/src/Cedar/Interop_OpenVPN.c
index e44a4e4d..3b344c97 100644
--- a/src/Cedar/Interop_OpenVPN.c
+++ b/src/Cedar/Interop_OpenVPN.c
@@ -797,13 +797,13 @@ void OvsSetupSessionParameters(OPENVPN_SERVER *s, OPENVPN_SESSION *se, OPENVPN_C
 OvsLog(s, se, c, "LO_CLIENT_CERT", "(unknown CN)");
 }
 }
- else if (!!c->ClientCert.PreverifyErr)
+ else if (!c->ClientCert.PreverifyErr)
 {
- OvsLog(s, se, c, "LO_CLIENT_UNVERIFIED_CERT", c->ClientCert.PreverifyErrMessage);
+ OvsLog(s, se, c, "LO_CLIENT_NO_CERT");
 }
 else
 {
- OvsLog(s, se, c, "LO_CLIENT_NO_CERT");
+ OvsLog(s, se, c, "LO_CLIENT_UNVERIFIED_CERT", c->ClientCert.PreverifyErrMessage);
 }
 Zero(opt_str, sizeof(opt_str));
diff --git a/src/Cedar/Protocol.c b/src/Cedar/Protocol.c
index 2b821b0e..5421f897 100644
--- a/src/Cedar/Protocol.c
+++ b/src/Cedar/Protocol.c
@@ -2073,7 +2073,6 @@ bool ServerAccept(CONNECTION *c)
 {
 // Certificate authentication
 cert_size = PackGetDataSize(p, "cert");
-
 if (cert_size >= 1 && cert_size <= 100000)
 {
 cert_buf = ZeroMalloc(cert_size);
diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c
index 5c683a46..befe5f7c 100644
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
@@ -5822,7 +5822,6 @@ int SslCertVerifyCallback(int preverify_ok, X509_STORE_CTX *ctx)
 if (clientcert != NULL)
 {
- clientcert->PreverifyOk = preverify_ok;
 clientcert->PreverifyErr = 0;
 clientcert->PreverifyErrMessage[0] = '\0';
 if (!preverify_ok)
@@ -5845,7 +5844,7 @@ int SslCertVerifyCallback(int preverify_ok, X509_STORE_CTX *ctx)
 }
 }
- return 1;
+ return 1; /* allow the verification process to continue */
 }
 // Create a new SSL pipe
@@ -5880,7 +5879,8 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee
 SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method());
 }
- if (verify_peer) {
+ if (verify_peer)
+ {
 SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, SslCertVerifyCallback);
 }
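Review bot: The new `else if (!c->ClientCert.PreverifyErr)` branch treats a zero PreverifyErr as "no certificate presented", but the SslCertVerifyCallback hunk in Network.c on this page shows `clientcert->PreverifyErr = 0;` and `clientcert->PreverifyErrMessage[0] = '\0';` running on every invocation, and OpenSSL invokes the verify callback once per certificate in the chain, deepest first. An error recorded for an intermediate certificate is therefore wiped again when the leaf certificate passes its own checks, and this branch then logs LO_CLIENT_NO_CERT for a client that did present a certificate with a bad chain, so the audit log understates a rejected certificate as an absent one. Whether the X member stays NULL in that case cannot be seen from these hunks, so I cannot tell from here whether the authentication decision itself is affected, only the log. I would take the reset out of the callback (initialise PreverifyErr and PreverifyErrMessage once where the SslClientCertInfo is set up) and have the callback record only the first failure, `if (!preverify_ok && clientcert->PreverifyErr == 0) { /* record error */ }`. The if/else chain starts before this hunk, so the condition selecting the LO_CLIENT_CERT branch is not visible here.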
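Review bot: The comment added to `return 1;` in SslCertVerifyCallback says what the value does but not why an unconditional 1 is acceptable in a verify callback, which is the question a reader will ask because it means the TLS handshake itself never fails on a bad client certificate. The hunk lines show the function recording the outcome in clientcert, and the Interop_OpenVPN.c hunk shows OvsSetupSessionParameters choosing between certificate and password authentication from that record, so the comment should state that contract: `return 1; /* never abort the handshake here: the outcome is recorded in clientcert (PreverifyErr/PreverifyErrMessage) and the caller decides whether to fall back to password authentication */`. That wording also makes explicit that any caller of NewSslPipeEx with verify_peer set must consult the record, since SSL_VERIFY_PEER with this callback rejects nothing on its own. The body of SslCertVerifyCallback begins before this hunk.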
diff --git a/src/Mayaqua/Network.h b/src/Mayaqua/Network.h
index 5a5c1c2f..ccec80b1 100644
--- a/src/Mayaqua/Network.h
+++ b/src/Mayaqua/Network.h
@@ -1618,7 +1618,6 @@ void UnixWaitForTubes(TUBE **tubes, UINT num, UINT timeout);
 #define PREVERIFY_ERR_MESSAGE_SIZE 100
 // Info on client certificate collected during TLS handshake
 struct SslClientCertInfo {
- int PreverifyOk;
 int PreverifyErr;
 char PreverifyErrMessage[PREVERIFY_ERR_MESSAGE_SIZE];
 X *X;
diff --git a/src/bin/hamcore/strtable_tw.stb b/src/bin/hamcore/strtable_tw.stb
index 2d7453e5..3ea1364b 100644
--- a/src/bin/hamcore/strtable_tw.stb
+++ b/src/bin/hamcore/strtable_tw.stb
@@ -1812,6 +1812,9 @@ LO_PREFIX_CHANNEL OpenVPN 會話%u (%r:%u -> %r:%u) 通道 %u:
 LO_NEW_CHANNEL 已創建一個新通道。
 LO_CHANNEL_ESTABLISHED_NEWKEY 通道已建立。(觸發器: Re-key完成。)
 LO_OPTION_STR_RECV 接收到的選項字串:"%S"
+LO_CLIENT_CERT Client certificate received (subject: CN="%s"), will use certificate authentication.
+LO_CLIENT_UNVERIFIED_CERT Client certificate was provided but did not pass verification (error="%S"), will use password authentication.
+LO_CLIENT_NO_CERT Client certificate is not provided, will use password authentication.
 LO_OPTION_STR_SEND 發送選項字串:"%S"
 LO_NEW_SESSION 已創建新的會話。協議:%S
 LO_INITIATE_REKEY re-keying 進程已開始。
@@ -1908,6 +1911,7 @@ LH_AUTH_PASSWORD 密碼驗證
 LH_AUTH_PLAIN_PASSWORD 外部伺服器身份驗證
 LH_AUTH_CERT 證書驗證
 LH_AUTH_TICKET 票證驗證
+LH_AUTH_OPENVPN_CERT OpenVPN certificate authentication
 LH_AUTH_RADIUS_NOT_SUPPORT 連接 "%S": 用戶 "%S" 身份驗證方法 RADIUS 或 Active Directory (NT 域),但 VPN Server 是 "%S",因為 RADIUS 或 Active Directory (NT 域)不能使用。連接被拒絕。
 LH_AUTH_RADIUS_NOT_SUPPORT_ON_OPEN_SOURCE "%S" 的連接方法: 用戶 "%S" 的身份驗證方法被指定為 RADIUS 身份驗證或 Active Directory 身份驗證 (NT 域驗證)。然而,這樣一個外部用戶身份驗證功能尚未在 SoftEther VPN 的開源版本上實施。該連接將被拒絕。
 LH_AUTH_CERT_NOT_SUPPORT_ON_OPEN_SOURCE "%S" 的連接方法: 用戶 "%S" 的身份驗證方法被指定為證書認證。然而,證書驗證功能尚未在 SoftEther VPN 的開源版本上實施。該連接將被拒絕。
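Review bot: With PreverifyOk removed, PreverifyErr is the only field in SslClientCertInfo that records whether verification failed, and the Interop_OpenVPN.c hunk on this page also reads its zero value as "no certificate presented", so the declaration should say what the field means instead of leaving that to the call site. I would annotate the two remaining fields: `int PreverifyErr; // 0: no verification error recorded (also 0 when the peer sent no certificate); non-zero: error code stored by SslCertVerifyCallback` and `char PreverifyErrMessage[PREVERIFY_ERR_MESSAGE_SIZE]; // human-readable text for PreverifyErr, empty when PreverifyErr == 0`. The value stored on failure is set outside the visible hunks, so the "error code" wording should be confirmed against SslCertVerifyCallback before it is written. The struct definition continues past the end of this hunk.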