1
0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-12-26 01:59:53 +03:00

Merge pull request #1522 from domosekai/tls

Implement complete server certificate verification
This commit is contained in:
Yihong Wu 2022-05-12 23:38:38 +08:00 committed by GitHub
commit ca996ed89a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
34 changed files with 1212 additions and 477 deletions

View File

@ -7350,6 +7350,7 @@ UINT StGetLink(ADMIN *a, RPC_CREATE_LINK *t)
Copy(&t->Policy, k->Policy, sizeof(POLICY));
t->CheckServerCert = k->CheckServerCert;
t->AddDefaultCA = k->AddDefaultCA;
t->ServerCert = CloneX(k->ServerCert);
}
Unlock(k->lock);
@ -7465,6 +7466,7 @@ UINT StSetLink(ADMIN *a, RPC_CREATE_LINK *t)
k->Option->RequireMonitorMode = false; // Disable monitor mode
k->CheckServerCert = t->CheckServerCert;
k->AddDefaultCA = t->AddDefaultCA;
k->ServerCert = CloneX(t->ServerCert);
}
Unlock(k->lock);
@ -7561,6 +7563,7 @@ UINT StCreateLink(ADMIN *a, RPC_CREATE_LINK *t)
// setting of verifying server certification
//
k->CheckServerCert = t->CheckServerCert;
k->AddDefaultCA = t->AddDefaultCA;
k->ServerCert = CloneX(t->ServerCert);
// stay this off-line
@ -13635,6 +13638,7 @@ void InRpcCreateLink(RPC_CREATE_LINK *t, PACK *p)
InRpcPolicy(&t->Policy, p);
t->CheckServerCert = PackGetBool(p, "CheckServerCert");
t->AddDefaultCA = PackGetBool(p, "AddDefaultCA");
b = PackGetBuf(p, "ServerCert");
if (b != NULL)
{
@ -13657,6 +13661,7 @@ void OutRpcCreateLink(PACK *p, RPC_CREATE_LINK *t)
OutRpcPolicy(p, &t->Policy);
PackAddBool(p, "CheckServerCert", t->CheckServerCert);
PackAddBool(p, "AddDefaultCA", t->AddDefaultCA);
if (t->ServerCert != NULL)
{
BUF *b;
@ -13702,12 +13707,14 @@ void InRpcEnumLink(RPC_ENUM_LINK *t, PACK *p)
PackGetUniStrEx(p, "AccountName", e->AccountName, sizeof(e->AccountName), i);
PackGetStrEx(p, "Hostname", e->Hostname, sizeof(e->Hostname), i);
PackGetStrEx(p, "ConnectedHubName", e->HubName, sizeof(e->HubName), i);
if (PackGetStrEx(p, "ConnectedHubName", e->HubName, sizeof(e->HubName), i) == false)
{
PackGetStrEx(p, "TargetHubName", e->HubName, sizeof(e->HubName), i);
}
e->Online = PackGetBoolEx(p, "Online", i);
e->ConnectedTime = PackGetInt64Ex(p, "ConnectedTime", i);
e->Connected = PackGetBoolEx(p, "Connected", i);
e->LastError = PackGetIntEx(p, "LastError", i);
PackGetStrEx(p, "LinkHubName", e->HubName, sizeof(e->HubName), i);
}
}
void OutRpcEnumLink(PACK *p, RPC_ENUM_LINK *t)

View File

@ -436,6 +436,7 @@ struct RPC_CREATE_LINK
CLIENT_AUTH *ClientAuth; // Client authentication data
POLICY Policy; // Policy
bool CheckServerCert; // Validate the server certificate
bool AddDefaultCA; // Use default trust store
X *ServerCert; // Server certificate
};

View File

@ -9,6 +9,7 @@
#include "Cedar.h"
#include "Command.h"
#include "Logging.h"
#include "Wpc.h"
#include "Mayaqua/Encrypt.h"
@ -19,6 +20,7 @@
#include "Mayaqua/Object.h"
#include "Mayaqua/Pack.h"
#include "Mayaqua/Str.h"
#include "Mayaqua/Table.h"
#include "Mayaqua/Tick64.h"
#include <stdlib.h>
@ -80,6 +82,9 @@ void AcWaitForRequest(AZURE_CLIENT *ac, SOCK *s, AZURE_PARAM *param)
{
SOCK *ns;
Debug("Connect Request from %r:%u\n", &client_ip, client_port);
char ipstr[128];
IPToStr(ipstr, sizeof(ipstr), &client_ip);
SLog(ac->Cedar, "LS_AZURE_START", ipstr, client_port);
// Create new socket and connect VPN Azure Server
if (ac->DDnsStatusCopy.InternetSetting.ProxyType == PROXY_DIRECT)
@ -103,7 +108,10 @@ void AcWaitForRequest(AZURE_CLIENT *ac, SOCK *s, AZURE_PARAM *param)
SetTimeout(ns, param->DataTimeout);
if (StartSSLEx(ns, NULL, NULL, 0, NULL))
UINT ssl_err = 0;
Copy(&ns->SslAcceptSettings, &ac->Cedar->SslAcceptSettings, sizeof(SSL_ACCEPT_SETTINGS));
if (StartSSLEx3(ns, NULL, NULL, NULL, 0, NULL, NULL, &ssl_err))
{
// Check certification
char server_cert_hash_str[MAX_SIZE];
@ -157,6 +165,13 @@ void AcWaitForRequest(AZURE_CLIENT *ac, SOCK *s, AZURE_PARAM *param)
}
}
}
else
{
if (ssl_err != 0)
{
SLog(ac->Cedar, "LS_AZURE_SSL_ERROR", GetUniErrorStr(ssl_err), ssl_err);
}
}
ReleaseSock(ns);
}

View File

@ -6022,6 +6022,7 @@ void CmExportAccount(HWND hWnd, wchar_t *account_name)
t.StartupAccount = a->Startup;
t.CheckServerCert = a->CheckServerCert;
t.RetryOnServerCert = a->RetryOnServerCert;
t.AddDefaultCA = a->AddDefaultCA;
t.ServerCert = a->ServerCert;
t.ClientOption->FromAdminPack = false;
@ -6161,6 +6162,7 @@ void CmImportAccountMainEx(HWND hWnd, wchar_t *filename, bool overwrite)
t->StartupAccount = get.StartupAccount;
t->CheckServerCert = get.CheckServerCert;
t->RetryOnServerCert = get.RetryOnServerCert;
t->AddDefaultCA = get.AddDefaultCA;
if (t->ServerCert != NULL)
{
FreeX(t->ServerCert);
@ -6270,6 +6272,7 @@ void CmCopyAccount(HWND hWnd, wchar_t *account_name)
}
c.CheckServerCert = a->CheckServerCert;
c.RetryOnServerCert = a->RetryOnServerCert;
c.AddDefaultCA = a->AddDefaultCA;
c.StartupAccount = false; // Don't copy the startup attribute
CALL(hWnd, CcCreateAccount(cm->Client, &c));
@ -6649,6 +6652,7 @@ void CmEditAccountDlgUpdate(HWND hWnd, CM_ACCOUNT *a)
// Host name
GetTxtA(hWnd, E_HOSTNAME, a->ClientOption->Hostname, sizeof(a->ClientOption->Hostname));
Trim(a->ClientOption->Hostname);
a->ClientOption->HintStr[0] = 0;
if (InStr(a->ClientOption->Hostname, "/tcp"))
{
@ -6685,9 +6689,13 @@ void CmEditAccountDlgUpdate(HWND hWnd, CM_ACCOUNT *a)
// To validate the server certificate
a->CheckServerCert = IsChecked(hWnd, R_CHECK_CERT);
// Trust default CA list
a->AddDefaultCA = IsChecked(hWnd, R_TRUST_DEFAULT);
if (a->NatMode)
{
Disable(hWnd, R_CHECK_CERT);
Disable(hWnd, R_TRUST_DEFAULT);
Disable(hWnd, B_TRUST);
}
@ -7030,6 +7038,7 @@ void CmEditAccountDlgUpdate(HWND hWnd, CM_ACCOUNT *a)
SetEnable(hWnd, S_STATIC7, false);
SetEnable(hWnd, S_STATIC11, false);
SetEnable(hWnd, R_CHECK_CERT, false);
SetEnable(hWnd, R_TRUST_DEFAULT, false);
SetEnable(hWnd, B_TRUST, false);
SetEnable(hWnd, B_SERVER_CERT, false);
SetEnable(hWnd, B_VIEW_SERVER_CERT, false);
@ -7091,10 +7100,17 @@ void CmEditAccountDlgInit(HWND hWnd, CM_ACCOUNT *a)
SetText(hWnd, E_ACCOUNT_NAME, a->ClientOption->AccountName);
// Host name
SetTextA(hWnd, E_HOSTNAME, a->ClientOption->Hostname);
StrCpy(a->old_server_name, sizeof(a->old_server_name), a->ClientOption->Hostname);
char hostname[MAX_SIZE];
StrCpy(hostname, sizeof(hostname), a->ClientOption->Hostname);
if (IsEmptyStr(a->ClientOption->HintStr) == false)
{
StrCat(hostname, sizeof(hostname), "/");
StrCat(hostname, sizeof(hostname), a->ClientOption->HintStr);
}
SetTextA(hWnd, E_HOSTNAME, hostname);
StrCpy(a->old_server_name, sizeof(a->old_server_name), hostname);
if (InStr(a->ClientOption->Hostname, "/tcp"))
if (InStr(hostname, "/tcp"))
{
Check(hWnd, R_DISABLE_NATT, true);
}
@ -7124,6 +7140,9 @@ void CmEditAccountDlgInit(HWND hWnd, CM_ACCOUNT *a)
// Verify the server certificate
Check(hWnd, R_CHECK_CERT, a->CheckServerCert);
// Trust default CA list
Check(hWnd, R_TRUST_DEFAULT, a->AddDefaultCA);
// LAN card list
if (a->NatMode == false && a->LinkMode == false)
{
@ -7356,6 +7375,7 @@ UINT CmEditAccountDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, voi
case R_HTTPS:
case R_SOCKS:
case R_CHECK_CERT:
case R_TRUST_DEFAULT:
case C_TYPE:
case E_USERNAME:
case E_PASSWORD:
@ -8762,6 +8782,7 @@ void CmEditAccountDlgOnOk(HWND hWnd, CM_ACCOUNT *a)
Copy(c.ClientOption, a->ClientOption, sizeof(CLIENT_OPTION));
c.ClientAuth = CopyClientAuth(a->ClientAuth);
c.CheckServerCert = a->CheckServerCert;
c.AddDefaultCA = a->AddDefaultCA;
if (a->ServerCert != NULL)
{
c.ServerCert = CloneX(a->ServerCert);
@ -8815,6 +8836,7 @@ void CmEditAccountDlgOnOk(HWND hWnd, CM_ACCOUNT *a)
Copy(t.ClientOption, a->ClientOption, sizeof(CLIENT_OPTION));
t.ClientAuth = CopyClientAuth(a->ClientAuth);
t.CheckServerCert = a->CheckServerCert;
t.AddDefaultCA = a->AddDefaultCA;
t.ServerCert = CloneX(a->ServerCert);
// Save the settings for cascade connection
@ -9007,6 +9029,7 @@ CM_ACCOUNT *CmGetExistAccountObject(HWND hWnd, wchar_t *account_name)
a->EditMode = true;
a->CheckServerCert = c.CheckServerCert;
a->RetryOnServerCert = c.RetryOnServerCert;
a->AddDefaultCA = c.AddDefaultCA;
a->Startup = c.StartupAccount;
if (c.ServerCert != NULL)
{
@ -9037,6 +9060,7 @@ CM_ACCOUNT *CmCreateNewAccountObject(HWND hWnd)
a->EditMode = false;
a->CheckServerCert = false;
a->RetryOnServerCert = false;
a->AddDefaultCA = false;
a->Startup = false;
a->ClientOption = ZeroMalloc(sizeof(CLIENT_OPTION));
@ -9552,7 +9576,11 @@ void CmPrintStatusToListViewEx(LVB *b, RPC_CLIENT_GET_CONNECTION_STATUS *s, bool
}
else
{
if (StrLen(s->CipherName) != 0)
if (StrLen(s->CipherName) != 0 && StrLen(s->ProtocolName) != 0)
{
UniFormat(tmp, sizeof(tmp), _UU("CM_ST_USE_ENCRYPT_TRUE3"), s->ProtocolName, s->CipherName);
}
else if (StrLen(s->CipherName) != 0)
{
UniFormat(tmp, sizeof(tmp), _UU("CM_ST_USE_ENCRYPT_TRUE"), s->CipherName);
}

View File

@ -140,6 +140,7 @@ typedef struct CM_ACCOUNT
bool Startup; // Startup account
bool CheckServerCert; // Check the server certificate
bool RetryOnServerCert; // Retry on invalid server certificate
bool AddDefaultCA; // Use default trust store
X *ServerCert; // Server certificate
char old_server_name[MAX_HOST_NAME_LEN + 1]; // Old server name
bool Inited; // Initialization flag

View File

@ -869,6 +869,10 @@
#define ERR_VPNGATE_INCLIENT_CANT_STOP 146 // Can not be stopped if operating within VPN Client mode
#define ERR_NOT_SUPPORTED_FUNCTION_ON_OPENSOURCE 147 // It is a feature that is not supported in the open source version
#define ERR_SUSPENDING 148 // System is suspending
#define ERR_HOSTNAME_MISMATCH 149 // SSL hostname mismatch
#define ERR_SSL_PROTOCOL_VERSION 150 // SSL version not supported
#define ERR_SSL_SHARED_CIPHER 151 // Can't find common cipher
#define ERR_SSL_HANDSHAKE 152 // Other SSL handshake error
////////////////////////////

View File

@ -1957,6 +1957,7 @@ RPC_CLIENT_CREATE_ACCOUNT *CiCfgToAccount(BUF *b)
t->StartupAccount = a->StartupAccount;
t->CheckServerCert = a->CheckServerCert;
t->RetryOnServerCert = a->RetryOnServerCert;
t->AddDefaultCA = a->AddDefaultCA;
t->ServerCert = a->ServerCert;
Free(a);
@ -1981,6 +1982,7 @@ BUF *CiAccountToCfg(RPC_CLIENT_CREATE_ACCOUNT *t)
a.ClientAuth = t->ClientAuth;
a.CheckServerCert = t->CheckServerCert;
a.RetryOnServerCert = t->RetryOnServerCert;
a.AddDefaultCA = t->AddDefaultCA;
a.ServerCert = t->ServerCert;
a.StartupAccount = t->StartupAccount;
@ -4315,6 +4317,13 @@ void InRpcClientOption(CLIENT_OPTION *c, PACK *p)
PackGetUniStr(p, "AccountName", c->AccountName, sizeof(c->AccountName));
PackGetStr(p, "Hostname", c->Hostname, sizeof(c->Hostname));
// Extract hint string from hostname
UINT i = SearchStrEx(c->Hostname, "/", 0, false);
if (i != INFINITE)
{
StrCpy(c->HintStr, sizeof(c->HintStr), c->Hostname + i + 1);
c->Hostname[i] = 0;
}
c->Port = PackGetInt(p, "Port");
c->PortUDP = PackGetInt(p, "PortUDP");
c->ProxyType = PackGetInt(p, "ProxyType");
@ -4352,7 +4361,20 @@ void OutRpcClientOption(PACK *p, CLIENT_OPTION *c)
}
PackAddUniStr(p, "AccountName", c->AccountName);
PackAddStr(p, "Hostname", c->Hostname);
// Append hint string to hostname
if (IsEmptyStr(c->HintStr))
{
// No hint
PackAddStr(p, "Hostname", c->Hostname);
}
else
{
char hostname[MAX_SIZE];
StrCpy(hostname, sizeof(hostname), c->Hostname);
StrCat(hostname, sizeof(hostname), "/");
StrCat(hostname, sizeof(hostname), c->HintStr);
PackAddStr(p, "Hostname", hostname);
}
PackAddStr(p, "ProxyName", c->ProxyName);
PackAddStr(p, "ProxyUsername", c->ProxyUsername);
PackAddStr(p, "ProxyPassword", c->ProxyPassword);
@ -4522,6 +4544,7 @@ void InRpcClientCreateAccount(RPC_CLIENT_CREATE_ACCOUNT *c, PACK *p)
c->StartupAccount = PackGetInt(p, "StartupAccount") ? true : false;
c->CheckServerCert = PackGetInt(p, "CheckServerCert") ? true : false;
c->RetryOnServerCert = PackGetInt(p, "RetryOnServerCert") ? true : false;
c->AddDefaultCA = PackGetInt(p, "AddDefaultCA") ? true : false;
b = PackGetBuf(p, "ServerCert");
if (b != NULL)
{
@ -4545,6 +4568,7 @@ void OutRpcClientCreateAccount(PACK *p, RPC_CLIENT_CREATE_ACCOUNT *c)
PackAddInt(p, "StartupAccount", c->StartupAccount);
PackAddInt(p, "CheckServerCert", c->CheckServerCert);
PackAddInt(p, "RetryOnServerCert", c->RetryOnServerCert);
PackAddInt(p, "AddDefaultCA", c->AddDefaultCA);
if (c->ServerCert != NULL)
{
b = XToBuf(c->ServerCert, false);
@ -4695,6 +4719,7 @@ void InRpcClientGetAccount(RPC_CLIENT_GET_ACCOUNT *c, PACK *p)
c->StartupAccount = PackGetInt(p, "StartupAccount") ? true : false;
c->CheckServerCert = PackGetInt(p, "CheckServerCert") ? true : false;
c->RetryOnServerCert = PackGetInt(p, "RetryOnServerCert") ? true : false;
c->AddDefaultCA = PackGetInt(p, "AddDefaultCA") ? true : false;
b = PackGetBuf(p, "ServerCert");
if (b != NULL)
{
@ -4724,6 +4749,7 @@ void OutRpcClientGetAccount(PACK *p, RPC_CLIENT_GET_ACCOUNT *c)
PackAddInt(p, "StartupAccount", c->StartupAccount);
PackAddInt(p, "CheckServerCert", c->CheckServerCert);
PackAddInt(p, "RetryOnServerCert", c->RetryOnServerCert);
PackAddInt(p, "AddDefaultCA", c->AddDefaultCA);
if (c->ServerCert != NULL)
{
@ -4810,6 +4836,7 @@ void InRpcClientGetConnectionStatus(RPC_CLIENT_GET_CONNECTION_STATUS *s, PACK *p
PackGetStr(p, "ServerName", s->ServerName, sizeof(s->ServerName));
PackGetStr(p, "ServerProductName", s->ServerProductName, sizeof(s->ServerProductName));
PackGetStr(p, "ProtocolVersion", s->ProtocolName, sizeof(s->ProtocolName));
PackGetStr(p, "CipherName", s->CipherName, sizeof(s->CipherName));
PackGetStr(p, "SessionName", s->SessionName, sizeof(s->SessionName));
PackGetStr(p, "ConnectionName", s->ConnectionName, sizeof(s->ConnectionName));
@ -4886,6 +4913,7 @@ void OutRpcClientGetConnectionStatus(PACK *p, RPC_CLIENT_GET_CONNECTION_STATUS *
PackAddStr(p, "ServerName", c->ServerName);
PackAddStr(p, "ServerProductName", c->ServerProductName);
PackAddStr(p, "ProtocolVersion", c->ProtocolName);
PackAddStr(p, "CipherName", c->CipherName);
PackAddStr(p, "SessionName", c->SessionName);
PackAddStr(p, "ConnectionName", c->ConnectionName);
@ -5840,6 +5868,7 @@ void CiGetSessionStatus(RPC_CLIENT_GET_CONNECTION_STATUS *st, SESSION *s)
if (st->UseEncrypt)
{
StrCpy(st->CipherName, sizeof(st->CipherName), s->Connection->CipherName);
StrCpy(st->ProtocolName, sizeof(st->ProtocolName), s->Connection->SslVersion);
}
// Use of compression
st->UseCompress = s->UseCompress;
@ -6449,9 +6478,9 @@ bool CtConnect(CLIENT *c, RPC_CLIENT_CONNECT *connect)
// Register a procedure for secure device authentication
r->ClientAuth->SecureSignProc = CiSecureSignProc;
}
else if (r->ClientAuth->AuthType == CLIENT_AUTHTYPE_OPENSSLENGINE)
else if (r->ClientAuth->AuthType == CLIENT_AUTHTYPE_OPENSSLENGINE)
{
/* r->ClientAuth->ClientK = OpensslEngineToK("asdf"); */
/* r->ClientAuth->ClientK = OpensslEngineToK("asdf"); */
r->ClientAuth->SecureSignProc = NULL;
}
else
@ -6599,6 +6628,9 @@ bool CtGetAccount(CLIENT *c, RPC_CLIENT_GET_ACCOUNT *a)
Lock(r->lock);
{
// Copy account name (restore the correct case)
UniStrCpy(a->AccountName, sizeof(a->AccountName), r->ClientOption->AccountName);
// Copy the client option
if (a->ClientOption != NULL)
{
@ -6618,6 +6650,7 @@ bool CtGetAccount(CLIENT *c, RPC_CLIENT_GET_ACCOUNT *a)
a->CheckServerCert = r->CheckServerCert;
a->RetryOnServerCert = r->RetryOnServerCert;
a->AddDefaultCA = r->AddDefaultCA;
a->ServerCert = NULL;
if (r->ServerCert != NULL)
{
@ -7029,6 +7062,12 @@ bool CtEnumAccount(CLIENT *c, RPC_CLIENT_ENUM_ACCOUNT *e)
// Server name
StrCpy(item->ServerName, sizeof(item->ServerName), a->ClientOption->Hostname);
// Append hint string to hostname
if (IsEmptyStr(a->ClientOption->HintStr) == false)
{
StrCat(item->ServerName, sizeof(item->ServerName), "/");
StrCat(item->ServerName, sizeof(item->ServerName), a->ClientOption->HintStr);
}
// Proxy type
item->ProxyType = a->ClientOption->ProxyType;
@ -7146,6 +7185,7 @@ bool CtSetAccount(CLIENT *c, RPC_CLIENT_CREATE_ACCOUNT *a, bool inner)
ret->CheckServerCert = a->CheckServerCert;
ret->RetryOnServerCert = a->RetryOnServerCert;
ret->AddDefaultCA = a->AddDefaultCA;
if (a->ServerCert != NULL)
{
@ -7245,6 +7285,7 @@ bool CtCreateAccount(CLIENT *c, RPC_CLIENT_CREATE_ACCOUNT *a, bool inner)
new_account->CheckServerCert = a->CheckServerCert;
new_account->RetryOnServerCert = a->RetryOnServerCert;
new_account->AddDefaultCA = a->AddDefaultCA;
if (a->ServerCert != NULL)
{
new_account->ServerCert = CloneX(a->ServerCert);
@ -9221,6 +9262,13 @@ CLIENT_OPTION *CiLoadClientOption(FOLDER *f)
CfgGetUniStr(f, "AccountName", o->AccountName, sizeof(o->AccountName));
CfgGetStr(f, "Hostname", o->Hostname, sizeof(o->Hostname));
// Extract hint string from hostname
UINT i = SearchStrEx(o->Hostname, "/", 0, false);
if (i != INFINITE)
{
StrCpy(o->HintStr, sizeof(o->HintStr), o->Hostname + i + 1);
o->Hostname[i] = 0;
}
o->Port = CfgGetInt(f, "Port");
o->PortUDP = CfgGetInt(f, "PortUDP");
o->ProxyType = CfgGetInt(f, "ProxyType");
@ -9302,6 +9350,7 @@ ACCOUNT *CiLoadClientAccount(FOLDER *f)
a->StartupAccount = CfgGetBool(f, "StartupAccount");
a->CheckServerCert = CfgGetBool(f, "CheckServerCert");
a->RetryOnServerCert = CfgGetBool(f, "RetryOnServerCert");
a->AddDefaultCA = CfgGetBool(f, "AddDefaultCA");
a->CreateDateTime = CfgGetInt64(f, "CreateDateTime");
a->UpdateDateTime = CfgGetInt64(f, "UpdateDateTime");
a->LastConnectDateTime = CfgGetInt64(f, "LastConnectDateTime");
@ -9763,7 +9812,20 @@ void CiWriteClientOption(FOLDER *f, CLIENT_OPTION *o)
}
CfgAddUniStr(f, "AccountName", o->AccountName);
CfgAddStr(f, "Hostname", o->Hostname);
// Append hint string to hostname
if (IsEmptyStr(o->HintStr))
{
// No hint
CfgAddStr(f, "Hostname", o->Hostname);
}
else
{
char hostname[MAX_SIZE];
StrCpy(hostname, sizeof(hostname), o->Hostname);
StrCat(hostname, sizeof(hostname), "/");
StrCat(hostname, sizeof(hostname), o->HintStr);
CfgAddStr(f, "Hostname", hostname);
}
CfgAddInt(f, "Port", o->Port);
CfgAddInt(f, "PortUDP", o->PortUDP);
CfgAddInt(f, "ProxyType", o->ProxyType);
@ -9927,6 +9989,9 @@ void CiWriteAccountData(FOLDER *f, ACCOUNT *a)
// Retry on invalid server certificate flag
CfgAddBool(f, "RetryOnServerCert", a->RetryOnServerCert);
// Add default SSL trust store
CfgAddBool(f, "AddDefaultCA", a->AddDefaultCA);
// Date and time
CfgAddInt64(f, "CreateDateTime", a->CreateDateTime);
CfgAddInt64(f, "UpdateDateTime", a->UpdateDateTime);

View File

@ -61,6 +61,7 @@ struct ACCOUNT
CLIENT_AUTH *ClientAuth; // Client authentication data
bool CheckServerCert; // Check the server certificate
bool RetryOnServerCert; // Retry on invalid server certificate
bool AddDefaultCA; // Use default trust store
X *ServerCert; // Server certificate
bool StartupAccount; // Start-up account
UCHAR ShortcutKey[SHA1_SIZE]; // Key
@ -239,6 +240,7 @@ struct RPC_CLIENT_CREATE_ACCOUNT
bool StartupAccount; // Startup account
bool CheckServerCert; // Checking of the server certificate
bool RetryOnServerCert; // Retry on invalid server certificate
bool AddDefaultCA; // Use default trust store
X *ServerCert; // Server certificate
UCHAR ShortcutKey[SHA1_SIZE]; // Shortcut Key
};
@ -292,6 +294,7 @@ struct RPC_CLIENT_GET_ACCOUNT
bool StartupAccount; // Startup account
bool CheckServerCert; // Check the server certificate
bool RetryOnServerCert; // Retry on invalid server certificate
bool AddDefaultCA; // Use default trust store
X *ServerCert; // Server certificate
UCHAR ShortcutKey[SHA1_SIZE]; // Shortcut Key
UINT64 CreateDateTime; // Creation date and time (Ver 3.0 or later)

View File

@ -3109,6 +3109,8 @@ void PcMain(PC *pc)
{"AccountServerCertDisable", PcAccountServerCertDisable},
{"AccountRetryOnServerCertEnable", PcAccountRetryOnServerCertEnable},
{"AccountRetryOnServerCertDisable", PcAccountRetryOnServerCertDisable},
{"AccountDefaultCAEnable", PcAccountDefaultCAEnable},
{"AccountDefaultCADisable", PcAccountDefaultCADisable},
{"AccountServerCertSet", PcAccountServerCertSet},
{"AccountServerCertDelete", PcAccountServerCertDelete},
{"AccountServerCertGet", PcAccountServerCertGet},
@ -4293,6 +4295,26 @@ UINT PcAccountCreate(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
return ret;
}
// Setup a RPC_CLIENT_CREATE_ACCOUNT from a RPC_CLIENT_GET_ACCOUNT
void SetRpcClientCreateAccountFromGetAccount(RPC_CLIENT_CREATE_ACCOUNT *c, RPC_CLIENT_GET_ACCOUNT *t)
{
if (c == NULL || t == NULL)
{
return;
}
Zero(c, sizeof(RPC_CLIENT_CREATE_ACCOUNT));
// Copy reference
c->ClientAuth = t->ClientAuth;
c->ClientOption = t->ClientOption;
c->CheckServerCert = t->CheckServerCert;
c->RetryOnServerCert = t->RetryOnServerCert;
c->AddDefaultCA = t->AddDefaultCA;
c->ServerCert = t->ServerCert;
c->StartupAccount = t->StartupAccount;
}
// Set the destination of the connection settings
UINT PcAccountSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
{
@ -4333,16 +4355,10 @@ UINT PcAccountSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
// Success
t.ClientOption->Port = port;
StrCpy(t.ClientOption->Hostname, sizeof(t.ClientOption->Hostname), host);
t.ClientOption->HintStr[0] = 0;
StrCpy(t.ClientOption->HubName, sizeof(t.ClientOption->HubName), GetParamStr(o, "HUB"));
Zero(&c, sizeof(c));
c.ClientAuth = t.ClientAuth;
c.ClientOption = t.ClientOption;
c.CheckServerCert = t.CheckServerCert;
c.RetryOnServerCert = t.RetryOnServerCert;
c.ServerCert = t.ServerCert;
c.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&c, &t);
ret = CcSetAccount(pc->RemoteClient, &c);
}
@ -4400,7 +4416,18 @@ UINT PcAccountGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_NAME"), t.ClientOption->AccountName);
// Host name of the destination VPN Server
StrToUni(tmp, sizeof(tmp), t.ClientOption->Hostname);
if (IsEmptyStr(t.ClientOption->HintStr))
{
StrToUni(tmp, sizeof(tmp), t.ClientOption->Hostname);
}
else
{
char hostname[MAX_SIZE];
StrCpy(hostname, sizeof(hostname), t.ClientOption->Hostname);
StrCat(hostname, sizeof(hostname), "/");
StrCat(hostname, sizeof(hostname), t.ClientOption->HintStr);
StrToUni(tmp, sizeof(tmp), hostname);
}
CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_HOSTNAME"), tmp);
// The port number to connect to VPN Server
@ -4444,6 +4471,8 @@ UINT PcAccountGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
{
CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT"),
t.RetryOnServerCert ? _UU("CMD_MSG_ENABLE") : _UU("CMD_MSG_DISABLE"));
CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA"),
t.AddDefaultCA ? _UU("CMD_MSG_ENABLE") : _UU("CMD_MSG_DISABLE"));
}
// Device name to be used for the connection
@ -4618,13 +4647,7 @@ UINT PcAccountUsernameSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
c->Write(c, _UU("CMD_AccountUsername_Notice"));
}
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -4676,13 +4699,7 @@ UINT PcAccountAnonymousSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param
// Change the settings
t.ClientAuth->AuthType = CLIENT_AUTHTYPE_ANONYMOUS;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -4758,13 +4775,7 @@ UINT PcAccountPasswordSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
if (ret == ERR_NO_ERROR)
{
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -4837,13 +4848,7 @@ UINT PcAccountCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
t.ClientAuth->ClientX = CloneX(x);
t.ClientAuth->ClientK = CloneK(k);
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -4958,13 +4963,7 @@ UINT PcAccountEncryptDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *par
// Change the settings
t.ClientOption->UseEncrypt = false;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5016,13 +5015,7 @@ UINT PcAccountEncryptEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *para
// Change the settings
t.ClientOption->UseEncrypt = true;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5074,13 +5067,7 @@ UINT PcAccountCompressEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *par
// Change the settings
t.ClientOption->UseCompress = true;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5132,13 +5119,7 @@ UINT PcAccountCompressDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *pa
// Change the settings
t.ClientOption->UseCompress = false;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5213,13 +5194,7 @@ UINT PcAccountHttpHeaderAdd(CONSOLE *c, char *cmd_name, wchar_t *str, void *para
if ((StrLen(s) + StrLen(t.ClientOption->CustomHttpHeader)) < sizeof(t.ClientOption->CustomHttpHeader)) {
StrCat(t.ClientOption->CustomHttpHeader, sizeof(s), s);
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5284,13 +5259,7 @@ UINT PcAccountHttpHeaderDelete(CONSOLE *c, char *cmd_name, wchar_t *str, void *p
RPC_CLIENT_CREATE_ACCOUNT z;
char *value = GetParamStr(o, "NAME");
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
Zero(z.ClientOption->CustomHttpHeader, sizeof(z.ClientOption->CustomHttpHeader));
@ -5410,13 +5379,7 @@ UINT PcAccountProxyNone(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
// Change the settings
t.ClientOption->ProxyType = PROXY_DIRECT;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5482,13 +5445,7 @@ UINT PcAccountProxyHttp(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
Free(host);
}
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5554,13 +5511,7 @@ UINT PcAccountProxySocks(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
Free(host);
}
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5626,13 +5577,7 @@ UINT PcAccountProxySocks5(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
Free(host);
}
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5684,13 +5629,7 @@ UINT PcAccountServerCertEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *p
// Change the settings
t.CheckServerCert = true;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5742,13 +5681,7 @@ UINT PcAccountServerCertDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *
// Change the settings
t.CheckServerCert = false;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5800,13 +5733,7 @@ UINT PcAccountRetryOnServerCertEnable(CONSOLE *c, char *cmd_name, wchar_t *str,
// Change the settings
t.RetryOnServerCert = true;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5858,13 +5785,111 @@ UINT PcAccountRetryOnServerCertDisable(CONSOLE *c, char *cmd_name, wchar_t *str,
// Change the settings
t.RetryOnServerCert = false;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
if (ret != ERR_NO_ERROR)
{
// Error has occurred
CmdPrintError(c, ret);
}
CiFreeClientGetAccount(&t);
// Release of the parameter list
FreeParamValueList(o);
return ret;
}
// Enable trusting default CA list
UINT PcAccountDefaultCAEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
{
LIST *o;
PC *pc = (PC *)param;
UINT ret = ERR_NO_ERROR;
RPC_CLIENT_GET_ACCOUNT t;
// Parameter list that can be specified
PARAM args[] =
{
{"[name]", CmdPrompt, _UU("CMD_AccountCreate_Prompt_Name"), CmdEvalNotEmpty, NULL},
};
// Get the parameter list
o = ParseCommandList(c, cmd_name, str, args, sizeof(args) / sizeof(args[0]));
if (o == NULL)
{
return ERR_INVALID_PARAMETER;
}
// RPC call
Zero(&t, sizeof(t));
UniStrCpy(t.AccountName, sizeof(t.AccountName), GetParamUniStr(o, "[name]"));
ret = CcGetAccount(pc->RemoteClient, &t);
if (ret == ERR_NO_ERROR)
{
RPC_CLIENT_CREATE_ACCOUNT z;
// Change the settings
t.AddDefaultCA = true;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
if (ret != ERR_NO_ERROR)
{
// Error has occurred
CmdPrintError(c, ret);
}
CiFreeClientGetAccount(&t);
// Release of the parameter list
FreeParamValueList(o);
return ret;
}
// Disable trusting default CA list
UINT PcAccountDefaultCADisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
{
LIST *o;
PC *pc = (PC *)param;
UINT ret = ERR_NO_ERROR;
RPC_CLIENT_GET_ACCOUNT t;
// Parameter list that can be specified
PARAM args[] =
{
{"[name]", CmdPrompt, _UU("CMD_AccountCreate_Prompt_Name"), CmdEvalNotEmpty, NULL},
};
// Get the parameter list
o = ParseCommandList(c, cmd_name, str, args, sizeof(args) / sizeof(args[0]));
if (o == NULL)
{
return ERR_INVALID_PARAMETER;
}
// RPC call
Zero(&t, sizeof(t));
UniStrCpy(t.AccountName, sizeof(t.AccountName), GetParamUniStr(o, "[name]"));
ret = CcGetAccount(pc->RemoteClient, &t);
if (ret == ERR_NO_ERROR)
{
RPC_CLIENT_CREATE_ACCOUNT z;
// Change the settings
t.AddDefaultCA = false;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5930,13 +5955,7 @@ UINT PcAccountServerCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *para
}
t.ServerCert = CloneX(x);
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5994,13 +6013,7 @@ UINT PcAccountServerCertDelete(CONSOLE *c, char *cmd_name, wchar_t *str, void *p
}
t.ServerCert = NULL;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -6049,23 +6062,20 @@ UINT PcAccountServerCertGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *para
if (ret == ERR_NO_ERROR)
{
RPC_CLIENT_CREATE_ACCOUNT z;
// Change the settings
if (t.ServerCert != NULL)
// Save the certificate
if (t.ServerCert == NULL)
{
FreeX(t.ServerCert);
c->Write(c, _UU("CMD_CERT_NOT_EXISTS"));
ret = ERR_INTERNAL_ERROR;
}
else
{
if (XToFileW(t.ServerCert, GetParamUniStr(o, "SAVECERT"), true) == false)
{
c->Write(c, _UU("CMD_SAVECERT_FAILED"));
ret = ERR_INTERNAL_ERROR;
}
}
t.ServerCert = NULL;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
ret = CcSetAccount(pc->RemoteClient, &z);
}
if (ret != ERR_NO_ERROR)
@ -6140,12 +6150,7 @@ UINT PcAccountDetailSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
t.ClientOption->DisableQoS = GetParamYes(o, "NOQOS");
t.ClientOption->NoUdpAcceleration = GetParamYes(o, "DISABLEUDP");
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -6388,14 +6393,7 @@ UINT PcAccountNicSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
StrCpy(t.ClientOption->DeviceName, sizeof(t.ClientOption->DeviceName),
GetParamStr(o, "NICNAME"));
Zero(&c, sizeof(c));
c.ClientAuth = t.ClientAuth;
c.ClientOption = t.ClientOption;
c.CheckServerCert = t.CheckServerCert;
c.RetryOnServerCert = t.RetryOnServerCert;
c.ServerCert = t.ServerCert;
c.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&c, &t);
ret = CcSetAccount(pc->RemoteClient, &c);
}
@ -6447,13 +6445,7 @@ UINT PcAccountStatusShow(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
// Change the settings
t.ClientOption->HideStatusWindow = false;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -6505,13 +6497,7 @@ UINT PcAccountStatusHide(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
// Change the settings
t.ClientOption->HideStatusWindow = true;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -6569,13 +6555,7 @@ UINT PcAccountSecureCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *para
StrCpy(t.ClientAuth->SecurePrivateKeyName, sizeof(t.ClientAuth->SecurePrivateKeyName),
GetParamStr(o, "KEYNAME"));
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -6627,24 +6607,19 @@ UINT PcAccountOpensslEngineCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, voi
{
RPC_CLIENT_CREATE_ACCOUNT z;
t.ClientAuth->AuthType = CLIENT_AUTHTYPE_OPENSSLENGINE;
X *x;
x = FileToXW(GetParamUniStr(o, "LOADCERT"));
if (x == NULL)
{
X *x;
x = FileToXW(GetParamUniStr(o, "LOADCERT"));
if (x == NULL)
{
c->Write(c, _UU("CMD_LOADCERT_FAILED"));
}
}
StrCpy(t.ClientAuth->OpensslEnginePrivateKeyName, sizeof(t.ClientAuth->OpensslEnginePrivateKeyName),
GetParamStr(o, "KEYNAME"));
StrCpy(t.ClientAuth->OpensslEngineName, sizeof(t.ClientAuth->OpensslEngineName),
GetParamStr(o, "ENGINENAME"));
t.ClientAuth->ClientX = CloneX(x);
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -6709,13 +6684,7 @@ UINT PcAccountRetrySet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
t.ClientOption->NumRetry = (num == 999) ? INFINITE : num;
t.ClientOption->RetryInterval = interval;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -6768,13 +6737,7 @@ UINT PcAccountStartupSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
// Change the settings
t.StartupAccount = true;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -6826,13 +6789,7 @@ UINT PcAccountStartupRemove(CONSOLE *c, char *cmd_name, wchar_t *str, void *para
// Change the settings
t.StartupAccount = false;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -6889,12 +6846,7 @@ UINT PcAccountExport(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
UINT buf_size;
UCHAR bom[] = {0xef, 0xbb, 0xbf, };
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
b = CiAccountToCfg(&z);
@ -7698,6 +7650,8 @@ void PsMain(PS *ps)
{"CascadeProxySocks5", PsCascadeProxySocks5},
{"CascadeServerCertEnable", PsCascadeServerCertEnable},
{"CascadeServerCertDisable", PsCascadeServerCertDisable},
{"CascadeDefaultCAEnable", PsCascadeDefaultCAEnable},
{"CascadeDefaultCADisable", PsCascadeDefaultCADisable},
{"CascadeServerCertSet", PsCascadeServerCertSet},
{"CascadeServerCertDelete", PsCascadeServerCertDelete},
{"CascadeServerCertGet", PsCascadeServerCertGet},
@ -13117,6 +13071,7 @@ UINT PsCascadeSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
t.ClientOption->Port = port;
StrCpy(t.ClientOption->Hostname, sizeof(t.ClientOption->Hostname), host);
t.ClientOption->HintStr[0] = 0;
StrCpy(t.ClientOption->HubName, sizeof(t.ClientOption->HubName), GetParamStr(o, "HUB"));
Free(host);
@ -13223,7 +13178,18 @@ UINT PsCascadeGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_NAME"), t.ClientOption->AccountName);
// Host name of the destination VPN Server
StrToUni(tmp, sizeof(tmp), t.ClientOption->Hostname);
if (IsEmptyStr(t.ClientOption->HintStr))
{
StrToUni(tmp, sizeof(tmp), t.ClientOption->Hostname);
}
else
{
char hostname[MAX_SIZE];
StrCpy(hostname, sizeof(hostname), t.ClientOption->Hostname);
StrCat(hostname, sizeof(hostname), "/");
StrCat(hostname, sizeof(hostname), t.ClientOption->HintStr);
StrToUni(tmp, sizeof(tmp), hostname);
}
CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_HOSTNAME"), tmp);
// The port number to connect to VPN Server
@ -13263,6 +13229,12 @@ UINT PsCascadeGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME"), tmp);
}
if (t.CheckServerCert)
{
CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA"),
t.AddDefaultCA ? _UU("CMD_MSG_ENABLE") : _UU("CMD_MSG_DISABLE"));
}
// Device name to be used for the connection
StrToUni(tmp, sizeof(tmp), t.ClientOption->DeviceName);
CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_DEVICE_NAME"), tmp);
@ -14681,6 +14653,134 @@ UINT PsCascadeServerCertDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *
return 0;
}
// Enable trusting default CA list for cascade connection
UINT PsCascadeDefaultCAEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
{
LIST *o;
PS *ps = (PS *)param;
UINT ret = 0;
RPC_CREATE_LINK t;
// Parameter list that can be specified
PARAM args[] =
{
// "name", prompt_proc, prompt_param, eval_proc, eval_param
{"[name]", CmdPrompt, _UU("CMD_CascadeCreate_Prompt_Name"), CmdEvalNotEmpty, NULL},
};
// If virtual HUB is not selected, it's an error
if (ps->HubName == NULL)
{
c->Write(c, _UU("CMD_Hub_Not_Selected"));
return ERR_INVALID_PARAMETER;
}
o = ParseCommandList(c, cmd_name, str, args, sizeof(args) / sizeof(args[0]));
if (o == NULL)
{
return ERR_INVALID_PARAMETER;
}
Zero(&t, sizeof(t));
StrCpy(t.HubName, sizeof(t.HubName), ps->HubName);
t.ClientOption = ZeroMalloc(sizeof(CLIENT_OPTION));
UniStrCpy(t.ClientOption->AccountName, sizeof(t.ClientOption->AccountName), GetParamUniStr(o, "[name]"));
// RPC call
ret = ScGetLink(ps->Rpc, &t);
if (ret != ERR_NO_ERROR)
{
// An error has occured
CmdPrintError(c, ret);
FreeParamValueList(o);
return ret;
}
else
{
// Data change
t.AddDefaultCA = true;
ret = ScSetLink(ps->Rpc, &t);
if (ret != ERR_NO_ERROR)
{
// An error has occured
CmdPrintError(c, ret);
FreeParamValueList(o);
return ret;
}
FreeRpcCreateLink(&t);
}
FreeParamValueList(o);
return 0;
}
// Disable trusting default CA list for cascade connection
UINT PsCascadeDefaultCADisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
{
LIST *o;
PS *ps = (PS *)param;
UINT ret = 0;
RPC_CREATE_LINK t;
// Parameter list that can be specified
PARAM args[] =
{
// "name", prompt_proc, prompt_param, eval_proc, eval_param
{"[name]", CmdPrompt, _UU("CMD_CascadeCreate_Prompt_Name"), CmdEvalNotEmpty, NULL},
};
// If virtual HUB is not selected, it's an error
if (ps->HubName == NULL)
{
c->Write(c, _UU("CMD_Hub_Not_Selected"));
return ERR_INVALID_PARAMETER;
}
o = ParseCommandList(c, cmd_name, str, args, sizeof(args) / sizeof(args[0]));
if (o == NULL)
{
return ERR_INVALID_PARAMETER;
}
Zero(&t, sizeof(t));
StrCpy(t.HubName, sizeof(t.HubName), ps->HubName);
t.ClientOption = ZeroMalloc(sizeof(CLIENT_OPTION));
UniStrCpy(t.ClientOption->AccountName, sizeof(t.ClientOption->AccountName), GetParamUniStr(o, "[name]"));
// RPC call
ret = ScGetLink(ps->Rpc, &t);
if (ret != ERR_NO_ERROR)
{
// An error has occured
CmdPrintError(c, ret);
FreeParamValueList(o);
return ret;
}
else
{
// Data change
t.AddDefaultCA = false;
ret = ScSetLink(ps->Rpc, &t);
if (ret != ERR_NO_ERROR)
{
// An error has occured
CmdPrintError(c, ret);
FreeParamValueList(o);
return ret;
}
FreeRpcCreateLink(&t);
}
FreeParamValueList(o);
return 0;
}
// Server-specific certificate settings of cascade connection
UINT PsCascadeServerCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
{
@ -15434,7 +15534,11 @@ void CmdPrintStatusToListViewEx(CT *ct, RPC_CLIENT_GET_CONNECTION_STATUS *s, boo
}
else
{
if (StrLen(s->CipherName) != 0)
if (StrLen(s->CipherName) != 0 && StrLen(s->ProtocolName) != 0)
{
UniFormat(tmp, sizeof(tmp), _UU("CM_ST_USE_ENCRYPT_TRUE3"), s->ProtocolName, s->CipherName);
}
else if (StrLen(s->CipherName) != 0)
{
UniFormat(tmp, sizeof(tmp), _UU("CM_ST_USE_ENCRYPT_TRUE"), s->CipherName);
}
@ -24273,6 +24377,12 @@ UINT PsConnect(CONSOLE *c, char *host, UINT port, char *hub, char *adminhub, wch
Zero(&o, sizeof(o));
UniStrCpy(o.AccountName, sizeof(o.AccountName), L"VPNCMD");
StrCpy(o.Hostname, sizeof(o.Hostname), host);
UINT i = SearchStrEx(o.Hostname, "/", 0, false);
if (i != INFINITE)
{
StrCpy(o.HintStr, sizeof(o.HintStr), o.Hostname + i + 1);
o.Hostname[i] = 0;
}
o.Port = port;
o.ProxyType = PROXY_DIRECT;
@ -24331,7 +24441,7 @@ UINT PsConnect(CONSOLE *c, char *host, UINT port, char *hub, char *adminhub, wch
PS *ps;
// Success
ps = NewPs(c, rpc, host, port, hub, adminhub, cmdline);
ps = NewPs(c, rpc, o.Hostname, port, hub, adminhub, cmdline);
PsMain(ps);
retcode = ps->LastError;
FreePs(ps);

View File

@ -342,6 +342,7 @@ UINT PcNicDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcNicList(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcAccountList(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcAccountCreate(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
void SetRpcClientCreateAccountFromGetAccount(RPC_CLIENT_CREATE_ACCOUNT *c, RPC_CLIENT_GET_ACCOUNT *t);
UINT PcAccountSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcAccountGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcAccountDelete(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
@ -365,6 +366,8 @@ UINT PcAccountServerCertEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *p
UINT PcAccountServerCertDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcAccountRetryOnServerCertEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcAccountRetryOnServerCertDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcAccountDefaultCAEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcAccountDefaultCADisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcAccountServerCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcAccountServerCertDelete(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcAccountServerCertGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
@ -510,6 +513,8 @@ UINT PsCascadeProxySocks(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PsCascadeProxySocks5(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PsCascadeServerCertEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PsCascadeServerCertDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PsCascadeDefaultCAEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PsCascadeDefaultCADisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PsCascadeServerCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PsCascadeServerCertDelete(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PsCascadeServerCertGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);

View File

@ -28,6 +28,7 @@
#include "Mayaqua/Object.h"
#include "Mayaqua/Pack.h"
#include "Mayaqua/Str.h"
#include "Mayaqua/Table.h"
#include "Mayaqua/Tick64.h"
#include <stdlib.h>
@ -3047,11 +3048,16 @@ void ConnectionAccept(CONNECTION *c)
// Start the SSL communication
Copy(&s->SslAcceptSettings, &c->Cedar->SslAcceptSettings, sizeof(SSL_ACCEPT_SETTINGS));
if (StartSSLEx2(s, x, k, chain, 0, NULL) == false)
UINT ssl_err = 0;
if (StartSSLEx3(s, x, k, chain, 0, NULL, NULL, &ssl_err) == false)
{
// Failed
AddNoSsl(c->Cedar, &s->RemoteIP);
Debug("ConnectionAccept(): StartSSL() failed\n");
if (ssl_err != 0)
{
SLog(c->Cedar, "LS_SSL_START_ERROR", c->Name, GetUniErrorStr(ssl_err), ssl_err);
}
FreeX(x);
FreeK(k);
FreeXList(chain);
@ -3063,7 +3069,7 @@ void ConnectionAccept(CONNECTION *c)
FreeK(k);
FreeXList(chain);
SLog(c->Cedar, "LS_SSL_START", c->Name, s->CipherName);
SLog(c->Cedar, "LS_SSL_START", c->Name, s->SslVersion, s->CipherName);
Copy(c->CToken_Hash, ctoken_hash, SHA1_SIZE);
@ -3399,6 +3405,11 @@ void CleanupConnection(CONNECTION *c)
Free(c->CipherName);
}
if (c->SslVersion != NULL)
{
Free(c->SslVersion);
}
Free(c);
}

View File

@ -105,6 +105,7 @@ struct CLIENT_OPTION
char pad12[3];
UCHAR HostUniqueKey[SHA1_SIZE]; // Host unique key
char CustomHttpHeader[HTTP_CUSTOM_HEADER_MAX_SIZE]; // Custom HTTP proxy header
char HintStr[MAX_HOST_NAME_LEN + 1]; // Hint string for NAT-T
};
// Client authentication data
@ -222,6 +223,7 @@ struct CONNECTION
X *ServerX; // Server certificate
X *ClientX; // Client certificate
char *CipherName; // Encryption algorithm name
char *SslVersion; // SSL protocol version
UINT64 ConnectedTick; // Time it is connected
IP ClientIp; // Client IP address
char ClientHostname[MAX_HOST_NAME_LEN + 1]; // Client host name

View File

@ -31,6 +31,7 @@ struct LINK
UINT CurrentSendPacketQueueSize; // Current send packet queue size
UINT LastError; // Last error
bool CheckServerCert; // To check the server certificate
bool AddDefaultCA; // Use default trust store
X *ServerCert; // Server certificate
bool LockFlag; // Lock flag
bool *StopAllLinkFlag; // Stop all link flag

View File

@ -1573,6 +1573,12 @@ bool ServerAccept(CONNECTION *c)
c->CipherName = NULL;
if (c->SslVersion != NULL)
{
Free(c->SslVersion);
}
c->SslVersion = NULL;
if (IsEmptyStr(tmp) == false)
{
c->CipherName = CopyStr(tmp);
@ -1592,11 +1598,22 @@ bool ServerAccept(CONNECTION *c)
}
c->CipherName = NULL;
if (c->SslVersion != NULL)
{
Free(c->SslVersion);
}
c->SslVersion = NULL;
if (c->FirstSock != NULL && IsEmptyStr(c->FirstSock->CipherName) == false)
{
c->CipherName = CopyStr(c->FirstSock->CipherName);
}
if (c->FirstSock != NULL && IsEmptyStr(c->FirstSock->SslVersion) == false)
{
c->SslVersion = CopyStr(c->FirstSock->SslVersion);
}
Format(radius_login_opt.In_VpnProtocolState, sizeof(radius_login_opt.In_VpnProtocolState),
"L%u:%s", IPC_LAYER_2, "SEVPN");
}
@ -4297,7 +4314,6 @@ bool ClientCheckServerCert(CONNECTION *c, bool *expired)
X *x;
CHECK_CERT_THREAD_PROC *p;
THREAD *thread;
CEDAR *cedar;
bool ret;
UINT64 start;
// Validate arguments
@ -4312,31 +4328,10 @@ bool ClientCheckServerCert(CONNECTION *c, bool *expired)
}
auth = c->Session->ClientAuth;
cedar = c->Cedar;
if (auth->CheckCertProc == NULL && c->Session->LinkModeClient == false)
if (auth->CheckCertProc == NULL)
{
// No checking function
return true;
}
if (c->Session->LinkModeClient && c->Session->Link->CheckServerCert == false)
{
// It's in cascade connection mode, but do not check the server certificate
return true;
}
if (c->UseTicket)
{
// Check the certificate of the redirected VPN server
if (CompareX(c->FirstSock->RemoteX, c->ServerX) == false)
{
return false;
}
else
{
return true;
}
return false;
}
x = CloneX(c->FirstSock->RemoteX);
@ -4346,63 +4341,6 @@ bool ClientCheckServerCert(CONNECTION *c, bool *expired)
return false;
}
if (CheckXDateNow(x))
{
// Check whether it is signed by the root certificate to trust
if (c->Session->LinkModeClient == false)
{
// Normal VPN Client mode
if (CheckSignatureByCa(cedar, x))
{
// This certificate can be trusted because it is signed
FreeX(x);
return true;
}
}
else
{
// Cascade connection mode
if (CheckSignatureByCaLinkMode(c->Session, x))
{
// This certificate can be trusted because it is signed
FreeX(x);
return true;
}
}
}
if (c->Session->LinkModeClient)
{
if (CheckXDateNow(x))
{
Lock(c->Session->Link->lock);
{
if (c->Session->Link->ServerCert != NULL)
{
if (CompareX(c->Session->Link->ServerCert, x))
{
Unlock(c->Session->Link->lock);
// Exactly match the certificate that is registered in the cascade configuration
FreeX(x);
return true;
}
}
}
Unlock(c->Session->Link->lock);
}
else
{
if (expired != NULL)
{
*expired = true;
}
}
// Verification failure at this point in the case of cascade connection mode
FreeX(x);
return false;
}
p = ZeroMalloc(sizeof(CHECK_CERT_THREAD_PROC));
p->ServerX = x;
p->CheckCertProc = auth->CheckCertProc;
@ -4420,7 +4358,8 @@ bool ClientCheckServerCert(CONNECTION *c, bool *expired)
{
// Send a NOOP periodically for disconnection prevention
start = Tick64();
ClientUploadNoop(c);
// Do not send because we now ask for user permission before sending signature
//ClientUploadNoop(c);
}
if (p->UserSelected)
{
@ -4479,10 +4418,43 @@ REDIRECTED:
s = ClientConnectToServer(c);
if (s == NULL)
{
// Do not retry if untrusted or hostname mismatched
if (c->Session->LinkModeClient == false && (c->Err == ERR_CERT_NOT_TRUSTED || c->Err == ERR_HOSTNAME_MISMATCH)
&& (c->Session->Account == NULL || ! c->Session->Account->RetryOnServerCert))
{
c->Session->ForceStopFlag = true;
}
PrintStatus(sess, L"free");
return false;
}
PrintStatus(sess, _UU("STATUS_5"));
// Prompt user whether to continue on verification errors
if ((c->Err == ERR_CERT_NOT_TRUSTED || c->Err == ERR_HOSTNAME_MISMATCH || c->Err == ERR_SERVER_CERT_EXPIRES) && ClientCheckServerCert(c, &expired) == false)
{
if (expired)
{
c->Err = ERR_SERVER_CERT_EXPIRES;
}
// Do not retry if untrusted or hostname mismatched
if (c->Session->LinkModeClient == false && (c->Err == ERR_CERT_NOT_TRUSTED || c->Err == ERR_HOSTNAME_MISMATCH)
&& (c->Session->Account == NULL || ! c->Session->Account->RetryOnServerCert))
{
c->Session->ForceStopFlag = true;
}
goto CLEANUP;
}
// Check the certificate of the redirected VPN server
if (c->UseTicket && CompareX(s->RemoteX, c->ServerX) == false)
{
c->Err = ERR_CERT_NOT_TRUSTED;
goto CLEANUP;
}
Copy(&server_ip, &s->RemoteIP, sizeof(IP));
if (c->Halt)
@ -4534,8 +4506,6 @@ REDIRECTED:
goto CLEANUP;
}
PrintStatus(sess, _UU("STATUS_5"));
// Receive a Hello packet
Debug("Downloading Hello...\n");
if (ClientDownloadHello(c, s) == false)
@ -4571,27 +4541,6 @@ REDIRECTED:
// During user authentication
c->Session->ClientStatus = CLIENT_STATUS_AUTH;
// Verify the server certificate by the client
if (ClientCheckServerCert(c, &expired) == false)
{
if (expired == false)
{
c->Err = ERR_CERT_NOT_TRUSTED;
}
else
{
c->Err = ERR_SERVER_CERT_EXPIRES;
}
if (c->Session->LinkModeClient == false && c->Err == ERR_CERT_NOT_TRUSTED
&& (c->Session->Account == NULL || ! c->Session->Account->RetryOnServerCert))
{
c->Session->ForceStopFlag = true;
}
goto CLEANUP;
}
PrintStatus(sess, _UU("STATUS_6"));
// Send the authentication data
@ -5045,6 +4994,13 @@ REDIRECTED:
}
c->CipherName = CopyStr(c->FirstSock->CipherName);
if (c->SslVersion != NULL)
{
Free(c->SslVersion);
}
c->SslVersion = CopyStr(c->FirstSock->SslVersion);
}
Unlock(c->lock);
@ -6220,16 +6176,29 @@ SOCK *ClientConnectToServer(CONNECTION *c)
SetTimeout(s, CONNECTING_TIMEOUT);
// Start the SSL communication
if (StartSSLEx(s, x, k, 0, c->ServerName) == false)
UINT err = 0;
if (StartSSLEx3(s, x, k, NULL, 0, c->ServerName, c->Session->SslOption, &err) == false)
{
// SSL communication start failure
Disconnect(s);
ReleaseSock(s);
c->FirstSock = NULL;
c->Err = ERR_SERVER_IS_NOT_VPN;
if (err != 0)
{
c->Err = err;
}
else
{
c->Err = ERR_SERVER_IS_NOT_VPN;
}
return NULL;
}
if (err != 0)
{
c->Err = err;
}
if (s->RemoteX == NULL)
{
// SSL communication start failure
@ -6240,6 +6209,8 @@ SOCK *ClientConnectToServer(CONNECTION *c)
return NULL;
}
CLog(c->Cedar->Client, "LC_SSL_CONNECTED", c->Session->ClientOption->AccountName, s->SslVersion, s->CipherName);
return s;
}
@ -6299,6 +6270,7 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect)
if (o->ProxyType == PROXY_DIRECT)
{
UINT ssl_err = 0;
UINT nat_t_err = 0;
wchar_t tmp[MAX_SIZE];
UniFormat(tmp, sizeof(tmp), _UU("STATUS_4"), hostname);
@ -6308,9 +6280,10 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect)
{
// If additional_connect == false, enable trying to NAT-T connection
// If additional_connect == true, follow the IsRUDPSession setting in this session
sock = TcpIpConnectEx(hostname, c->ServerPort,
// In additional connect or redirect we do not need ssl verification as the certificate is always compared with a saved one
sock = TcpIpConnectEx2(hostname, c->ServerPort,
(bool *)cancel_flag, c->hWndForUI, &nat_t_err, (additional_connect ? (!sess->IsRUDPSession) : false),
true, &resolved_ip);
true, ((additional_connect || c->UseTicket) ? NULL : sess->SslOption), &ssl_err, o->HintStr, &resolved_ip);
}
else
{
@ -6333,7 +6306,14 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect)
// Connection failure
if (nat_t_err != RUDP_ERROR_NAT_T_TWO_OR_MORE)
{
c->Err = ERR_CONNECT_FAILED;
if (ssl_err != 0)
{
c->Err = ssl_err;
}
else
{
c->Err = ERR_CONNECT_FAILED;
}
}
else
{
@ -6342,6 +6322,11 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect)
return NULL;
}
if (ssl_err != 0)
{
c->Err = ssl_err;
}
}
else
{
@ -6446,23 +6431,31 @@ UINT ProxyCodeToCedar(UINT code)
// TCP connection function
SOCK *TcpConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, IP *ret_ip)
{
return TcpConnectEx4(hostname, port, timeout, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, NULL, NULL, NULL, ret_ip);
}
SOCK *TcpConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip)
{
#ifdef OS_WIN32
if (hWnd == NULL)
{
#endif // OS_WIN32
return ConnectEx4(hostname, port, timeout, cancel_flag, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), nat_t_error_code, try_start_ssl, true, ret_ip);
return ConnectEx5(hostname, port, timeout, cancel_flag, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), nat_t_error_code, try_start_ssl, true, ssl_option, ssl_err, hint_str, ret_ip);
#ifdef OS_WIN32
}
else
{
return WinConnectEx3((HWND)hWnd, hostname, port, timeout, 0, NULL, NULL, nat_t_error_code, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), try_start_ssl);
return WinConnectEx4((HWND)hWnd, hostname, port, timeout, 0, NULL, NULL, nat_t_error_code, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), try_start_ssl, ssl_option, ssl_err, hint_str);
}
#endif // OS_WIN32
}
// Connect with TCP/IP
SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, IP *ret_ip)
{
return TcpIpConnectEx2(hostname, port, cancel_flag, hWnd, nat_t_error_code, no_nat_t, try_start_ssl, NULL, NULL, NULL, ret_ip);
}
SOCK *TcpIpConnectEx2(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip)
{
SOCK *s = NULL;
UINT dummy_int = 0;
@ -6477,7 +6470,7 @@ SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, U
return NULL;
}
s = TcpConnectEx3(hostname, port, 0, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, ret_ip);
s = TcpConnectEx4(hostname, port, 0, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, ssl_option, ssl_err, hint_str, ret_ip);
if (s == NULL)
{
return NULL;

View File

@ -114,6 +114,7 @@ bool ServerAccept(CONNECTION *c);
bool ClientConnect(CONNECTION *c);
SOCK *ClientConnectToServer(CONNECTION *c);
SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, IP *ret_ip);
SOCK *TcpIpConnectEx2(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip);
bool ClientUploadSignature(SOCK *s);
bool ClientDownloadHello(CONNECTION *c, SOCK *s);
bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str);
@ -121,6 +122,7 @@ bool ServerUploadHello(CONNECTION *c);
bool ClientUploadAuth(CONNECTION *c);
SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect);
SOCK *TcpConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, IP *ret_ip);
SOCK *TcpConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip);
UINT ProxyCodeToCedar(UINT code);

View File

@ -10286,6 +10286,7 @@ bool SmLinkEdit(HWND hWnd, SM_HUB *s, wchar_t *name)
a.ClientAuth = CopyClientAuth(t.ClientAuth);
Copy(&a.Policy, &t.Policy, sizeof(POLICY));
a.CheckServerCert = t.CheckServerCert;
a.AddDefaultCA = t.AddDefaultCA;
a.ServerCert = CloneX(t.ServerCert);
a.HideTrustCert = GetCapsBool(s->p->CapsList, "b_support_config_hub");
FreeRpcCreateLink(&t);
@ -19360,7 +19361,14 @@ void SmEditSettingDlgInit(HWND hWnd, SM_EDIT_SETTING *p)
SetText(hWnd, E_ACCOUNT_NAME, s->Title);
// Host name
SetTextA(hWnd, E_HOSTNAME, s->ClientOption.Hostname);
char hostname[MAX_SIZE];
StrCpy(hostname, sizeof(hostname), s->ClientOption.Hostname);
if (IsEmptyStr(s->ClientOption.HintStr) == false)
{
StrCat(hostname, sizeof(hostname), "/");
StrCat(hostname, sizeof(hostname), s->ClientOption.HintStr);
}
SetTextA(hWnd, E_HOSTNAME, hostname);
// Port number
CbSetHeight(hWnd, C_PORT, 18);
@ -19450,6 +19458,16 @@ void SmEditSettingDlgUpdate(HWND hWnd, SM_EDIT_SETTING *p)
GetTxtA(hWnd, E_HOSTNAME, tmp, sizeof(tmp));
Trim(tmp);
UINT i = SearchStrEx(tmp, "/", 0, false);
if (i != INFINITE)
{
StrCpy(s->ClientOption.HintStr, sizeof(s->ClientOption.HintStr), tmp + i + 1);
tmp[i] = 0;
}
else
{
s->ClientOption.HintStr[0] = 0;
}
if (StrCmpi(tmp, s->ClientOption.Hostname) != 0)
{
@ -20211,6 +20229,13 @@ void SmLoadSettingList()
if (s != NULL)
{
// Migrate from old settings that mixed hint string with hostname
UINT i = SearchStrEx(s->ClientOption.Hostname, "/", 0, false);
if (i != INFINITE)
{
StrCpy(s->ClientOption.HintStr, sizeof(s->ClientOption.HintStr), s->ClientOption.Hostname + i + 1);
s->ClientOption.Hostname[i] = 0;
}
Add(sm->SettingList, s);
}
FreeBuf(b);
@ -20273,6 +20298,7 @@ void SmInitDefaultSettingList()
Sha0(s->HashedPassword, "", 0);
UniStrCpy(s->ClientOption.AccountName, sizeof(s->ClientOption.AccountName), s->Title);
StrCpy(s->ClientOption.Hostname, sizeof(s->ClientOption.Hostname), "localhost");
s->ClientOption.HintStr[0] = 0;
s->ClientOption.Port = GC_DEFAULT_PORT;
Add(sm->SettingList, s);
@ -20362,7 +20388,14 @@ void SmRefreshSettingEx(HWND hWnd, wchar_t *select_name)
UniFormat(tmp, sizeof(tmp), _UU("SM_MODE_HUB"), s->HubName);
}
StrToUni(tmp2, sizeof(tmp2), s->ClientOption.Hostname);
char hostname[MAX_SIZE];
StrCpy(hostname, sizeof(hostname), s->ClientOption.Hostname);
if (IsEmptyStr(s->ClientOption.HintStr) == false)
{
StrCat(hostname, sizeof(hostname), "/");
StrCat(hostname, sizeof(hostname), s->ClientOption.HintStr);
}
StrToUni(tmp2, sizeof(tmp2), hostname);
LvInsertAdd(b,
(s->ServerAdminMode ? ICO_SERVER_ONLINE : ICO_HUB),
@ -20781,6 +20814,12 @@ void SmParseCommandLine()
UniStrCpy(o->AccountName, sizeof(o->AccountName), s->Title);
StrCpy(o->Hostname, sizeof(o->Hostname), host);
UINT i = SearchStrEx(o->Hostname, "/", 0, false);
if (i != INFINITE)
{
StrCpy(o->HintStr, sizeof(o->HintStr), o->Hostname + i + 1);
o->Hostname[i] = 0;
}
o->Port = port;
o->ProxyType = PROXY_DIRECT;
StrCpy(o->DeviceName, sizeof(o->DeviceName), "DUMMY");

View File

@ -41,7 +41,7 @@ typedef struct SETTING
char HubName[MAX_HUBNAME_LEN + 1]; // HUB name
UCHAR HashedPassword[SHA1_SIZE]; // Password
CLIENT_OPTION ClientOption; // Client Option
UCHAR Reserved[10240 - sizeof(UINT) * 8 - SHA1_SIZE - HTTP_CUSTOM_HEADER_MAX_SIZE]; // Reserved area
UCHAR Reserved[10240 - sizeof(UINT) * 8 - SHA1_SIZE - HTTP_CUSTOM_HEADER_MAX_SIZE - MAX_HOST_NAME_LEN - 1]; // Reserved area
} SETTING;
// Structure declaration

View File

@ -3400,6 +3400,7 @@ void SiWriteHubLinkCfg(FOLDER *f, LINK *k)
}
CfgAddBool(f, "CheckServerCert", k->CheckServerCert);
CfgAddBool(f, "AddDefaultCA", k->AddDefaultCA);
if (k->ServerCert != NULL)
{
@ -3450,6 +3451,7 @@ void SiLoadHubLinkCfg(FOLDER *f, HUB *h)
{
BUF *b;
k->CheckServerCert = CfgGetBool(f, "CheckServerCert");
k->AddDefaultCA = CfgGetBool(f, "AddDefaultCA");
b = CfgGetBuf(f, "ServerCert");
if (b != NULL)
{
@ -3457,16 +3459,8 @@ void SiLoadHubLinkCfg(FOLDER *f, HUB *h)
FreeBuf(b);
}
if (online)
{
k->Offline = true;
SetLinkOnline(k);
}
else
{
k->Offline = false;
SetLinkOffline(k);
}
k->Offline = !online;
ReleaseLink(k);
}

View File

@ -1270,6 +1270,13 @@ void CleanupSession(SESSION *s)
Free(s->ClientAuth);
}
if (s->SslOption != NULL)
{
FreeXList(s->SslOption->CaList);
FreeX(s->SslOption->SavedCert);
Free(s->SslOption);
}
FreeTraffic(s->Traffic);
Free(s->Name);
@ -1949,23 +1956,55 @@ SESSION *NewClientSessionEx(CEDAR *cedar, CLIENT_OPTION *option, CLIENT_AUTH *au
{
s->ClientAuth->ClientX = CloneX(s->ClientAuth->ClientX);
}
if (s->ClientAuth->ClientK != NULL)
{
if (s->ClientAuth->AuthType != CLIENT_AUTHTYPE_OPENSSLENGINE)
{
s->ClientAuth->ClientK = CloneK(s->ClientAuth->ClientK);
}
else
{
s->ClientAuth->ClientK = OpensslEngineToK(s->ClientAuth->OpensslEnginePrivateKeyName, s->ClientAuth->OpensslEngineName);
}
}
if (s->ClientAuth->ClientK != NULL)
{
if (s->ClientAuth->AuthType != CLIENT_AUTHTYPE_OPENSSLENGINE)
{
s->ClientAuth->ClientK = CloneK(s->ClientAuth->ClientK);
}
else
{
s->ClientAuth->ClientK = OpensslEngineToK(s->ClientAuth->OpensslEnginePrivateKeyName, s->ClientAuth->OpensslEngineName);
}
}
if (StrCmpi(s->ClientOption->DeviceName, LINK_DEVICE_NAME) == 0)
{
// Link client mode
s->LinkModeClient = true;
s->Link = (LINK *)s->PacketAdapter->Param;
if (s->Link != NULL && s->Link->CheckServerCert && s->Link->Hub->HubDb != NULL)
{
// Enable SSL peer verification
s->SslOption = ZeroMalloc(sizeof(SSL_VERIFY_OPTION));
s->SslOption->VerifyPeer = true;
s->SslOption->AddDefaultCA = s->Link->AddDefaultCA;
s->SslOption->VerifyHostname = true;
s->SslOption->SavedCert = CloneX(s->Link->ServerCert);
// Copy trusted CA
LIST *o = s->Link->Hub->HubDb->RootCertList;
s->SslOption->CaList = CloneXList(o);
}
}
else
{
if (account != NULL && account->CheckServerCert)
{
// Enable SSL peer verification
s->SslOption = ZeroMalloc(sizeof(SSL_VERIFY_OPTION));
s->SslOption->VerifyPeer = true;
#ifdef OS_WIN32
s->SslOption->PromptOnVerifyFail = true;
#endif
s->SslOption->AddDefaultCA = account->AddDefaultCA;
s->SslOption->VerifyHostname = true;
s->SslOption->SavedCert = CloneX(account->ServerCert);
// Copy trusted CA
LIST *o = cedar->CaList;
s->SslOption->CaList = CloneXList(o);
}
}
if (StrCmpi(s->ClientOption->DeviceName, SNAT_DEVICE_NAME) == 0)

View File

@ -91,6 +91,7 @@ struct SESSION
char ClientIP[64]; // Client IP
CLIENT_OPTION *ClientOption; // Client connection options
CLIENT_AUTH *ClientAuth; // Client authentication data
SSL_VERIFY_OPTION *SslOption; // SSL verification option
volatile bool Halt; // Halting flag
volatile bool CancelConnect; // Cancel the connection
EVENT *HaltEvent; // Halting event

View File

@ -1329,7 +1329,7 @@ void WinConnectDlgThread(THREAD *thread, void *param)
nat_t_svc_name = d->nat_t_svc_name;
}
s = ConnectEx3(d->hostname, d->port, d->timeout, &d->cancel, nat_t_svc_name, &nat_t_error_code, d->try_start_ssl, false);
s = ConnectEx5(d->hostname, d->port, d->timeout, &d->cancel, nat_t_svc_name, &nat_t_error_code, d->try_start_ssl, false, d->ssl_option, d->ssl_err, d->hint_str, NULL);
d->ret_sock = s;
d->nat_t_error_code = nat_t_error_code;
@ -1398,6 +1398,10 @@ UINT WinConnectDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *
// TCP connection with showing the UI
SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl)
{
return WinConnectEx4(hWnd, server, port, timeout, icon_id, caption, info, nat_t_error_code, nat_t_svc_name, try_start_ssl, NULL, NULL, NULL);
}
SOCK *WinConnectEx4(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str)
{
wchar_t tmp[MAX_SIZE];
wchar_t tmp2[MAX_SIZE];
@ -1440,6 +1444,9 @@ SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_
d.timeout = timeout;
d.hostname = server;
d.port = port;
d.ssl_option = ssl_option;
d.ssl_err = ssl_err;
d.hint_str = hint_str;
StrCpy(d.nat_t_svc_name, sizeof(d.nat_t_svc_name), nat_t_svc_name);
Dialog(hWnd, D_CONNECT, WinConnectDlgProc, &d);

View File

@ -331,6 +331,9 @@ typedef struct WINCONNECT_DLG_DATA
char nat_t_svc_name[MAX_SIZE];
UINT nat_t_error_code;
bool try_start_ssl;
SSL_VERIFY_OPTION *ssl_option;
UINT *ssl_err;
char *hint_str;
} WINCONNECT_DLG_DATA;
HBITMAP ResizeBitmap(HBITMAP hSrc, UINT src_x, UINT src_y, UINT dst_x, UINT dst_y);
@ -694,6 +697,7 @@ HFONT GetMeiryoFontEx(UINT font_size);
HFONT GetMeiryoFontEx2(UINT font_size, bool bold);
bool ShowWindowsNetworkConnectionDialog();
SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl);
SOCK *WinConnectEx4(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str);
UINT WinConnectDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *param);
void WinConnectDlgThread(THREAD *thread, void *param);
void NicInfo(UI_NICINFO *info);

View File

@ -382,6 +382,7 @@ typedef struct RUDP_SESSION RUDP_SESSION;
typedef struct RUDP_SEGMENT RUDP_SEGMENT;
typedef struct CONNECT_SERIAL_PARAM CONNECT_SERIAL_PARAM;
typedef struct CONNECT_TCP_RUDP_PARAM CONNECT_TCP_RUDP_PARAM;
typedef struct SSL_VERIFY_OPTION SSL_VERIFY_OPTION;
typedef struct TCP_PAIR_HEADER TCP_PAIR_HEADER;
typedef struct NIC_ENTRY NIC_ENTRY;
typedef struct HTTP_VALUE HTTP_VALUE;

View File

@ -54,7 +54,7 @@
#ifdef OS_WIN32
#include <iphlpapi.h>
#include <WS2tcpip.h>
#include <wincrypt.h>
#include <IcmpAPI.h>
struct ROUTE_CHANGE_DATA
@ -11630,11 +11630,17 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname)
return StartSSLEx2(sock, x, priv, NULL, ssl_timeout, sni_hostname);
}
bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char *sni_hostname)
{
return StartSSLEx3(sock, x, priv, chain, ssl_timeout, sni_hostname, NULL, NULL);
}
bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char *sni_hostname, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err)
{
X509 *x509;
EVP_PKEY *key;
UINT prev_timeout = 1024;
SSL_CTX *ssl_ctx;
UINT dummy_err = 0;
long ssl_verify_err;
#ifdef UNIX_SOLARIS
SOCKET_TIMEOUT_PARAM *ttparam;
@ -11646,6 +11652,10 @@ bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
Debug("StartSSL Error: #0\n");
return false;
}
if (ssl_err == NULL)
{
ssl_err = &dummy_err;
}
if (sock->Connected && sock->Type == SOCK_INPROC && sock->ListenMode == false)
{
sock->SecureMode = true;
@ -11717,13 +11727,6 @@ bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
}
#endif // SSL_OP_NO_TLSv1_3
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
if (sock->SslAcceptSettings.Override_Security_Level)
{
SSL_CTX_set_security_level(ssl_ctx, sock->SslAcceptSettings.Override_Security_Level_Value);
}
#endif
Unlock(openssl_lock);
if (chain == NULL)
{
@ -11745,6 +11748,62 @@ bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
}
Lock(openssl_lock);
}
else
{
// Client mode
if (ssl_option != NULL && ssl_option->VerifyPeer)
{
// Add default trust store
X509_STORE* store = SSL_CTX_get_cert_store(ssl_ctx);
if (ssl_option->AddDefaultCA)
{
#ifdef OS_WIN32
HCERTSTORE hStore = CertOpenSystemStore(0, "ROOT");
if (hStore != NULL)
{
PCCERT_CONTEXT pContext = NULL;
while ((pContext = CertEnumCertificatesInStore(hStore, pContext)))
{
X509 *x509 = d2i_X509(NULL, (const unsigned char**)&pContext->pbCertEncoded, pContext->cbCertEncoded);
if (x509 != NULL)
{
X509_STORE_add_cert(store, x509);
X509_free(x509);
}
}
CertCloseStore(hStore, 0);
}
#else
SSL_CTX_set_default_verify_paths(ssl_ctx);
#endif
}
// Add trust CA specified by user
UINT i;
for (i = 0; i < LIST_NUM(ssl_option->CaList); ++i)
{
X *ca = LIST_DATA(ssl_option->CaList, i);
X509_STORE_add_cert(store, ca->x509);
}
// Allow intermediate CA to be trusted
X509_VERIFY_PARAM *vpm = SSL_CTX_get0_param(ssl_ctx);
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_PARTIAL_CHAIN);
// Enable hostname verification (by default CN is only checked if SAN is not available)
if (ssl_option->VerifyHostname && IsEmptyStr(sni_hostname) == false)
{
X509_VERIFY_PARAM_set1_host(vpm, sni_hostname, StrLen(sni_hostname));
}
}
}
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
if (sock->SslAcceptSettings.Override_Security_Level)
{
SSL_CTX_set_security_level(ssl_ctx, sock->SslAcceptSettings.Override_Security_Level_Value);
}
#endif
sock->ssl = SSL_new(ssl_ctx);
SSL_set_fd(sock->ssl, (int)sock->socket);
@ -11814,6 +11873,27 @@ bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
// SSL-Accept failure
Lock(openssl_lock);
{
unsigned long err;
while (err = ERR_get_error())
{
Debug("SSL_accept error %X: %s\n", err, ERR_reason_error_string(err));
if (ERR_GET_LIB(err) == ERR_LIB_SSL)
{
switch (ERR_GET_REASON(err))
{
case SSL_R_UNSUPPORTED_PROTOCOL:
case SSL_R_VERSION_TOO_LOW:
case SSL_R_VERSION_TOO_HIGH:
*ssl_err = 150; // ERR_SSL_PROTOCOL_VERSION
break;
case SSL_R_NO_SHARED_CIPHER:
*ssl_err = 151; // ERR_SSL_SHARED_CIPHER
break;
default:
*ssl_err = 152; // ERR_SSL_HANDSHAKE
}
}
}
SSL_free(sock->ssl);
sock->ssl = NULL;
}
@ -11857,6 +11937,25 @@ bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
// SSL-connect failure
Lock(openssl_lock);
{
unsigned long err;
while (err = ERR_get_error())
{
Debug("SSL_connect error %X: %s\n", err, ERR_reason_error_string(err));
if (ERR_GET_LIB(err) == ERR_LIB_SSL)
{
switch (ERR_GET_REASON(err))
{
case SSL_R_UNSUPPORTED_PROTOCOL:
case SSL_R_VERSION_TOO_LOW:
case SSL_R_VERSION_TOO_HIGH:
case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION:
*ssl_err = 150; // ERR_SSL_PROTOCOL_VERSION
break;
default:
*ssl_err = 152; // ERR_SSL_HANDSHAKE
}
}
}
SSL_free(sock->ssl);
sock->ssl = NULL;
}
@ -11878,7 +11977,7 @@ bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
Lock(openssl_lock);
{
x509 = SSL_get_peer_certificate(sock->ssl);
ssl_verify_err = SSL_get_verify_result(sock->ssl);
sock->SslVersion = SSL_get_version(sock->ssl);
}
Unlock(openssl_lock);
@ -11894,6 +11993,49 @@ bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
sock->RemoteX = X509ToX(x509);
}
// Check verification error
if (ssl_option != NULL && ssl_option->VerifyPeer)
{
if (ssl_verify_err != X509_V_OK)
{
// Clear any error if matching saved certificate and not expired
if (ssl_option->SavedCert != NULL && sock->RemoteX != NULL && CheckXDateNow(sock->RemoteX) && CompareX(ssl_option->SavedCert, sock->RemoteX))
{
ssl_verify_err = X509_V_OK;
}
else
{
Debug("StartSSL: SSL verification error %d\n", ssl_verify_err);
switch (ssl_verify_err)
{
case X509_V_ERR_CERT_HAS_EXPIRED:
*ssl_err = 106; // ERR_SERVER_CERT_EXPIRES
break;
case X509_V_ERR_HOSTNAME_MISMATCH:
*ssl_err = 149; // ERR_HOSTNAME_MISMATCH
break;
default:
*ssl_err = 85; // ERR_CERT_NOT_TRUSTED
}
if (ssl_option->PromptOnVerifyFail == false)
{
// SSL verify failure
Lock(openssl_lock);
{
SSL_free(sock->ssl);
sock->ssl = NULL;
}
Unlock(openssl_lock);
Unlock(sock->ssl_lock);
FreeSSLCtx(ssl_ctx);
return false;
}
}
}
}
// Get the certificate of local host
Lock(openssl_lock);
{
@ -13776,20 +13918,7 @@ void ConnectThreadForTcp(THREAD *thread, void *param)
Unlock(p->CancelLock);
// Start the SSL communication
ssl_ret = StartSSLEx(sock, NULL, NULL, 0, p->Hostname);
if (ssl_ret)
{
// Identify whether the HTTPS server to be connected is a SoftEther VPN
SetTimeout(sock, (10 * 1000));
ssl_ret = DetectIsServerSoftEtherVPN(sock);
SetTimeout(sock, INFINITE);
if (ssl_ret == false)
{
Debug("DetectIsServerSoftEtherVPN Error.\n");
}
}
ssl_ret = StartSSLEx3(sock, NULL, NULL, NULL, 0, p->Hostname, p->SslOption, p->SslErr);
Lock(p->CancelLock);
{
@ -13977,17 +14106,19 @@ void ConnectThreadForIPv4(THREAD *thread, void *param)
Zero(&p4, sizeof(p4));
// p1: TCP
StrCpy(p1.Hostname, sizeof(p1.Hostname), p->Hostname_Original);
StrCpy(p1.Hostname, sizeof(p1.Hostname), p->Hostname);
Copy(&p1.Ip, ip, sizeof(IP));
p1.Port = p->Port;
p1.Timeout = p->Timeout;
p1.CancelFlag = &cancel_flag2;
p1.FinishEvent = finish_event;
p1.Tcp_TryStartSsl = p->Tcp_TryStartSsl;
p1.SslOption = p->SslOption;
p1.SslErr = p->SslErr;
p1.CancelLock = NewLock();
// p2: NAT-T
StrCpy(p2.Hostname, sizeof(p2.Hostname), p->Hostname_Original);
StrCpy(p2.Hostname, sizeof(p2.Hostname), p->Hostname);
Copy(&p2.Ip, ip, sizeof(IP));
p2.Port = p->Port;
p2.Timeout = p->Timeout;
@ -14000,7 +14131,7 @@ void ConnectThreadForIPv4(THREAD *thread, void *param)
p2.Delay = 30; // Delay by 30ms
// p3: over ICMP
StrCpy(p3.Hostname, sizeof(p3.Hostname), p->Hostname_Original);
StrCpy(p3.Hostname, sizeof(p3.Hostname), p->Hostname);
Copy(&p3.Ip, ip, sizeof(IP));
p3.Port = p->Port;
p3.Timeout = p->Timeout;
@ -14011,7 +14142,7 @@ void ConnectThreadForIPv4(THREAD *thread, void *param)
p3.Delay = 200; // Delay by 200ms
// p4: over DNS
StrCpy(p4.Hostname, sizeof(p4.Hostname), p->Hostname_Original);
StrCpy(p4.Hostname, sizeof(p4.Hostname), p->Hostname);
Copy(&p4.Ip, ip, sizeof(IP));
p4.Port = p->Port;
p4.Timeout = p->Timeout;
@ -14219,7 +14350,7 @@ void ConnectThreadForIPv4(THREAD *thread, void *param)
if (s != INVALID_SOCKET)
{
p->Sock = CreateTCPSock(s, false, &current_ip, p->No_Get_Hostname, p->Hostname_Original);
p->Sock = CreateTCPSock(s, false, &current_ip, p->No_Get_Hostname, p->Hostname);
break;
}
}
@ -14306,7 +14437,7 @@ void ConnectThreadForIPv6(THREAD *thread, void *param)
if (s != INVALID_SOCKET)
{
p->Sock = CreateTCPSock(s, true, &current_ip, p->No_Get_Hostname, p->Hostname_Original);
p->Sock = CreateTCPSock(s, true, &current_ip, p->No_Get_Hostname, p->Hostname);
break;
}
}
@ -14408,11 +14539,13 @@ SOCK *ConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha
return ConnectEx4(hostname, port, timeout, cancel_flag, nat_t_svc_name, nat_t_error_code, try_start_ssl, no_get_hostname, NULL);
}
SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, IP *ret_ip)
{
return ConnectEx5(hostname, port, timeout, cancel_flag, nat_t_svc_name, nat_t_error_code, try_start_ssl, no_get_hostname, NULL, NULL, NULL, ret_ip);
}
SOCK *ConnectEx5(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip)
{
bool dummy = false;
bool use_natt = false;
char hostname_original[MAX_SIZE];
char hint_str[MAX_SIZE];
bool force_use_natt = false;
UINT dummy_int = 0;
IP dummy_ret_ip;
@ -14440,33 +14573,15 @@ SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha
ret_ip = &dummy_ret_ip;
}
Zero(hint_str, sizeof(hint_str));
StrCpy(hostname_original, sizeof(hostname_original), hostname);
use_natt = (IsEmptyStr(nat_t_svc_name) ? false : true);
if (use_natt)
{
// In case of using NAT-T, split host name if the '/' is included in the host name
UINT i = SearchStrEx(hostname, "/", 0, false);
if (i == INFINITE)
if (IsEmptyStr(hint_str) == false)
{
// Not included
StrCpy(hostname_original, sizeof(hostname_original), hostname);
}
else
{
// Included
StrCpy(hostname_original, sizeof(hostname_original), hostname);
hostname_original[i] = 0;
// Force to use the NAT-T
force_use_natt = true;
// Copy the hint string
StrCpy(hint_str, sizeof(hint_str), hostname + i + 1);
if (StrCmpi(hint_str, "tcp") == 0 || StrCmpi(hint_str, "disable") == 0
|| StrCmpi(hint_str, "disabled") == 0
|| StrCmpi(hint_str, "no") == 0 || StrCmpi(hint_str, "none") == 0)
@ -14477,10 +14592,6 @@ SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha
}
}
}
else
{
StrCpy(hostname_original, sizeof(hostname_original), hostname);
}
LIST *iplist_v6 = NULL;
LIST *iplist_v4 = NULL;
@ -14504,7 +14615,7 @@ SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha
else
{
// Forward resolution
if (DnsResolveEx(&iplist_v6, &iplist_v4, hostname_original, 0, cancel_flag) == false)
if (DnsResolveEx(&iplist_v6, &iplist_v4, hostname, 0, cancel_flag) == false)
{
return NULL;
}
@ -14514,9 +14625,9 @@ SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha
EVENT *finish_event;
THREAD *t4 = NULL;
THREAD *t6 = NULL;
UINT64 start_tick = Tick64();
bool cancel_flag2 = false;
bool no_delay_flag = false;
IP ret_ip4, ret_ip6;
finish_event = NewEvent();
@ -14530,13 +14641,14 @@ SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha
p6.Port = port;
p6.Timeout = timeout;
StrCpy(p6.Hostname, sizeof(p6.Hostname), hostname);
StrCpy(p6.Hostname_Original, sizeof(p6.Hostname_Original), hostname_original);
p6.No_Get_Hostname = no_get_hostname;
p6.CancelFlag = &cancel_flag2;
p6.NoDelayFlag = &no_delay_flag;
p6.FinishEvent = finish_event;
p6.Tcp_TryStartSsl = try_start_ssl;
p6.Ret_Ip = ret_ip;
p6.SslOption = ssl_option;
p6.SslErr = ssl_err;
p6.Ret_Ip = &ret_ip6;
p6.RetryDelay = 250;
p6.Delay = 0;
t6 = NewThread(ConnectThreadForIPv6, &p6);
@ -14549,7 +14661,6 @@ SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha
p4.Port = port;
p4.Timeout = timeout;
StrCpy(p4.Hostname, sizeof(p4.Hostname), hostname);
StrCpy(p4.Hostname_Original, sizeof(p4.Hostname_Original), hostname_original);
StrCpy(p4.HintStr, sizeof(p4.HintStr), hint_str);
p4.No_Get_Hostname = no_get_hostname;
p4.CancelFlag = &cancel_flag2;
@ -14558,9 +14669,11 @@ SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha
StrCpy(p4.NatT_SvcName, sizeof(p4.NatT_SvcName), nat_t_svc_name);
p4.FinishEvent = finish_event;
p4.Tcp_TryStartSsl = try_start_ssl;
p4.SslOption = ssl_option;
p4.SslErr = ssl_err;
p4.Use_NatT = use_natt;
p4.Force_NatT = force_use_natt;
p4.Ret_Ip = ret_ip;
p4.Ret_Ip = &ret_ip4;
p4.RetryDelay = 250;
p4.Delay = 250; // Delay by 250ms to prioritize IPv6 (RFC 6555 recommends 150-250ms, Chrome uses 300ms)
t4 = NewThread(ConnectThreadForIPv4, &p4);
@ -14624,7 +14737,7 @@ SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha
{
Disconnect(p4.Sock);
ReleaseSock(p4.Sock);
Copy(ret_ip, &ret_ip6, sizeof(IP));
return p6.Sock;
}
@ -14632,7 +14745,7 @@ SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha
{
Disconnect(p6.Sock);
ReleaseSock(p6.Sock);
Copy(ret_ip, &ret_ip4, sizeof(IP));
return p4.Sock;
}

View File

@ -807,7 +807,6 @@ struct CONNECT_SERIAL_PARAM
UINT Port;
UINT Timeout;
char Hostname[MAX_SIZE];
char Hostname_Original[MAX_SIZE];
char HintStr[MAX_SIZE];
bool No_Get_Hostname;
bool *CancelFlag;
@ -822,6 +821,8 @@ struct CONNECT_SERIAL_PARAM
UINT Delay;
UINT RetryDelay;
bool Tcp_TryStartSsl;
SSL_VERIFY_OPTION *SslOption;
UINT *SslErr;
bool Use_NatT;
bool Force_NatT;
IP *Ret_Ip;
@ -848,11 +849,23 @@ struct CONNECT_TCP_RUDP_PARAM
UINT RUdpProtocol;
UINT Delay;
bool Tcp_TryStartSsl;
SSL_VERIFY_OPTION *SslOption;
UINT *SslErr;
LOCK *CancelLock;
SOCK *CancelDisconnectSock;
bool Tcp_InNegotiation;
};
struct SSL_VERIFY_OPTION
{
bool VerifyPeer; // Whether to verify SSL peer
bool PromptOnVerifyFail; // Prompt on verification failure (Windows)
bool AddDefaultCA; // Use default trust store
bool VerifyHostname; // Verify server hostname
LIST *CaList; // Trusted CA list
X *SavedCert; // Saved server certificate
};
#define SSL_DEFAULT_CONNECT_TIMEOUT (15 * 1000) // SSL default timeout
// Header for TCP Pair
@ -1090,6 +1103,7 @@ SOCK *ConnectEx(char *hostname, UINT port, UINT timeout);
SOCK *ConnectEx2(char *hostname, UINT port, UINT timeout, bool *cancel_flag);
SOCK *ConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname);
SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, IP *ret_ip);
SOCK *ConnectEx5(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip);
SOCKET ConnectTimeoutIPv4(IP *ip, UINT port, UINT timeout, bool *cancel_flag);
bool SetSocketBufferSize(SOCKET s, bool send, UINT size);
UINT SetSocketBufferSizeWithBestEffort(SOCKET s, bool send, UINT size);
@ -1114,6 +1128,7 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size);
bool StartSSL(SOCK *sock, X *x, K *priv);
bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname);
bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char *sni_hostname);
bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char *sni_hostname, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err);
bool AddChainSslCert(struct ssl_ctx_st *ctx, X *x);
void AddChainSslCertOnDirectory(struct ssl_ctx_st *ctx);
bool SendAll(SOCK *sock, void *data, UINT size, bool secure);

View File

@ -1505,7 +1505,7 @@ BEGIN
EDITTEXT S_DESCRIPTION,7,191,289,45,ES_MULTILINE | ES_AUTOVSCROLL | ES_READONLY | ES_WANTRETURN | WS_VSCROLL
END
D_CM_ACCOUNT DIALOGEX 0, 0, 451, 333
D_CM_ACCOUNT DIALOGEX 0, 0, 451, 346
STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU
CAPTION "@D_CM_ACCOUNT"
FONT 9, "MS Shell Dlg", 400, 0, 0x80
@ -1535,14 +1535,15 @@ BEGIN
CONTROL "@R_SOCKS",R_SOCKS,"Button",BS_AUTORADIOBUTTON,72,194,135,10
CONTROL "@R_SOCKS5",R_SOCKS5,"Button",BS_AUTORADIOBUTTON,72,204,135,10
PUSHBUTTON "@B_PROXY_CONFIG",B_PROXY_CONFIG,74,218,114,15
GROUPBOX "@STATIC11",S_STATIC11,7,245,206,69
GROUPBOX "@STATIC11",S_STATIC11,7,245,206,82
ICON ICO_CERT,IDC_STATIC,14,255,20,18
CONTROL "@R_CHECK_CERT",R_CHECK_CERT,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,41,259,133,9
PUSHBUTTON "@B_TRUST",B_TRUST,41,273,157,15
PUSHBUTTON "@B_SERVER_CERT",B_SERVER_CERT,41,291,77,15
PUSHBUTTON "@B_VIEW_SERVER_CERT",B_VIEW_SERVER_CERT,123,291,75,15
CONTROL "@R_HIDE",R_HIDE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,318,148,9
CONTROL "@R_HIDE2",R_HIDE2,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,158,318,132,9
CONTROL "@R_TRUST_DEFAULT",R_TRUST_DEFAULT,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,41,273,133,9
PUSHBUTTON "@B_TRUST",B_TRUST,41,287,157,15
PUSHBUTTON "@B_SERVER_CERT",B_SERVER_CERT,41,305,77,15
PUSHBUTTON "@B_VIEW_SERVER_CERT",B_VIEW_SERVER_CERT,123,305,75,15
CONTROL "@R_HIDE",R_HIDE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,331,148,9
CONTROL "@R_HIDE2",R_HIDE2,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,158,331,132,9
CONTROL "",L_VLAN,"SysListView32",LVS_REPORT | LVS_SINGLESEL | LVS_SHOWSELALWAYS | LVS_SHAREIMAGELISTS | LVS_NOCOLUMNHEADER | LVS_NOSORTHEADER | WS_BORDER | WS_TABSTOP,233,17,200,66
GROUPBOX "@S_VLAN_GROUP",S_VLAN_GROUP,224,5,220,88
LTEXT "@S_POLICY_1",S_POLICY_1,258,17,163,24,NOT WS_VISIBLE

View File

@ -1028,6 +1028,7 @@
#define L_VALUES_LIST 1519
#define B_HTTP_HEADER 1520
#define B_NEW 1521
#define R_TRUST_DEFAULT 1521
#define B_CLEAR 1522
#define B_ONLINE 1655
#define D_NM_CONNECT 1998
@ -1212,7 +1213,7 @@
#define _APS_NO_MFC 1
#define _APS_NEXT_RESOURCE_VALUE 244
#define _APS_NEXT_COMMAND_VALUE 40111
#define _APS_NEXT_CONTROL_VALUE 1521
#define _APS_NEXT_CONTROL_VALUE 1522
#define _APS_NEXT_SYMED_VALUE 102
#endif
#endif

View File

@ -214,6 +214,10 @@ ERR_145 不可接受的操作。使用 VPN Gate 实用工具修改 VPN Gate
ERR_146 VPN Gate 服务运行在 VPN 客户端程序内。在此屏幕上,你不能停止 VPN Gate 服务。使用 VPN 客户端管理器来启用或禁用 VPN Gate 服务。
ERR_147 不支持此功能。它尚未在 SoftEther VPN 的开源版本上实施。
ERR_148 VPN 连接被中断,因为该系统被暂停。
ERR_149 目标 VPN Server 的证书与指定的主机名不匹配。
ERR_150 找不到连接双方都支持的 TLS 版本。这通常意味着一方可能正在使用已被另一方禁用的过时的 TLS 版本。
ERR_151 找不到连接双方都支持的加密算法,或者指定的算法与服务器证书不兼容。
ERR_152 TLS 握手失败。
#关于许可证
@ -843,6 +847,7 @@ CM_ST_NO_VLAN
CM_ST_USE_ENCRYPT 加密
CM_ST_USE_ENCRYPT_TRUE 已启用 (算法: %S)
CM_ST_USE_ENCRYPT_TRUE2 已启用
CM_ST_USE_ENCRYPT_TRUE3 已启用 (%S 算法: %S)
CM_ST_USE_ENCRYPT_FALSE 已禁用 (不加密)
CM_ST_USE_COMPRESS 使用压缩
CM_ST_UDP_ACCEL_ENABLED 支持 UDP 加速
@ -1782,8 +1787,9 @@ LS_HUB_STOP 虚拟 HUB "%S" 已关闭。
LS_HUB_MAC 虚拟 HUB "%S" 的 MAC 地址是 "%S"。
LS_NODE_INFO_TAG 客户端产品名:"%S",客户端版本:%u客户端构建号%u服务端产品名"%S",服务端版本:%u服务端构建号%u客户端操作系统名"%S",客户端操作系统版本:"%S",客户端产品 ID"%S",客户端主机名:"%S",客户端 IP 地址:"%S",客户端端口号:%u服务端主机名"%S",服务端 IP 地址:"%S",服务端端口号:%u代理主机名"%S",代理 IP 地址:"%S",代理端口号:%u虚拟 HUB 名:"%S",客户端唯一 ID "%S"
LS_CONNECTION_START_1 客户端 (IP 地址:%S主机名"%S",端口号:%u) 的连接 "%S" 已建立。
LS_SSL_START_ERROR 无法启动连接 "%S" 的 SSL 通信。错误: %s (代码 %u)
LS_CONNECTION_END_1 连接 "%S" 已结束。
LS_SSL_START 连接 "%S" 的 SSL 通信已启动。加密算法名为 "%S"。
LS_SSL_START 连接 "%S" 的 SSL 通信已启动。协议版本是 %S。加密算法名为 "%S"。
LS_CONNECTION_ERROR 连接 "%S"因原因 "%s" (代码 %u)已终止。
LS_FARMMEMBER_NOT_ADMIN 连接 "%S": 服务端是群集成员,但客户端在非管理员 (%S) 用户情况下,尝试直接与虚拟 HUB "%S" 连接。客户端用户名为 "%S"。访问被拒绝。
LS_HUB_NOT_FOUND 连接 "%S": 客户端正在尝试连接的虚拟 HUB "%S" 在服务端上不存在。
@ -1811,6 +1817,8 @@ LS_LICENSE_VIOLATION_DETECTED 发现许可证违反错误,一个不同的 VPN
LS_API_AUTH_OK HTTPS API client "%r:%u" (%S): Administration mode: "%S": The embedded HTTPS web server accepted the successful login. Username: "%S", Method: "%S", Path: "%S"
LS_API_AUTH_ERROR HTTPS API client "%r:%u" (%S): The embedded HTTPS web server refused a login attempt. Username: "%S", Method: "%S", Path: "%S"
LS_API_RPC_CALL HTTPS API client "%r:%u" (%S): The client called a JSON-API. Method: "%S", Returned error code: %u (0 = success), Returned error message: "%s"
LS_AZURE_START 收到来自客户端 (IP 地址:%S端口号%u) 的 VPN Azure 连接请求。
LS_AZURE_SSL_ERROR 无法启动与 VPN Azure 中继服务器的 SSL 通信。错误: %s (代码 %u)
# (Proto log)
@ -2106,6 +2114,7 @@ LC_DELETE_ACCOUNT 已删除 VPN 连接设置 "%s"。
LC_RENAME_ACCOUNT 已变更 VPN 连接设置名 "%s" 为 "%s"。
LC_CONNECT 已开始 VPN 连接设置 "%s" 的连接处理。
LC_CONNECT_1 VPN 连接设置 "%s": 第 %u 次连接操作开始。
LC_SSL_CONNECTED VPN 连接设置 "%s": SSL 通信已启动。协议版本是 %S。加密算法名为 "%S"。
LC_CONNECT_2 VPN 连接设置 "%s": 连接完成。会话名: "%S"。
LC_CONNECT_ERROR VPN 连接设置 "%s": 连接断开或连接失败。原因: %s (代码 %u)
LC_DISCONNECT VPN 连接设置 "%s" 断开中。
@ -2342,6 +2351,7 @@ R_SOCKS5 通过 SOCKS5 代理服务器连接(&S)
B_PROXY_CONFIG 代理服务器设置(&R)
STATIC11 服务端证书验证选项(&F):
R_CHECK_CERT 总是验证服务端证书(&C)
R_TRUST_DEFAULT 信任系统证书存储
B_TRUST 管理可信发证机关证书列表(&C)
B_SERVER_CERT 指定特定证书(&S)
B_VIEW_SERVER_CERT 查看特定证书(&V)
@ -4412,7 +4422,8 @@ CMD_ACCOUNT_COLUMN_PROXY_PORT 代理服务器的端口号
CMD_ACCOUNT_COLUMN_PROXY_USERNAME 代理服务器的用户名
CMD_ACCOUNT_COLUMN_SERVER_CERT_USE 验证服务器证书
CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME 注册的服务器个人证书
CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT Retry on Untrusted Server Certificate
CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT 遇到不信任的证书时重试
CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA 信任系统证书存储
CMD_ACCOUNT_COLUMN_DEVICE_NAME 用于连接的设备名
CMD_ACCOUNT_COLUMN_AUTH_TYPE 验证类型
CMD_ACCOUNT_COLUMN_AUTH_USERNAME 用户名
@ -4427,7 +4438,7 @@ CMD_ACCOUNT_COLUMN_BRIDGE_ROUTER 通过网桥 / 路由模式连接
CMD_ACCOUNT_COLUMN_MONITOR 通过监测模式连接
CMD_ACCOUNT_COLUMN_NO_TRACKING 不要调整路由表
CMD_ACCOUNT_COLUMN_QOS_DISABLE 不要使用 QoS 控制功能
CMD_ACCOUNT_COLUMN_DISABLEUDP Disable UDP Acceleration
CMD_ACCOUNT_COLUMN_DISABLEUDP 禁用 UDP 加速功能
# Debugging Information Collecting Tool
@ -5515,6 +5526,20 @@ CMD_CascadeServerCertDisable_Args CascadeServerCertDisable [name]
CMD_CascadeServerCertDisable_[name] 指定级联名称来改变设置。
# CascadeDefaultCAEnable 命令
CMD_CascadeDefaultCAEnable 启用信任系统证书存储选项
CMD_CascadeDefaultCAEnable_Help 当启用服务器证书验证时,使用此选项来启用信任系统证书存储的证书。\n如果禁用服务器证书验证则此选项不执行任何操作。
CMD_CascadeDefaultCAEnable_Args CascadeDefaultCAEnable [name]
CMD_CascadeDefaultCAEnable_[name] 指定级联名称来改变设置。
# CascadeDefaultCADisable 命令
CMD_CascadeDefaultCADisable 禁用信任系统证书存储选项
CMD_CascadeDefaultCADisable_Help 当启用服务器证书验证时,使用此选项来禁用信任系统证书存储的证书。\n如果禁用服务器证书验证则此选项不执行任何操作。
CMD_CascadeDefaultCADisable_Args CascadeDefaultCADisable [name]
CMD_CascadeDefaultCADisable_[name] 指定级联名称来改变设置。
# CascadeServerCertSet 命令
CMD_CascadeServerCertSet 设置级联连接的服务器特定证书
CMD_CascadeServerCertSet_Help 指定已经在当前虚拟 HUB 注册的级联连接,当此连接和 VPN Server 之间通信时,事先将连接方提供的 SSL 证书注册。\n如果启用此选项需要将在目标服务器的证书事先通过指令设置到级联的连接设置中或者在虚拟 HUB 的可信任证书列表中,运行 CAAdd 指令,将有服务器的 SSL 证书署名的路线证书添加进去。\n当启用服务器证书验证选项时如果 VPN Server 提供的证书不可信,连接将断开,并重试。\n此命令在集群虚拟 HUB 中不能运行。
@ -6819,6 +6844,20 @@ CMD_AccountRetryOnServerCertDisable_Args AccountRetryOnServerCertDisable [name]
CMD_AccountRetryOnServerCertDisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountDefaultCAEnable 命令
CMD_AccountDefaultCAEnable 启用信任系统证书存储选项
CMD_AccountDefaultCAEnable_Help 当启用服务器证书验证时,使用此选项来启用信任系统证书存储的证书。\n如果禁用服务器证书验证则此选项不执行任何操作。
CMD_AccountDefaultCAEnable_Args AccountDefaultCAEnable [name]
CMD_AccountDefaultCAEnable_[name] 指定要更改设置的连接设置名。
# AccountDefaultCADisable 命令
CMD_AccountDefaultCADisable 禁用信任系统证书存储选项
CMD_AccountDefaultCADisable_Help 当启用服务器证书验证时,使用此选项来禁用信任系统证书存储的证书。\n如果禁用服务器证书验证则此选项不执行任何操作。
CMD_AccountDefaultCADisable_Args AccountDefaultCADisable [name]
CMD_AccountDefaultCADisable_[name] 指定要更改设置的连接设置名。
# AccountServerCertSet 命令
CMD_AccountServerCertSet 设置连接设置的服务器固有证明书
CMD_AccountServerCertSet_Help 指定注册到 VPN Client 的连接设置,其连接设置连接到 VPN Server 时,预先注册与连接目标的 VPN Server 提交的 SSL 证书相同的证书。\n如果启动了连接设置的服务器证书验证选项可以预先将连接目标服务器的 SSL 证书以此指令保存在连接设置的设置内,或需要将服务器的 SSL 证书签名了的根证书,以 CAAdd 指令注册到虚拟 HUB 信任的证明机构的证书列表中。\n验证连接设置的服务器证书的选项处于启动状态连接了的 VPN Server 的证书不可信时,立即解除连接,反复重试。

View File

@ -212,6 +212,11 @@ ERR_145 Unacceptable operation. Use the VPN Gate Utility to modify the conne
ERR_146 The VPN Gate Service is running inside the VPN Client program. You cannot stop the VPN Gate Service on this screen. Use the VPN Client Manager to enable or disable the VPN Gate Service.
ERR_147 This feature is not supported. It hasn't been implemented yet on the open-source version of SoftEther VPN.
ERR_148 The VPN connection was disconnected because the system is being suspended.
ERR_149 The destination VPN Server's certificate does not match the specified hostname.
ERR_150 Failed to find the TLS version that is supported by both sides. This usually means that one side may be using an obsolete TLS version which is diabled by the other side.
ERR_151 Failed to find an available cipher that is supported by both sides, or the cipher specified is not compatible with the server certificate.
ERR_152 TLS handshake has failed.
# Concerning licenses
LICENSE_INFO_URL https://selinks.org/?new_license
@ -837,6 +842,7 @@ CM_ST_NO_VLAN -
CM_ST_USE_ENCRYPT Encryption
CM_ST_USE_ENCRYPT_TRUE Enabled (Algorithm: %S)
CM_ST_USE_ENCRYPT_TRUE2 Enabled
CM_ST_USE_ENCRYPT_TRUE3 Enabled (%S Algorithm: %S)
CM_ST_USE_ENCRYPT_FALSE Disabled (No Encryption)
CM_ST_USE_COMPRESS Use of Compression
CM_ST_UDP_ACCEL_ENABLED UDP Acceleration is Supported
@ -1767,8 +1773,9 @@ LS_HUB_STOP Virtual Hub "%S" has been stopped.
LS_HUB_MAC The MAC address of Virtual Hub "%S" is "%S".
LS_NODE_INFO_TAG Client product name: "%S", Client version: %u, Client build number: %u, Server product name: "%S", Server version: %u, Server build number: %u, Client OS name: "%S", Client OS version: "%S", Client product ID: "%S", Client host name: "%S", Client IP address: "%S", Client port number: %u, Server host name: "%S", Server IP address: "%S", Server port number: %u, Proxy host name: "%S", Proxy IP address: "%S", Proxy port number: %u, Virtual Hub name: "%S", Client unique ID: "%S"
LS_CONNECTION_START_1 For the client (IP address: %S, host name: "%S", port number: %u), connection "%S" has been created.
LS_SSL_START_ERROR Failed to start SSL communication for connection "%S". Error: %s (code %u)
LS_CONNECTION_END_1 Connection "%S" has been terminated.
LS_SSL_START SSL communication for connection "%S" has been started. The encryption algorithm name is "%S".
LS_SSL_START SSL communication for connection "%S" has been started. The protocol version is %S. The encryption algorithm name is "%S".
LS_CONNECTION_ERROR Connection "%S" terminated by the cause "%s" (code %u).
LS_FARMMEMBER_NOT_ADMIN Connection "%S": Although the server is a cluster member, the client attempted that to directly connect to the Virtual Hub "%S" while not being administrator user "%S". The user name provided by the client is "%S". Access is refused.
LS_HUB_NOT_FOUND Connection "%S": Virtual Hub "%S" that the client is trying to connect to does not exist on the server.
@ -1796,6 +1803,8 @@ LS_LICENSE_VIOLATION_DETECTED A license violation has been detected. A different
LS_API_AUTH_OK HTTPS API client "%r:%u" (%S): Administration mode: "%S": The embedded HTTPS web server accepted the successful login. Username: "%S", Method: "%S", Path: "%S"
LS_API_AUTH_ERROR HTTPS API client "%r:%u" (%S): The embedded HTTPS web server refused a login attempt. Username: "%S", Method: "%S", Path: "%S"
LS_API_RPC_CALL HTTPS API client "%r:%u" (%S): The client called a JSON-API. Method: "%S", Returned error code: %u (0 = success), Returned error message: "%s"
LS_AZURE_START Received VPN Azure connection request from the client (IP address: %S, port number: %u).
LS_AZURE_SSL_ERROR Failed to start SSL communication with VPN Azure relay server. Error: %s (code %u)
# (Proto log)
@ -2089,6 +2098,7 @@ LC_DELETE_ACCOUNT The VPN Connection Setting "%s" has been deleted.
LC_RENAME_ACCOUNT The name of VPN Connection Setting "%s" has been changed to "%s".
LC_CONNECT Connection processing for VPN Connection Setting "%s" has started.
LC_CONNECT_1 VPN Connection Setting "%s": Connection operation starting (this is now %u times).
LC_SSL_CONNECTED VPN Connection Setting "%s": SSL communication has been started. The protocol version is %S. The encryption algorithm name is "%S".
LC_CONNECT_2 VPN Connection Setting "%s": Now connected. Session name: "%S"
LC_CONNECT_ERROR VPN Connection Setting "%s": The connection has been either disconnected or it failed. Cause: %s (code %u)
LC_DISCONNECT Disconnecting the VPN Connection Setting "%s".
@ -2325,6 +2335,7 @@ R_SOCKS5 Connect via &SOCKS5 Proxy Server
B_PROXY_CONFIG P&roxy Server Setting
STATIC11 Server Certificate Veri&fication Option:
R_CHECK_CERT Always Verify Server &Certificate
R_TRUST_DEFAULT Trust System Certificate Store
B_TRUST Manage Trusted CA &Certificate List
B_SERVER_CERT &Specify Individual Cert
B_VIEW_SERVER_CERT Show Indi&vidual Cert
@ -4399,6 +4410,7 @@ CMD_ACCOUNT_COLUMN_PROXY_USERNAME Proxy Server User Name
CMD_ACCOUNT_COLUMN_SERVER_CERT_USE Verify Server Certificate
CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME Registered Server Individual Certificate
CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT Retry on Untrusted Server Certificate
CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA Trust System Certificate Store
CMD_ACCOUNT_COLUMN_DEVICE_NAME Device Name Used for Connection
CMD_ACCOUNT_COLUMN_AUTH_TYPE Authentication Type
CMD_ACCOUNT_COLUMN_AUTH_USERNAME User Name
@ -5499,6 +5511,20 @@ CMD_CascadeServerCertDisable_Args CascadeServerCertDisable [name]
CMD_CascadeServerCertDisable_[name] Specify the name of the Cascade Connection whose setting you want to change.
# CascadeDefaultCAEnable command
CMD_CascadeDefaultCAEnable Enable Trust System Certificate Store Option
CMD_CascadeDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_CascadeDefaultCAEnable_Args CascadeDefaultCAEnable [name]
CMD_CascadeDefaultCAEnable_[name] Specify the name of the Cascade Connection whose setting you want to change.
# CascadeDefaultCADisable command
CMD_CascadeDefaultCADisable Disable Trust System Certificate Store Option
CMD_CascadeDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_CascadeDefaultCADisable_Args CascadeDefaultCADisable [name]
CMD_CascadeDefaultCADisable_[name] Specify the name of the Cascade Connection whose setting you want to change.
# CascadeServerCertSet command
CMD_CascadeServerCertSet Set the Server Individual Certificate for Cascade Connection
CMD_CascadeServerCertSet_Help When a Cascade Connection registered on the currently managed Virtual Hub is specified and that Cascade Connection connects to a VPN Server, use this to register beforehand the same certificate as the SSL certificate provided by the destination VPN Server. \nIf the option to verify server certificates for Cascade Connections is enabled, you must either use this command to save the connection destination server SSL certificate beforehand in the Cascade Connection Settings beforehand, or use the CAAdd command etc. to register a root certificate containing the signed server SSL certificate in the list of Virtual Hub trusted CA certificates. \nIf the certificate of the connected VPN Server cannot be trusted under the condition where the option to verify server certificates was enabled for the Cascade Connection, the connection will be promptly cancelled and continual reattempts at connection will be made. \nYou cannot execute this command for Virtual Hubs of VPN Servers operating as a cluster.
@ -6806,6 +6832,20 @@ CMD_AccountRetryOnServerCertDisable_Args AccountRetryOnServerCertDisable [name]
CMD_AccountRetryOnServerCertDisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountDefaultCAEnable command
CMD_AccountDefaultCAEnable Enable Trust System Certificate Store Option
CMD_AccountDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_AccountDefaultCAEnable_Args AccountDefaultCAEnable [name]
CMD_AccountDefaultCAEnable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountDefaultCADisable command
CMD_AccountDefaultCADisable Disable Trust System Certificate Store Option
CMD_AccountDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_AccountDefaultCADisable_Args AccountDefaultCADisable [name]
CMD_AccountDefaultCADisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountServerCertSet command
CMD_AccountServerCertSet Set Server Individual Certificate for VPN Connection Setting
CMD_AccountServerCertSet_Help When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting connects to a VPN Server, use this to register the same certificate as the SSL certificate provided by the destination VPN Server. \nIf the option to verify server certificates for VPN Connection Settings is enabled, you must either use this command to save the connection destination server SSL certificate beforehand in the VPN Connection Setting settings beforehand, or use the CAAdd command etc. to register a root certificate containing the signed server SSL certificate in the list of Virtual Hub trusted CA certificates. \nIf the certificate of the connected VPN Server cannot be trusted under the condition where the option to verify server certificates has been enabled for the VPN Connection Setting, the connection will be promptly cancelled and continual reattempts at connection will be made.

View File

@ -214,7 +214,10 @@ ERR_145 この操作は実行できません。VPN Gate 公開 VPN 中継サ
ERR_146 VPN Gate サービスが VPN Client 内で動作している場合は、この設定画面から VPN Gate サービスを停止することはできません。VPN Gate サービスを停止するには、VPN Client 接続マネージャの設定ツールを使用してください。
ERR_147 この機能はオープンソース版 SoftEther VPN にはまだ実装されていません。
ERR_148 Windows システムがサスペンド状態に移行中のため、VPN 通信が切断されました。
ERR_149 接続先サーバーの提示した証明書が指定したホスト名と一致しません。
ERR_150 両側でサポートされている TLS バージョンが見つかりませんでした。どちらかが相手側で無効になっている古い TLS バージョンを使用している可能性があります。
ERR_151 両側でサポートされている暗号化アルゴリズムが見つからなかったか、指定されたアルゴリズムがサーバー証明書と互換性がありません。
ERR_152 TLS ハンドシェイクが失敗しました。
# ライセンス関係
@ -840,6 +843,7 @@ CM_ST_NO_VLAN
CM_ST_USE_ENCRYPT 暗号化の使用
CM_ST_USE_ENCRYPT_TRUE はい (暗号化アルゴリズム: %S)
CM_ST_USE_ENCRYPT_TRUE2 はい
CM_ST_USE_ENCRYPT_TRUE3 はい (%S 暗号化アルゴリズム: %S)
CM_ST_USE_ENCRYPT_FALSE いいえ (暗号化なし)
CM_ST_USE_COMPRESS 圧縮の使用
CM_ST_UDP_ACCEL_ENABLED UDP 高速化機能をサポート
@ -1771,8 +1775,9 @@ LS_HUB_STOP 仮想 HUB "%S" を停止しました。
LS_HUB_MAC 仮想 HUB "%S" の MAC アドレスは "%S" です。
LS_NODE_INFO_TAG クライアント製品名 "%S", クライアントバージョン %u, クライアントビルド番号 %u, サーバー製品名 "%S", サーバーバージョン %u, サーバービルド番号 %u, クライアント OS 名 "%S", クライアント OS バージョン "%S", クライアントプロダクト ID "%S", クライアントホスト名 "%S", クライアント IP アドレス "%S", クライアントポート番号 %u, サーバーホスト名 "%S", サーバー IP アドレス "%S", サーバーポート番号 %u, プロキシホスト名 "%S", プロキシ IP アドレス "%S", プロキシポート番号 %u, 仮想 HUB 名 "%S", クライアントユニーク ID "%S"
LS_CONNECTION_START_1 クライアント (IP アドレス %S, ホスト名 "%S", ポート番号 %u) に対応するコネクション "%S" が作成されました。
LS_SSL_START_ERROR コネクション "%S" に対する SSL 通信を開始できませんでした。エラー: %s (コード %u)
LS_CONNECTION_END_1 コネクション "%S" が終了しました。
LS_SSL_START コネクション "%S" に対する SSL 通信が開始されました。暗号化アルゴリズム名は "%S" です。
LS_SSL_START コネクション "%S" に対する SSL 通信が開始されました。プロトコルバージョンは %S です。暗号化アルゴリズム名は "%S" です。
LS_CONNECTION_ERROR コネクション "%S" は理由 "%s" (コード %u) で終了しました。
LS_FARMMEMBER_NOT_ADMIN コネクション "%S": サーバーはクラスタメンバですが、クライアントは仮想 HUB "%S" に管理者ユーザー "%S" 以外で直接接続しようと試みました。クライアントが提示したユーザー名は "%S" です。アクセスは許可されません。
LS_HUB_NOT_FOUND コネクション "%S": クライアントが接続しようとした仮想 HUB "%S" はサーバー上に存在しません。
@ -1800,6 +1805,8 @@ LS_LICENSE_VIOLATION_DETECTED ライセンス違反を検出しました。別
LS_API_AUTH_OK HTTPS API クライアント "%r:%u" (%S): 管理モード: "%S" で組み込み HTTPS Web サーバーを用いてログインに成功しました。使用されたユーザー名: "%S", メソッド: "%S", パス: "%S"
LS_API_AUTH_ERROR HTTPS API クライアント "%r:%u" (%S): 組み込み HTTPS Web サーバーを用いてログインに失敗しました。使用されたユーザー名: "%S", メソッド: "%S", パス: "%S"
LS_API_RPC_CALL HTTPS API クライアント "%r:%u" (%S): JSON-API を呼び出しました。メソッド名: "%S", 結果エラーコード: %u (0 = 成功), 結果エラーメッセージ: "%s"
LS_AZURE_START クライアント (IP アドレス %S, ポート番号 %u) から VPN Azure 接続要求を受信しました。
LS_AZURE_SSL_ERROR VPN Azure リレーサーバーとの SSL 通信を開始できませんでした。エラー: %s (コード %u)
# (Proto ログ)
@ -2093,6 +2100,7 @@ LC_DELETE_ACCOUNT 接続設定 "%s" を削除しました。
LC_RENAME_ACCOUNT 接続設定 "%s" の名前を "%s" に変更しました。
LC_CONNECT 接続設定 "%s" への接続処理を開始しました。
LC_CONNECT_1 接続設定 "%s": %u 回目の接続動作を開始します。
LC_SSL_CONNECTED 接続設定 "%s": SSL 通信が開始されました。プロトコルバージョンは %S です。暗号化アルゴリズム名は "%S" です。
LC_CONNECT_2 接続設定 "%s": 接続が完了しました。セッション名: "%S"
LC_CONNECT_ERROR 接続設定 "%s": 接続が切断されたか、接続に失敗しました。理由: %s (コード %u)
LC_DISCONNECT 接続設定 "%s" を切断します。
@ -2330,6 +2338,7 @@ R_SOCKS5 SOCKS5 プロキシサーバー経由接続(&S)
B_PROXY_CONFIG プロキシサーバーの接続設定(&2)
STATIC11 サーバー証明書の検証オプション(&F):
R_CHECK_CERT サーバー証明書を必ず検証する(&3)
R_TRUST_DEFAULT システム証明書ストアを信頼する
B_TRUST 信頼する証明機関の証明書の管理(&4)
B_SERVER_CERT 固有証明書の登録(&R)
B_VIEW_SERVER_CERT 固有証明書の表示(&5)
@ -4403,6 +4412,7 @@ CMD_ACCOUNT_COLUMN_PROXY_USERNAME プロキシサーバーのユーザー名
CMD_ACCOUNT_COLUMN_SERVER_CERT_USE サーバー証明書の検証
CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME 登録されているサーバー固有証明書
CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT サーバー証明書が信頼できない場合に接続を再試行する
CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA システム証明書ストアを信頼する
CMD_ACCOUNT_COLUMN_DEVICE_NAME 接続に使用するデバイス名
CMD_ACCOUNT_COLUMN_AUTH_TYPE 認証の種類
CMD_ACCOUNT_COLUMN_AUTH_USERNAME ユーザー名
@ -5502,6 +5512,20 @@ CMD_CascadeServerCertDisable_Args CascadeServerCertDisable [name]
CMD_CascadeServerCertDisable_[name] 設定を変更するカスケード接続の名前を指定します。
# CascadeDefaultCAEnable コマンド
CMD_CascadeDefaultCAEnable システム証明書ストアからの証明書の信頼を有効化
CMD_CascadeDefaultCAEnable_Help サーバー証明書の検証が有効になっている場合、システム証明書ストアからの証明書の信頼を有効にします。\nサーバー証明書の検証が無効になっている場合、このオプションは何もしません。
CMD_CascadeDefaultCAEnable_Args CascadeDefaultCAEnable [name]
CMD_CascadeDefaultCAEnable_[name] 設定を変更するカスケード接続の名前を指定します。
# CascadeDefaultCADisable コマンド
CMD_CascadeDefaultCADisable システム証明書ストアからの証明書の信頼を無効化
CMD_CascadeDefaultCADisable_Help サーバー証明書の検証が有効になっている場合、システム証明書ストアからの証明書の信頼を無効にします。\nサーバー証明書の検証が無効になっている場合、このオプションは何もしません。
CMD_CascadeDefaultCADisable_Args CascadeDefaultCADisable [name]
CMD_CascadeDefaultCADisable_[name] 設定を変更するカスケード接続の名前を指定します。
# CascadeServerCertSet コマンド
CMD_CascadeServerCertSet カスケード接続のサーバー固有証明書の設定
CMD_CascadeServerCertSet_Help 現在管理している仮想 HUB に登録されているカスケード接続を指定し、そのカスケード接続が VPN Server に対して接続する際に、接続先の VPN Server の提示する SSL 証明書と同じ証明書をあらかじめ登録します。\nカスケード接続の、サーバー証明書の検証オプションが有効になっている場合、接続先サーバーの SSL 証明書を、あらかじめこのコマンドでカスケード接続設定内に保存しておくか、または仮想 HUB の信頼する証明機関の証明書一覧に、サーバーの SSL 証明書を署名したルート証明書を CAAdd コマンドなどで登録しておく必要があります。\nカスケード接続の、サーバー証明書の検証オプションが有効になっている状態で接続した VPN Server の証明書が信頼できない場合、直ちに接続を解除して再試行を繰り返します。\nこのコマンドは、クラスタとして動作している VPN Server の仮想 HUB では実行できません。
@ -6803,7 +6827,6 @@ CMD_AccountServerCertDisable_[name] 設定を変更する接続設定の名前
# AccountRetryOnServerCertEnable コマンド
CMD_AccountRetryOnServerCertEnable 接続設定のサーバー証明書が信頼できない場合の接続再試行を有効化
CMD_AccountRetryOnServerCertEnable_Help 接続設定のサーバー証明書の検証プションが有効になっている状態で、 VPN Server の証明書が信頼できない場合、直ちに接続を解除して再試行を繰り返します。AccountRetryOnServerCertDisableコマンドを使用することにより再試行を行わないように設定することができますが、このコマンドを使用することにより、デフォルトの接続再試行を行う状態に戻すことができます。
CMD_AccountRetryOnServerCertEnable_Args AccountRetryOnServerCertEnable [name]
CMD_AccountRetryOnServerCertEnable_[name] 設定を変更する接続設定の名前を指定します。
@ -6815,6 +6838,20 @@ CMD_AccountRetryOnServerCertDisable_Args AccountRetryOnServerCertDisable [name]
CMD_AccountRetryOnServerCertDisable_[name] 設定を変更する接続設定の名前を指定します。
# AccountDefaultCAEnable コマンド
CMD_AccountDefaultCAEnable システム証明書ストアからの証明書の信頼を有効化
CMD_AccountDefaultCAEnable_Help サーバー証明書の検証が有効になっている場合、システム証明書ストアからの証明書の信頼を有効にします。\nサーバー証明書の検証が無効になっている場合、このオプションは何もしません。
CMD_AccountDefaultCAEnable_Args AccountDefaultCAEnable [name]
CMD_AccountDefaultCAEnable_[name] 設定を変更する接続設定の名前を指定します。
# AccountDefaultCADisable コマンド
CMD_AccountDefaultCADisable システム証明書ストアからの証明書の信頼を無効化
CMD_AccountDefaultCADisable_Help サーバー証明書の検証が有効になっている場合、システム証明書ストアからの証明書の信頼を無効にします。\nサーバー証明書の検証が無効になっている場合、このオプションは何もしません。
CMD_AccountDefaultCADisable_Args AccountDefaultCADisable [name]
CMD_AccountDefaultCADisable_[name] 設定を変更する接続設定の名前を指定します。
# AccountServerCertSet コマンド
CMD_AccountServerCertSet 接続設定のサーバー固有証明書の設定
CMD_AccountServerCertSet_Help VPN Client に登録されている接続設定を指定し、その接続設定が VPN Server に対して接続する際に、接続先の VPN Server の提示する SSL 証明書と同じ証明書をあらかじめ登録します。\n接続設定のサーバー証明書の検証オプションが有効になっている場合、接続先サーバーの SSL 証明書をあらかじめこのコマンドで接続設定設定内に保存しておくか、または仮想 HUB の信頼する証明機関の証明書一覧に、サーバーの SSL 証明書を署名したルート証明書を CAAdd コマンドなどで登録しておく必要があります。\n接続設定のサーバー証明書の検証オプションが有効になっている状態で、接続した VPN Server の証明書が信頼できない場合、直ちに接続を解除して再試行を繰り返します。

View File

@ -218,7 +218,10 @@ ERR_145 이 작업을 수행 할 수 없습니다. VPN Gate 공개 VPN 중계
ERR_146 VPN Gate 서비스가 VPN Client에서 실행중인 경우이 설정 화면에서 VPN Gate 서비스를 중지 할 수 없습니다. VPN Gate 서비스를 중지하려면 VPN Client 연결 관리자 설정 도구를 사용하십시오.
ERR_147 이 기능은 오픈 소스 버전 SoftEther VPN은 아직 구현되어 있지 않습니다.
ERR_148 Windows 시스템이 대기 상태로 전환 중이기 때문에 VPN 통신이 끊어졌습니다.
ERR_149 대상 VPN 서버의 인증서가 지정된 호스트 이름과 일치하지 않습니다.
ERR_150 양쪽에서 지원되는 TLS 버전을 찾을 수 없습니다. 한 쪽은 다른 쪽에서 비활성화된 이전 TLS 버전을 사용하고 있을 수 있습니다.
ERR_151 양쪽에서 지원하는 사용 가능한 암호 알고리즘을 찾지 못했거나 지정된 알고리즘이 서버 인증서와 호환되지 않습니다.
ERR_152 TLS 핸드셰이크가 실패했습니다.
# 라이센스 관계
@ -841,6 +844,7 @@ CM_ST_NO_VLAN -
CM_ST_USE_ENCRYPT 암호화 사용
CM_ST_USE_ENCRYPT_TRUE 예 (암호화 알고리즘:%S)
CM_ST_USE_ENCRYPT_TRUE2 잔
CM_ST_USE_ENCRYPT_TRUE3 예 (%S 암호화 알고리즘:%S)
CM_ST_USE_ENCRYPT_FALSE 아니오 (암호화 없음)
CM_ST_USE_COMPRESS 압축 사용
CM_ST_UDP_ACCEL_ENABLED UDP 가속화 기능을 지원
@ -1752,8 +1756,9 @@ LS_HUB_STOP 가상 HUB "%S"를 중지했습니다.
LS_HUB_MAC 가상 HUB "%S"의 MAC 주소는 "%S"입니다.
LS_NODE_INFO_TAG 클라이언트 제품 이름 "%S"클라이언트 버전 %u 클라이언트 빌드 번호 %u 서버 제품 이름 "%S"서버 버전 %u 서버 빌드 번호 %u 클라이언트 OS 이름 "%S"클라이언트 OS 버전 "%S"클라이언트 제품 ID "%S"클라이언트 호스트 이름 "%S"클라이언트 IP 주소 "%S"클라이언트 포트 번호 %u 서버 호스트 이름 "%S"서버 IP 주소 "%S" 서버 포트 번호 %u 프록시 호스트 이름 "%S"프록시 IP 주소 "%S"프록시 포트 번호 %u 가상 HUB 이름 "%S"클라이언트 고유 ID "%S"
LS_CONNECTION_START_1 클라이언트 (IP 주소 %S 호스트 이름 "%S"포트 번호 %u)에 대응하는 연결 "%S"가 작성되었습니다.
LS_SSL_START_ERROR 연결 "%S"에 대한 SSL 통신을 시작하지 못했습니다. 오류:%s (코드 %u)
LS_CONNECTION_END_1 연결 "%S"가 종료되었습니다.
LS_SSL_START 연결 "%S"에 대한 SSL 통신이 시작되었습니다. 암호화 알고리즘 명은 "%S"입니다.
LS_SSL_START 연결 "%S"에 대한 SSL 통신이 시작되었습니다. 프로토콜 버전은 %S입니다. 암호화 알고리즘 명은 "%S"입니다.
LS_CONNECTION_ERROR 연결 "%S"는 이유로 "%s"(코드 %u)로 종료되었습니다.
LS_FARMMEMBER_NOT_ADMIN 연결 "%S": 서버는 클러스터 멤버이지만, 클라이언트는 가상 HUB "%S"관리자 사용자 "%S"이외로 직접 연결하려고 시도했습니다. 클라이언트가 제공 한 사용자 이름은 "%S"입니다. 액세스는 허용되지 않습니다.
LS_HUB_NOT_FOUND 연결 "%S": 클라이언트가 연결을 시도하는 가상 HUB "%S"는 서버에 존재하지 않습니다.
@ -1781,6 +1786,8 @@ LS_LICENSE_VIOLATION_DETECTED 라이센스 위반을 감지했습니다. 다른
LS_API_AUTH_OK HTTPS API client "%r:%u" (%S): Administration mode: "%S": The embedded HTTPS web server accepted the successful login. Username: "%S", Method: "%S", Path: "%S"
LS_API_AUTH_ERROR HTTPS API client "%r:%u" (%S): The embedded HTTPS web server refused a login attempt. Username: "%S", Method: "%S", Path: "%S"
LS_API_RPC_CALL HTTPS API client "%r:%u" (%S): The client called a JSON-API. Method: "%S", Returned error code: %u (0 = success), Returned error message: "%s"
LS_AZURE_START 클라이언트 (IP 주소 %S 포트 번호 %u)에서 VPN Azure 연결 요청을 받았습니다.
LS_AZURE_SSL_ERROR VPN Azure 릴레이 서버와 SSL 통신을 시작하지 못했습니다. 오류:%s (코드 %u)
# (Proto 로그)
@ -2071,6 +2078,7 @@ LC_DELETE_ACCOUNT 연결 설정 "%s"를 삭제했습니다.
LC_RENAME_ACCOUNT 연결 설정 "%s"의 이름을 "%s"로 변경했습니다.
LC_CONNECT 연결 설정 "%s"연결 처리를 시작했습니다.
LC_CONNECT_1 연결 설정 "%s": %u 번째 연결 동작을 시작합니다.
LC_SSL_CONNECTED 연결 설정 "%s": SSL 통신이 시작되었습니다. 프로토콜 버전은 %S입니다. 암호화 알고리즘 명은 "%S"입니다.
LC_CONNECT_2 연결 설정 "%s": 연결이 완료되었습니다. 세션 이름:"%S"
LC_CONNECT_ERROR 연결 설정 "%s": 연결이 끊어 졌는지 연결에 실패했습니다. 이유:%s (코드 %u)
LC_DISCONNECT 연결 설정 "%s"를 끊습니다.
@ -2308,6 +2316,7 @@ R_SOCKS5 SOCKS5 프록시 서버를 통해 연결 (&S)
B_PROXY_CONFIG 프록시 서버 연결 설정 (&2)
STATIC11 서버 인증서 검증 옵션 (&F):
R_CHECK_CERT 서버 인증서를 반드시 확인한다 (&3)
R_TRUST_DEFAULT 시스템 인증서 저장소 신뢰
B_TRUST 신뢰하는 인증 기관의 인증서 관리 (&4)
B_SERVER_CERT 고유 인증서 등록 (&R)
B_VIEW_SERVER_CERT 고유 인증서보기 (&5)
@ -4381,6 +4390,7 @@ CMD_ACCOUNT_COLUMN_PROXY_USERNAME 프록시 서버의 사용자 이름
CMD_ACCOUNT_COLUMN_SERVER_CERT_USE 서버 인증서 확인
CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME 등록 된 서버 별 인증서
CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT Retry on Untrusted Server Certificate
CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA 시스템 인증서 저장소 신뢰
CMD_ACCOUNT_COLUMN_DEVICE_NAME 연결에 사용할 장치 이름
CMD_ACCOUNT_COLUMN_AUTH_TYPE 인증의 종류
CMD_ACCOUNT_COLUMN_AUTH_USERNAME 사용자 이름
@ -5479,6 +5489,20 @@ CMD_CascadeServerCertDisable_Args CascadeServerCertDisable [name]
CMD_CascadeServerCertDisable_[name] 설정을 변경 계단식의 이름을 지정합니다.
# CascadeDefaultCAEnable command
CMD_CascadeDefaultCAEnable Enable Trust System Certificate Store Option
CMD_CascadeDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_CascadeDefaultCAEnable_Args CascadeDefaultCAEnable [name]
CMD_CascadeDefaultCAEnable_[name] Specify the name of the Cascade Connection whose setting you want to change.
# CascadeDefaultCADisable command
CMD_CascadeDefaultCADisable Disable Trust System Certificate Store Option
CMD_CascadeDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_CascadeDefaultCADisable_Args CascadeDefaultCADisable [name]
CMD_CascadeDefaultCADisable_[name] Specify the name of the Cascade Connection whose setting you want to change.
# CascadeServerCertSet 명령
CMD_CascadeServerCertSet 계단식 서버 별 인증서 설정
CMD_CascadeServerCertSet_Help 현재 관리하고있는 가상 HUB에 등록되어있는 계단식 지정하고 계단식가 VPN Server에 연결할 때 연결하려는 VPN Server가 제시하는 SSL 인증서와 동일한 인증서를 미리 등록합니다. \n 계단식 서버 인증서 검증 옵션이 활성화되어있는 경우 연결할 서버의 SSL 인증서를 미리이 명령에서 계단식 설정에 저장할하거나 가상 HUB의 신뢰 인증 기관의 인증서 목록에 서버의 SSL 인증서를 서명 한 루트 인증서를 CAAdd 명령 등으로 등록되어 있어야합니다. \n 계단식 서버 인증서 검증 옵션이 활성화되어있는 상태에서 연결 한 VPN Server의 인증서를 신뢰할 수없는 경우 즉시 연결을 해제하고 재 시도를 반복합니다. \n이 명령은 클러스터로 작동하는 VPN Server의 가상 HUB에서는 실행되지 않습니다.
@ -6789,6 +6813,20 @@ CMD_AccountRetryOnServerCertDisable_Args AccountRetryOnServerCertDisable [name]
CMD_AccountRetryOnServerCertDisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountDefaultCAEnable command
CMD_AccountDefaultCAEnable Enable Trust System Certificate Store Option
CMD_AccountDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_AccountDefaultCAEnable_Args AccountDefaultCAEnable [name]
CMD_AccountDefaultCAEnable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountDefaultCADisable command
CMD_AccountDefaultCADisable Disable Trust System Certificate Store Option
CMD_AccountDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_AccountDefaultCADisable_Args AccountDefaultCADisable [name]
CMD_AccountDefaultCADisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountServerCertSet 명령
CMD_AccountServerCertSet 연결 설정 서버 별 인증서 설정
CMD_AccountServerCertSet_Help VPN Client에 등록되어있는 연결 설정을 지정하고 연결 설정 VPN Server에 연결할 때 연결하려는 VPN Server가 제시하는 SSL 인증서와 동일한 인증서를 미리 등록합니다. \n 연결 설정 서버 인증서 검증 옵션이 활성화되어있는 경우 연결할 서버의 SSL 인증서를 미리이 명령에서 연결 설정 설정에 저장할하거나 가상 HUB 신뢰하는 인증 기관 인증서 목록에 서버의 SSL 인증서를 서명 한 루트 인증서를 CAAdd 명령 등으로 등록되어 있어야합니다. \n 연결 설정 서버 인증서 검증 옵션이 활성화되어있는 상태에서 연결 한 VPN Server의 인증서를 신뢰할 수없는 경우 즉시 연결을 해제하고 재 시도를 반복합니다.

View File

@ -231,6 +231,10 @@ ERR_145 Unacceptable operation. Use the VPN Gate Utility to modify the connectio
ERR_146 The VPN Gate Service is running inside the VPN Client program. You cannot stop the VPN Gate Service on this screen. Use the VPN Client Manager to enable or disable the VPN Gate Service.
ERR_147 This feature is not supported. It hasn't been implemented yet on the open-source version of SoftEther VPN.
ERR_148 The VPN connection was disconnected because the system is being suspended.
ERR_149 The destination VPN Server's certificate does not match the specified hostname.
ERR_150 Failed to find the TLS version that is supported by both sides. This usually means that one side may be using an obsolete TLS version which is diabled by the other side.
ERR_151 Failed to find an available cipher that is supported by both sides, or the cipher specified is not compatible with the server certificate.
ERR_152 TLS handshake has failed.
# Concerning licenses
@ -857,6 +861,7 @@ CM_ST_NO_VLAN -
CM_ST_USE_ENCRYPT Criptografia
CM_ST_USE_ENCRYPT_TRUE Enabled (Algorithm: %S)
CM_ST_USE_ENCRYPT_TRUE2 Ativado
CM_ST_USE_ENCRYPT_TRUE3 Enabled (%S Algorithm: %S)
CM_ST_USE_ENCRYPT_FALSE Disabled (No Encryption)
CM_ST_USE_COMPRESS Use of Compression
CM_ST_UDP_ACCEL_ENABLED UDP Acceleration is Supported
@ -1767,8 +1772,9 @@ LS_HUB_STOP Virtual Hub "%S" has been stopped.
LS_HUB_MAC The MAC address of Virtual Hub "%S" is "%S".
LS_NODE_INFO_TAG Client product name: "%S", Client version: %u, Client build number: %u, Server product name: "%S", Server version: %u, Server build number: %u, Client OS name: "%S", Client OS version: "%S", Client product ID: "%S", Client host name: "%S", Client IP address: "%S", Client port number: %u, Server host name: "%S", Server IP address: "%S", Server port number: %u, Proxy host name: "%S", Proxy IP address: "%S", Proxy port number: %u, Virtual Hub name: "%S", Client unique ID: "%S"
LS_CONNECTION_START_1 For the client (IP address: %S, host name: "%S", port number: %u), connection "%S" has been created.
LS_SSL_START_ERROR Failed to start SSL communication for connection "%S". Error: %s (code %u)
LS_CONNECTION_END_1 Connection "%S" has been terminated.
LS_SSL_START SSL communication for connection "%S" has been started. The encryption algorithm name is "%S".
LS_SSL_START SSL communication for connection "%S" has been started. The protocol version is %S. The encryption algorithm name is "%S".
LS_CONNECTION_ERROR Connection "%S" terminated by the cause "%s" (code %u).
LS_FARMMEMBER_NOT_ADMIN Connection "%S": Although the server is a cluster member, the client attempted that to directly connect to the Virtual Hub "%S" while not being administrator user "%S". The user name provided by the client is "%S". Access is refused.
LS_HUB_NOT_FOUND Connection "%S": Virtual Hub "%S" that the client is trying to connect to does not exist on the server.
@ -1796,6 +1802,8 @@ LS_LICENSE_VIOLATION_DETECTED A license violation has been detected. A different
LS_API_AUTH_OK HTTPS API client "%r:%u" (%S): Administration mode: "%S": The embedded HTTPS web server accepted the successful login. Username: "%S", Method: "%S", Path: "%S"
LS_API_AUTH_ERROR HTTPS API client "%r:%u" (%S): The embedded HTTPS web server refused a login attempt. Username: "%S", Method: "%S", Path: "%S"
LS_API_RPC_CALL HTTPS API client "%r:%u" (%S): The client called a JSON-API. Method: "%S", Returned error code: %u (0 = success), Returned error message: "%s"
LS_AZURE_START Received VPN Azure connection request from the client (IP address: %S, port number: %u).
LS_AZURE_SSL_ERROR Failed to start SSL communication with VPN Azure relay server. Error: %s (code %u)
# (Proto log)
@ -2090,6 +2098,7 @@ LC_DELETE_ACCOUNT The VPN Connection Setting "%s" has been deleted.
LC_RENAME_ACCOUNT The name of VPN Connection Setting "%s" has been changed to "%s".
LC_CONNECT Connection processing for VPN Connection Setting "%s" has started.
LC_CONNECT_1 VPN Connection Setting "%s": Connection operation starting (this is now %u times).
LC_SSL_CONNECTED VPN Connection Setting "%s": SSL communication has been started. The protocol version is %S. The encryption algorithm name is "%S".
LC_CONNECT_2 VPN Connection Setting "%s": Now connected. Session name: "%S"
LC_CONNECT_ERROR VPN Connection Setting "%s": The connection has been either disconnected or it failed. Cause: %s (code %u)
LC_DISCONNECT Disconnecting the VPN Connection Setting "%s".
@ -2301,6 +2310,7 @@ R_SOCKS5 Conectar via servidor proxy &SOCKS5
B_PROXY_CONFIG Configuração do servidor &proxy
STATIC11 Opção de verificação do certificado do servidor:
R_CHECK_CERT Sempre verificar o certificado do servidor
R_TRUST_DEFAULT Confie no armazenamento de certificados do sistema
B_TRUST Gerenciar lista de &certificados CA confiáveis
B_SERVER_CERT Certificado &individual
B_VIEW_SERVER_CERT &Mostrar individual
@ -4114,6 +4124,7 @@ CMD_ACCOUNT_COLUMN_PROXY_USERNAME Proxy Server User Name
CMD_ACCOUNT_COLUMN_SERVER_CERT_USE Verify Server Certificate
CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME Registered Server Individual Certificate
CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT Retry on Untrusted Server Certificate
CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA Trust System Certificate Store
CMD_ACCOUNT_COLUMN_DEVICE_NAME Device Name Used for Connection
CMD_ACCOUNT_COLUMN_AUTH_TYPE Authentication Type
CMD_ACCOUNT_COLUMN_AUTH_USERNAME Nome de usuário
@ -5227,6 +5238,20 @@ CMD_CascadeServerCertDisable_Args CascadeServerCertDisable [name]
CMD_CascadeServerCertDisable_[name] Specify the name of the Cascade Connection whose setting you want to change.
# CascadeDefaultCAEnable command
CMD_CascadeDefaultCAEnable Enable Trust System Certificate Store Option
CMD_CascadeDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_CascadeDefaultCAEnable_Args CascadeDefaultCAEnable [name]
CMD_CascadeDefaultCAEnable_[name] Specify the name of the Cascade Connection whose setting you want to change.
# CascadeDefaultCADisable command
CMD_CascadeDefaultCADisable Disable Trust System Certificate Store Option
CMD_CascadeDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_CascadeDefaultCADisable_Args CascadeDefaultCADisable [name]
CMD_CascadeDefaultCADisable_[name] Specify the name of the Cascade Connection whose setting you want to change.
# CascadeServerCertSet command
CMD_CascadeServerCertSet Set the Server Individual Certificate for Cascade Connection
CMD_CascadeServerCertSet_Help When a Cascade Connection registered on the currently managed Virtual Hub is specified and that Cascade Connection connects to a VPN Server, use this to register beforehand the same certificate as the SSL certificate provided by the destination VPN Server. \nIf the option to verify server certificates for Cascade Connections is enabled, you must either use this command to save the connection destination server SSL certificate beforehand in the Cascade Connection Settings beforehand, or use the CAAdd command etc. to register a root certificate containing the signed server SSL certificate in the list of Virtual Hub trusted CA certificates. \nIf the certificate of the connected VPN Server cannot be trusted under the condition where the option to verify server certificates was enabled for the Cascade Connection, the connection will be promptly cancelled and continual reattempts at connection will be made. \nYou cannot execute this command for Virtual Hubs of VPN Servers operating as a cluster.
@ -6541,6 +6566,20 @@ CMD_AccountRetryOnServerCertDisable_Args AccountRetryOnServerCertDisable [name]
CMD_AccountRetryOnServerCertDisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountDefaultCAEnable command
CMD_AccountDefaultCAEnable Enable Trust System Certificate Store Option
CMD_AccountDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_AccountDefaultCAEnable_Args AccountDefaultCAEnable [name]
CMD_AccountDefaultCAEnable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountDefaultCADisable command
CMD_AccountDefaultCADisable Disable Trust System Certificate Store Option
CMD_AccountDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_AccountDefaultCADisable_Args AccountDefaultCADisable [name]
CMD_AccountDefaultCADisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountServerCertSet command
CMD_AccountServerCertSet Set Server Individual Certificate for VPN Connection Setting
CMD_AccountServerCertSet_Help When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting connects to a VPN Server, use this to register the same certificate as the SSL certificate provided by the destination VPN Server. \nIf the option to verify server certificates for VPN Connection Settings is enabled, you must either use this command to save the connection destination server SSL certificate beforehand in the VPN Connection Setting settings beforehand, or use the CAAdd command etc. to register a root certificate containing the signed server SSL certificate in the list of Virtual Hub trusted CA certificates. \nIf the certificate of the connected VPN Server cannot be trusted under the condition where the option to verify server certificates has been enabled for the VPN Connection Setting, the connection will be promptly cancelled and continual reattempts at connection will be made.

View File

@ -212,6 +212,11 @@ ERR_145 Unacceptable operation. Use the VPN Gate Utility to modify the conne
ERR_146 The VPN Gate Service is running inside the VPN Client program. You cannot stop the VPN Gate Service on this screen. Use the VPN Client Manager to enable or disable the VPN Gate Service.
ERR_147 This feature is not supported. It hasn't been implemented yet on the open-source version of SoftEther VPN.
ERR_148 The VPN connection was disconnected because the system is being suspended.
ERR_149 The destination VPN Server's certificate does not match the specified hostname.
ERR_150 Failed to find the TLS version that is supported by both sides. This usually means that one side may be using an obsolete TLS version which is diabled by the other side.
ERR_151 Failed to find an available cipher that is supported by both sides, or the cipher specified is not compatible with the server certificate.
ERR_152 TLS handshake has failed.
# Concerning licenses
LICENSE_INFO_URL https://selinks.org/?new_license
@ -836,6 +841,7 @@ CM_ST_NO_VLAN -
CM_ST_USE_ENCRYPT Encryption
CM_ST_USE_ENCRYPT_TRUE Enabled (Algorithm: %S)
CM_ST_USE_ENCRYPT_TRUE2 Enabled
CM_ST_USE_ENCRYPT_TRUE3 Enabled (%S Algorithm: %S)
CM_ST_USE_ENCRYPT_FALSE Disabled (No Encryption)
CM_ST_USE_COMPRESS Use of Compression
CM_ST_UDP_ACCEL_ENABLED UDP Acceleration is Supported
@ -1766,8 +1772,9 @@ LS_HUB_STOP Virtual Hub "%S" has been stopped.
LS_HUB_MAC The MAC address of Virtual Hub "%S" is "%S".
LS_NODE_INFO_TAG Client product name: "%S", Client version: %u, Client build number: %u, Server product name: "%S", Server version: %u, Server build number: %u, Client OS name: "%S", Client OS version: "%S", Client product ID: "%S", Client host name: "%S", Client IP address: "%S", Client port number: %u, Server host name: "%S", Server IP address: "%S", Server port number: %u, Proxy host name: "%S", Proxy IP address: "%S", Proxy port number: %u, Virtual Hub name: "%S", Client unique ID: "%S"
LS_CONNECTION_START_1 For the client (IP address: %S, host name: "%S", port number: %u), connection "%S" has been created.
LS_SSL_START_ERROR Failed to start SSL communication for connection "%S". Error: %s (code %u)
LS_CONNECTION_END_1 Connection "%S" has been terminated.
LS_SSL_START SSL communication for connection "%S" has been started. The encryption algorithm name is "%S".
LS_SSL_START SSL communication for connection "%S" has been started. The protocol version is %S. The encryption algorithm name is "%S".
LS_CONNECTION_ERROR Connection "%S" terminated by the cause "%s" (code %u).
LS_FARMMEMBER_NOT_ADMIN Connection "%S": Although the server is a cluster member, the client attempted that to directly connect to the Virtual Hub "%S" while not being administrator user "%S". The user name provided by the client is "%S". Access is refused.
LS_HUB_NOT_FOUND Connection "%S": Virtual Hub "%S" that the client is trying to connect to does not exist on the server.
@ -1795,6 +1802,8 @@ LS_LICENSE_VIOLATION_DETECTED A license violation has been detected. A different
LS_API_AUTH_OK HTTPS API client "%r:%u" (%S): Administration mode: "%S": The embedded HTTPS web server accepted the successful login. Username: "%S", Method: "%S", Path: "%S"
LS_API_AUTH_ERROR HTTPS API client "%r:%u" (%S): The embedded HTTPS web server refused a login attempt. Username: "%S", Method: "%S", Path: "%S"
LS_API_RPC_CALL HTTPS API client "%r:%u" (%S): The client called a JSON-API. Method: "%S", Returned error code: %u (0 = success), Returned error message: "%s"
LS_AZURE_START Received VPN Azure connection request from the client (IP address: %S, port number: %u).
LS_AZURE_SSL_ERROR Failed to start SSL communication with VPN Azure relay server. Error: %s (code %u)
# (Proto log)
@ -2088,6 +2097,7 @@ LC_DELETE_ACCOUNT The VPN Connection Setting "%s" has been deleted.
LC_RENAME_ACCOUNT The name of VPN Connection Setting "%s" has been changed to "%s".
LC_CONNECT Connection processing for VPN Connection Setting "%s" has started.
LC_CONNECT_1 VPN Connection Setting "%s": Connection operation starting (this is now %u times).
LC_SSL_CONNECTED VPN Connection Setting "%s": SSL communication has been started. The protocol version is %S. The encryption algorithm name is "%S".
LC_CONNECT_2 VPN Connection Setting "%s": Now connected. Session name: "%S"
LC_CONNECT_ERROR VPN Connection Setting "%s": The connection has been either disconnected or it failed. Cause: %s (code %u)
LC_DISCONNECT Disconnecting the VPN Connection Setting "%s".
@ -2324,6 +2334,7 @@ R_SOCKS5 Connect via &SOCKS5 Proxy Server
B_PROXY_CONFIG P&roxy Server Setting
STATIC11 Server Certificate Veri&fication Option:
R_CHECK_CERT Always Verify Server &Certificate
R_TRUST_DEFAULT Trust System Certificate Store
B_TRUST Manage Trusted CA &Certificate List
B_SERVER_CERT &Specify Individual Cert
B_VIEW_SERVER_CERT Show Indi&vidual Cert
@ -4397,6 +4408,7 @@ CMD_ACCOUNT_COLUMN_PROXY_PORT Proxy Server Port Number
CMD_ACCOUNT_COLUMN_PROXY_USERNAME Proxy Server User Name
CMD_ACCOUNT_COLUMN_SERVER_CERT_USE Verify Server Certificate
CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME Registered Server Individual Certificate
CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA Trust System Certificate Store
CMD_ACCOUNT_COLUMN_DEVICE_NAME Device Name Used for Connection
CMD_ACCOUNT_COLUMN_AUTH_TYPE Authentication Type
CMD_ACCOUNT_COLUMN_AUTH_USERNAME User Name
@ -5499,6 +5511,20 @@ CMD_CascadeServerCertDisable_Args CascadeServerCertDisable [name]
CMD_CascadeServerCertDisable_[name] Specify the name of the Cascade Connection whose setting you want to change.
# CascadeDefaultCAEnable command
CMD_CascadeDefaultCAEnable Enable Trust System Certificate Store Option
CMD_CascadeDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_CascadeDefaultCAEnable_Args CascadeDefaultCAEnable [name]
CMD_CascadeDefaultCAEnable_[name] Specify the name of the Cascade Connection whose setting you want to change.
# CascadeDefaultCADisable command
CMD_CascadeDefaultCADisable Disable Trust System Certificate Store Option
CMD_CascadeDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_CascadeDefaultCADisable_Args CascadeDefaultCADisable [name]
CMD_CascadeDefaultCADisable_[name] Specify the name of the Cascade Connection whose setting you want to change.
# CascadeServerCertSet command
CMD_CascadeServerCertSet Set the Server Individual Certificate for Cascade Connection
CMD_CascadeServerCertSet_Help When a Cascade Connection registered on the currently managed Virtual Hub is specified and that Cascade Connection connects to a VPN Server, use this to register beforehand the same certificate as the SSL certificate provided by the destination VPN Server. \nIf the option to verify server certificates for Cascade Connections is enabled, you must either use this command to save the connection destination server SSL certificate beforehand in the Cascade Connection Settings beforehand, or use the CAAdd command etc. to register a root certificate containing the signed server SSL certificate in the list of Virtual Hub trusted CA certificates. \nIf the certificate of the connected VPN Server cannot be trusted under the condition where the option to verify server certificates was enabled for the Cascade Connection, the connection will be promptly cancelled and continual reattempts at connection will be made. \nYou cannot execute this command for Virtual Hubs of VPN Servers operating as a cluster.
@ -6792,6 +6818,20 @@ CMD_AccountServerCertDisable_Args AccountServerCertDisable [name]
CMD_AccountServerCertDisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountDefaultCAEnable command
CMD_AccountDefaultCAEnable Enable Trust System Certificate Store Option
CMD_AccountDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_AccountDefaultCAEnable_Args AccountDefaultCAEnable [name]
CMD_AccountDefaultCAEnable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountDefaultCADisable command
CMD_AccountDefaultCADisable Disable Trust System Certificate Store Option
CMD_AccountDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_AccountDefaultCADisable_Args AccountDefaultCADisable [name]
CMD_AccountDefaultCADisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountServerCertSet command
CMD_AccountServerCertSet Set Server Individual Certificate for VPN Connection Setting
CMD_AccountServerCertSet_Help When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting connects to a VPN Server, use this to register the same certificate as the SSL certificate provided by the destination VPN Server. \nIf the option to verify server certificates for VPN Connection Settings is enabled, you must either use this command to save the connection destination server SSL certificate beforehand in the VPN Connection Setting settings beforehand, or use the CAAdd command etc. to register a root certificate containing the signed server SSL certificate in the list of Virtual Hub trusted CA certificates. \nIf the certificate of the connected VPN Server cannot be trusted under the condition where the option to verify server certificates has been enabled for the VPN Connection Setting, the connection will be promptly cancelled and continual reattempts at connection will be made.

View File

@ -218,6 +218,10 @@ ERR_145 不可接受的操作。使用 VPN Gate 實用工具修改 VPN Gate
ERR_146 VPN Gate 服務運行在 VPN 用戶端程式內。在此螢幕上,你不能停止 VPN Gate 服務。使用 VPN 用戶端管理器來啟用或禁用 VPN Gate 服務。
ERR_147 不支援此功能。它尚未在 SoftEther VPN 的開源版本上實施。
ERR_148 VPN 連接被中斷,因為該系統被暫停。
ERR_149 目標 VPN Server 的證書與指定的主機名稱不匹配。
ERR_150 找不到連接雙方都支持的 TLS 版本。這通常意味著一方可能正在使用已被另一方禁用的過時的 TLS 版本。
ERR_151 找不到連接雙方都支持的加密演算法,或者指定的演算法與伺服器憑證不相容。
ERR_152 TLS 握手失敗。
#關於許可證
@ -845,6 +849,7 @@ CM_ST_NO_VLAN
CM_ST_USE_ENCRYPT 加密
CM_ST_USE_ENCRYPT_TRUE 已啟用 (演算法: %S)
CM_ST_USE_ENCRYPT_TRUE2 已啟用
CM_ST_USE_ENCRYPT_TRUE3 已啟用 (%S 演算法: %S)
CM_ST_USE_ENCRYPT_FALSE 已禁用 (不加密)
CM_ST_USE_COMPRESS 使用壓縮
CM_ST_UDP_ACCEL_ENABLED 支援 UDP 加速
@ -1784,8 +1789,9 @@ LS_HUB_STOP 虛擬 HUB "%S" 已關閉。
LS_HUB_MAC 虛擬 HUB "%S" 的 MAC 位址是 "%S"。
LS_NODE_INFO_TAG 用戶端產品名:"%S",用戶端版本:%u用戶端構建號%u服務端產品名"%S",服務端版本:%u服務端構建號%u用戶端作業系統名"%S",用戶端作業系統版本:"%S",用戶端產品 ID"%S",用戶端主機名稱:"%S",用戶端 IP 地址:"%S",用戶端埠號:%u服務端主機名稱"%S",服務端 IP 位址:"%S",服務端埠號:%u代理主機名稱"%S",代理 IP 位址:"%S",代理埠號:%u虛擬 HUB 名:"%S",用戶端唯一 ID "%S"
LS_CONNECTION_START_1 用戶端 (IP 地址:%S主機名稱"%S",埠號:%u) 的連接 "%S" 已建立。
LS_SSL_START_ERROR 無法啟動連接 "%S" 的 SSL 通信。錯誤: %s (代碼 %u)
LS_CONNECTION_END_1 連接 "%S" 已結束。
LS_SSL_START 連接 "%S" 的 SSL 通信已啟動。加密演算法名為 "%S"。
LS_SSL_START 連接 "%S" 的 SSL 通信已啟動。協議版本是 %S。加密演算法名為 "%S"。
LS_CONNECTION_ERROR 連接 "%S"因原因 "%s" (代碼 %u)已終止。
LS_FARMMEMBER_NOT_ADMIN 連接 "%S": 服務端是群集成員,但用戶端在非管理員 (%S) 使用者情況下,嘗試直接與虛擬 HUB "%S" 連接。用戶端用戶名為 "%S"。訪問被拒絕。
LS_HUB_NOT_FOUND 連接 "%S": 客戶端正在嘗試連接的虛擬 HUB "%S" 在服務端上不存在。
@ -1813,6 +1819,8 @@ LS_LICENSE_VIOLATION_DETECTED 發現許可證違反錯誤,一個不同的 VPN
LS_API_AUTH_OK HTTPS API client "%r:%u" (%S): Administration mode: "%S": The embedded HTTPS web server accepted the successful login. Username: "%S", Method: "%S", Path: "%S"
LS_API_AUTH_ERROR HTTPS API client "%r:%u" (%S): The embedded HTTPS web server refused a login attempt. Username: "%S", Method: "%S", Path: "%S"
LS_API_RPC_CALL HTTPS API client "%r:%u" (%S): The client called a JSON-API. Method: "%S", Returned error code: %u (0 = success), Returned error message: "%s"
LS_AZURE_START 收到來自客戶端 (IP 地址:%S埠號%u) 的 VPN Azure 連接請求。
LS_AZURE_SSL_ERROR 無法啟動與 VPN Azure 中繼伺服器的 SSL 通信。錯誤: %s (代碼 %u)
# (Proto 日誌)
@ -2107,6 +2115,7 @@ LC_DELETE_ACCOUNT 已刪除 VPN 連接設置 "%s"。
LC_RENAME_ACCOUNT 已變更 VPN 連接設置名 "%s" 為 "%s"。
LC_CONNECT 已開始 VPN 連接設置 "%s" 的連接處理。
LC_CONNECT_1 VPN 連接設置 "%s": 第 %u 次連接操作開始。
LC_SSL_CONNECTED VPN 連接設置 "%s": SSL 通信已啟動。協議版本是 %S。加密演算法名為 "%S"。
LC_CONNECT_2 VPN 連接設置 "%s": 連接完成。會話名: "%S"。
LC_CONNECT_ERROR VPN 連接設置 "%s": 連接斷開或連接失敗。原因: %s (代碼 %u)
LC_DISCONNECT VPN 連接設置 "%s" 斷開中。
@ -2343,6 +2352,7 @@ R_SOCKS5 通過 SOCKS5 代理伺服器連接(&S)
B_PROXY_CONFIG 代理伺服器設置(&R)
STATIC11 服務端證書驗證選項(&F):
R_CHECK_CERT 總是驗證服務端證書(&C)
R_TRUST_DEFAULT 信任系統憑證存放區
B_TRUST 管理可信發證機關證書列表(&C)
B_SERVER_CERT 指定特定證書(&S)
B_VIEW_SERVER_CERT 查看特定證書(&V)
@ -4412,7 +4422,8 @@ CMD_ACCOUNT_COLUMN_PROXY_PORT 代理伺服器的埠號
CMD_ACCOUNT_COLUMN_PROXY_USERNAME 代理伺服器的用戶名
CMD_ACCOUNT_COLUMN_SERVER_CERT_USE 驗證伺服器憑證
CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME 註冊的伺服器個人證書
CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT Retry on Untrusted Server Certificate
CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT 遇到不信任的證書時重試
CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA 信任系統憑證存放區
CMD_ACCOUNT_COLUMN_DEVICE_NAME 用於連接的設備名
CMD_ACCOUNT_COLUMN_AUTH_TYPE 驗證類型
CMD_ACCOUNT_COLUMN_AUTH_USERNAME 用戶名
@ -4427,7 +4438,7 @@ CMD_ACCOUNT_COLUMN_BRIDGE_ROUTER 通過橋接器 / 路由模式連接
CMD_ACCOUNT_COLUMN_MONITOR 通過監測模式連接
CMD_ACCOUNT_COLUMN_NO_TRACKING 不要調整路由表
CMD_ACCOUNT_COLUMN_QOS_DISABLE 不要使用 QoS 控制功能
CMD_ACCOUNT_COLUMN_DISABLEUDP Disable UDP Acceleration
CMD_ACCOUNT_COLUMN_DISABLEUDP 禁用 UDP 加速功能
# Debugging Information Collecting Tool
@ -5515,6 +5526,20 @@ CMD_CascadeServerCertDisable_Args CascadeServerCertDisable [name]
CMD_CascadeServerCertDisable_[name] 指定級聯名稱來改變設置。
# CascadeDefaultCAEnable 命令
CMD_CascadeDefaultCAEnable 啟用信任系統憑證存放區選項
CMD_CascadeDefaultCAEnable_Help 當啟用服務器憑證驗證時,使用此選項來啟用信任系統憑證存放區的證書。\n如果禁用服務器憑證驗證則此選項不執行任何操作。
CMD_CascadeDefaultCAEnable_Args CascadeDefaultCAEnable [name]
CMD_CascadeDefaultCAEnable_[name] 指定級聯名稱來改變設置。
# CascadeDefaultCADisable 命令
CMD_CascadeDefaultCADisable 禁用信任系統憑證存放區選項
CMD_CascadeDefaultCADisable_Help 當啟用服務器憑證驗證時,使用此選項來禁用信任系統憑證存放區的證書。\n如果禁用服務器憑證驗證則此選項不執行任何操作。
CMD_CascadeDefaultCADisable_Args CascadeDefaultCADisable [name]
CMD_CascadeDefaultCADisable_[name] 指定級聯名稱來改變設置。
# CascadeServerCertSet 命令
CMD_CascadeServerCertSet 設置級聯連接的伺服器特定證書
CMD_CascadeServerCertSet_Help 指定已經在當前虛擬 HUB 註冊的級聯連接,當此連接和 VPN Server 之間通信時,事先將連接方提供的 SSL 證書註冊。\n如果啟用此選項需要將在目標伺服器的證書事先通過指令設置到級聯的連接設置中或者在虛擬 HUB 的可信任證書清單中,運行 CAAdd 指令,將有伺服器的 SSL 證書署名的路線證書添加進去。\n當啟用伺服器憑證驗證選項時如果 VPN Server 提供的證書不可信,連接將斷開,並重試。\n此命令在集群虛擬 HUB 中不能運行。
@ -6820,6 +6845,20 @@ CMD_AccountRetryOnServerCertDisable_Args AccountRetryOnServerCertDisable [name]
CMD_AccountRetryOnServerCertDisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountDefaultCAEnable 命令
CMD_AccountDefaultCAEnable 啟用信任系統憑證存放區選項
CMD_AccountDefaultCAEnable_Help 當啟用服務器憑證驗證時,使用此選項來啟用信任系統憑證存放區的證書。\n如果禁用服務器憑證驗證則此選項不執行任何操作。
CMD_AccountDefaultCAEnable_Args AccountDefaultCAEnable [name]
CMD_AccountDefaultCAEnable_[name] 指定要更改設置的連接設置名。
# AccountDefaultCADisable 命令
CMD_AccountDefaultCADisable 禁用信任系統憑證存放區選項
CMD_AccountDefaultCADisable_Help 當啟用服務器憑證驗證時,使用此選項來禁用信任系統憑證存放區的證書。\n如果禁用服務器憑證驗證則此選項不執行任何操作。
CMD_AccountDefaultCADisable_Args AccountDefaultCADisable [name]
CMD_AccountDefaultCADisable_[name] 指定要更改設置的連接設置名。
# AccountServerCertSet 命令
CMD_AccountServerCertSet 設置連接設置的伺服器固有證明書
CMD_AccountServerCertSet_Help 指定註冊到 VPN Client 的連接設置,其連接設置連接到 VPN Server 時,預先註冊與連接目標的 VPN Server 提交的 SSL 證書相同的證書。\n如果啟動了連接設置的伺服器憑證驗證選項可以預先將連接目標伺服器的 SSL 證書以此指令保存在連接設置的設置內,或需要將伺服器的 SSL 證書簽名了的根證書,以 CAAdd 指令註冊到虛擬 HUB 信任的證明機構的證書列表中。\n驗證連接設置的伺服器憑證的選項處於啟動狀態連接了的 VPN Server 的證書不可信時,立即解除連接,反復重試。