AMajor/SoftEtherVPN
1
0
Fork 0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-09-13 07:13:00 +03:00
Code Releases Activity

Implement complete server certificate verification

Browse Source
This commit is contained in:
Yihong Wu 2021-12-17 17:57:23 +08:00
parent 1c1560f6ca
commit f94ac6351e
30 changed files with 868 additions and 411 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/Cedar/Admin.c
View File

@ -7350,6 +7350,7 @@ UINT StGetLink(ADMIN *a, RPC_CREATE_LINK *t)
Copy(&t->Policy, k->Policy, sizeof(POLICY));
t->CheckServerCert = k->CheckServerCert;
t->AddDefaultCA = k->AddDefaultCA;
t->ServerCert = CloneX(k->ServerCert);
}
Unlock(k->lock);
@ -7465,6 +7466,7 @@ UINT StSetLink(ADMIN *a, RPC_CREATE_LINK *t)
k->Option->RequireMonitorMode = false; // Disable monitor mode
k->CheckServerCert = t->CheckServerCert;
k->AddDefaultCA = t->AddDefaultCA;
k->ServerCert = CloneX(t->ServerCert);
}
Unlock(k->lock);
@ -7561,6 +7563,7 @@ UINT StCreateLink(ADMIN *a, RPC_CREATE_LINK *t)
// setting of verifying server certification
//
k->CheckServerCert = t->CheckServerCert;
k->AddDefaultCA = t->AddDefaultCA;
k->ServerCert = CloneX(t->ServerCert);
// stay this off-line
@ -13635,6 +13638,7 @@ void InRpcCreateLink(RPC_CREATE_LINK *t, PACK *p)
InRpcPolicy(&t->Policy, p);
t->CheckServerCert = PackGetBool(p, "CheckServerCert");
t->AddDefaultCA = PackGetBool(p, "AddDefaultCA");
b = PackGetBuf(p, "ServerCert");
if (b != NULL)
{
@ -13657,6 +13661,7 @@ void OutRpcCreateLink(PACK *p, RPC_CREATE_LINK *t)
OutRpcPolicy(p, &t->Policy);
PackAddBool(p, "CheckServerCert", t->CheckServerCert);
PackAddBool(p, "AddDefaultCA", t->AddDefaultCA);
if (t->ServerCert != NULL)
{
BUF *b;

1
src/Cedar/Admin.h
View File

@ -436,6 +436,7 @@ struct RPC_CREATE_LINK
CLIENT_AUTH *ClientAuth; // Client authentication data
POLICY Policy; // Policy
bool CheckServerCert; // Validate the server certificate
bool AddDefaultCA; // Use default trust store
X *ServerCert; // Server certificate
};

16
src/Cedar/CM.c
View File

@ -6022,6 +6022,7 @@ void CmExportAccount(HWND hWnd, wchar_t *account_name)
t.StartupAccount = a->Startup;
t.CheckServerCert = a->CheckServerCert;
t.RetryOnServerCert = a->RetryOnServerCert;
t.AddDefaultCA = a->AddDefaultCA;
t.ServerCert = a->ServerCert;
t.ClientOption->FromAdminPack = false;
@ -6161,6 +6162,7 @@ void CmImportAccountMainEx(HWND hWnd, wchar_t *filename, bool overwrite)
t->StartupAccount = get.StartupAccount;
t->CheckServerCert = get.CheckServerCert;
t->RetryOnServerCert = get.RetryOnServerCert;
t->AddDefaultCA = get.AddDefaultCA;
if (t->ServerCert != NULL)
{
FreeX(t->ServerCert);
@ -6270,6 +6272,7 @@ void CmCopyAccount(HWND hWnd, wchar_t *account_name)
}
c.CheckServerCert = a->CheckServerCert;
c.RetryOnServerCert = a->RetryOnServerCert;
c.AddDefaultCA = a->AddDefaultCA;
c.StartupAccount = false; // Don't copy the startup attribute
CALL(hWnd, CcCreateAccount(cm->Client, &c));
@ -6686,9 +6689,13 @@ void CmEditAccountDlgUpdate(HWND hWnd, CM_ACCOUNT *a)
// To validate the server certificate
a->CheckServerCert = IsChecked(hWnd, R_CHECK_CERT);
// Trust default CA list
a->AddDefaultCA = IsChecked(hWnd, R_TRUST_DEFAULT);
if (a->NatMode)
{
Disable(hWnd, R_CHECK_CERT);
Disable(hWnd, R_TRUST_DEFAULT);
Disable(hWnd, B_TRUST);
}
@ -7031,6 +7038,7 @@ void CmEditAccountDlgUpdate(HWND hWnd, CM_ACCOUNT *a)
SetEnable(hWnd, S_STATIC7, false);
SetEnable(hWnd, S_STATIC11, false);
SetEnable(hWnd, R_CHECK_CERT, false);
SetEnable(hWnd, R_TRUST_DEFAULT, false);
SetEnable(hWnd, B_TRUST, false);
SetEnable(hWnd, B_SERVER_CERT, false);
SetEnable(hWnd, B_VIEW_SERVER_CERT, false);
@ -7132,6 +7140,9 @@ void CmEditAccountDlgInit(HWND hWnd, CM_ACCOUNT *a)
// Verify the server certificate
Check(hWnd, R_CHECK_CERT, a->CheckServerCert);
// Trust default CA list
Check(hWnd, R_TRUST_DEFAULT, a->AddDefaultCA);
// LAN card list
if (a->NatMode == false && a->LinkMode == false)
{
@ -7364,6 +7375,7 @@ UINT CmEditAccountDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, voi
case R_HTTPS:
case R_SOCKS:
case R_CHECK_CERT:
case R_TRUST_DEFAULT:
case C_TYPE:
case E_USERNAME:
case E_PASSWORD:
@ -8770,6 +8782,7 @@ void CmEditAccountDlgOnOk(HWND hWnd, CM_ACCOUNT *a)
Copy(c.ClientOption, a->ClientOption, sizeof(CLIENT_OPTION));
c.ClientAuth = CopyClientAuth(a->ClientAuth);
c.CheckServerCert = a->CheckServerCert;
c.AddDefaultCA = a->AddDefaultCA;
if (a->ServerCert != NULL)
{
c.ServerCert = CloneX(a->ServerCert);
@ -8823,6 +8836,7 @@ void CmEditAccountDlgOnOk(HWND hWnd, CM_ACCOUNT *a)
Copy(t.ClientOption, a->ClientOption, sizeof(CLIENT_OPTION));
t.ClientAuth = CopyClientAuth(a->ClientAuth);
t.CheckServerCert = a->CheckServerCert;
t.AddDefaultCA = a->AddDefaultCA;
t.ServerCert = CloneX(a->ServerCert);
// Save the settings for cascade connection
@ -9015,6 +9029,7 @@ CM_ACCOUNT *CmGetExistAccountObject(HWND hWnd, wchar_t *account_name)
a->EditMode = true;
a->CheckServerCert = c.CheckServerCert;
a->RetryOnServerCert = c.RetryOnServerCert;
a->AddDefaultCA = c.AddDefaultCA;
a->Startup = c.StartupAccount;
if (c.ServerCert != NULL)
{
@ -9045,6 +9060,7 @@ CM_ACCOUNT *CmCreateNewAccountObject(HWND hWnd)
a->EditMode = false;
a->CheckServerCert = false;
a->RetryOnServerCert = false;
a->AddDefaultCA = false;
a->Startup = false;
a->ClientOption = ZeroMalloc(sizeof(CLIENT_OPTION));

1
src/Cedar/CMInner.h
View File

@ -140,6 +140,7 @@ typedef struct CM_ACCOUNT
bool Startup; // Startup account
bool CheckServerCert; // Check the server certificate
bool RetryOnServerCert; // Retry on invalid server certificate
bool AddDefaultCA; // Use default trust store
X *ServerCert; // Server certificate
char old_server_name[MAX_HOST_NAME_LEN + 1]; // Old server name
bool Inited; // Initialization flag

1
src/Cedar/Cedar.h
View File

@ -869,6 +869,7 @@
#define ERR_VPNGATE_INCLIENT_CANT_STOP 146 // Can not be stopped if operating within VPN Client mode
#define ERR_NOT_SUPPORTED_FUNCTION_ON_OPENSOURCE 147 // It is a feature that is not supported in the open source version
#define ERR_SUSPENDING 148 // System is suspending
#define ERR_HOSTNAME_MISMATCH 149 // SSL hostname mismatch
////////////////////////////

17
src/Cedar/Client.c
View File

@ -1957,6 +1957,7 @@ RPC_CLIENT_CREATE_ACCOUNT *CiCfgToAccount(BUF *b)
t->StartupAccount = a->StartupAccount;
t->CheckServerCert = a->CheckServerCert;
t->RetryOnServerCert = a->RetryOnServerCert;
t->AddDefaultCA = a->AddDefaultCA;
t->ServerCert = a->ServerCert;
Free(a);
@ -1981,6 +1982,7 @@ BUF *CiAccountToCfg(RPC_CLIENT_CREATE_ACCOUNT *t)
a.ClientAuth = t->ClientAuth;
a.CheckServerCert = t->CheckServerCert;
a.RetryOnServerCert = t->RetryOnServerCert;
a.AddDefaultCA = t->AddDefaultCA;
a.ServerCert = t->ServerCert;
a.StartupAccount = t->StartupAccount;
@ -4542,6 +4544,7 @@ void InRpcClientCreateAccount(RPC_CLIENT_CREATE_ACCOUNT *c, PACK *p)
c->StartupAccount = PackGetInt(p, "StartupAccount") ? true : false;
c->CheckServerCert = PackGetInt(p, "CheckServerCert") ? true : false;
c->RetryOnServerCert = PackGetInt(p, "RetryOnServerCert") ? true : false;
c->AddDefaultCA = PackGetInt(p, "AddDefaultCA") ? true : false;
b = PackGetBuf(p, "ServerCert");
if (b != NULL)
{
@ -4565,6 +4568,7 @@ void OutRpcClientCreateAccount(PACK *p, RPC_CLIENT_CREATE_ACCOUNT *c)
PackAddInt(p, "StartupAccount", c->StartupAccount);
PackAddInt(p, "CheckServerCert", c->CheckServerCert);
PackAddInt(p, "RetryOnServerCert", c->RetryOnServerCert);
PackAddInt(p, "AddDefaultCA", c->AddDefaultCA);
if (c->ServerCert != NULL)
{
b = XToBuf(c->ServerCert, false);
@ -4715,6 +4719,7 @@ void InRpcClientGetAccount(RPC_CLIENT_GET_ACCOUNT *c, PACK *p)
c->StartupAccount = PackGetInt(p, "StartupAccount") ? true : false;
c->CheckServerCert = PackGetInt(p, "CheckServerCert") ? true : false;
c->RetryOnServerCert = PackGetInt(p, "RetryOnServerCert") ? true : false;
c->AddDefaultCA = PackGetInt(p, "AddDefaultCA") ? true : false;
b = PackGetBuf(p, "ServerCert");
if (b != NULL)
{
@ -4744,6 +4749,7 @@ void OutRpcClientGetAccount(PACK *p, RPC_CLIENT_GET_ACCOUNT *c)
PackAddInt(p, "StartupAccount", c->StartupAccount);
PackAddInt(p, "CheckServerCert", c->CheckServerCert);
PackAddInt(p, "RetryOnServerCert", c->RetryOnServerCert);
PackAddInt(p, "AddDefaultCA", c->AddDefaultCA);
if (c->ServerCert != NULL)
{
@ -6467,9 +6473,9 @@ bool CtConnect(CLIENT *c, RPC_CLIENT_CONNECT *connect)
// Register a procedure for secure device authentication
r->ClientAuth->SecureSignProc = CiSecureSignProc;
}
else if (r->ClientAuth->AuthType == CLIENT_AUTHTYPE_OPENSSLENGINE)
else if (r->ClientAuth->AuthType == CLIENT_AUTHTYPE_OPENSSLENGINE)
{
/* r->ClientAuth->ClientK = OpensslEngineToK("asdf"); */
/* r->ClientAuth->ClientK = OpensslEngineToK("asdf"); */
r->ClientAuth->SecureSignProc = NULL;
}
else
@ -6639,6 +6645,7 @@ bool CtGetAccount(CLIENT *c, RPC_CLIENT_GET_ACCOUNT *a)
a->CheckServerCert = r->CheckServerCert;
a->RetryOnServerCert = r->RetryOnServerCert;
a->AddDefaultCA = r->AddDefaultCA;
a->ServerCert = NULL;
if (r->ServerCert != NULL)
{
@ -7173,6 +7180,7 @@ bool CtSetAccount(CLIENT *c, RPC_CLIENT_CREATE_ACCOUNT *a, bool inner)
ret->CheckServerCert = a->CheckServerCert;
ret->RetryOnServerCert = a->RetryOnServerCert;
ret->AddDefaultCA = a->AddDefaultCA;
if (a->ServerCert != NULL)
{
@ -7272,6 +7280,7 @@ bool CtCreateAccount(CLIENT *c, RPC_CLIENT_CREATE_ACCOUNT *a, bool inner)
new_account->CheckServerCert = a->CheckServerCert;
new_account->RetryOnServerCert = a->RetryOnServerCert;
new_account->AddDefaultCA = a->AddDefaultCA;
if (a->ServerCert != NULL)
{
new_account->ServerCert = CloneX(a->ServerCert);
@ -9336,6 +9345,7 @@ ACCOUNT *CiLoadClientAccount(FOLDER *f)
a->StartupAccount = CfgGetBool(f, "StartupAccount");
a->CheckServerCert = CfgGetBool(f, "CheckServerCert");
a->RetryOnServerCert = CfgGetBool(f, "RetryOnServerCert");
a->AddDefaultCA = CfgGetBool(f, "AddDefaultCA");
a->CreateDateTime = CfgGetInt64(f, "CreateDateTime");
a->UpdateDateTime = CfgGetInt64(f, "UpdateDateTime");
a->LastConnectDateTime = CfgGetInt64(f, "LastConnectDateTime");
@ -9974,6 +9984,9 @@ void CiWriteAccountData(FOLDER *f, ACCOUNT *a)
// Retry on invalid server certificate flag
CfgAddBool(f, "RetryOnServerCert", a->RetryOnServerCert);
// Add default SSL trust store
CfgAddBool(f, "AddDefaultCA", a->AddDefaultCA);
// Date and time
CfgAddInt64(f, "CreateDateTime", a->CreateDateTime);
CfgAddInt64(f, "UpdateDateTime", a->UpdateDateTime);

3
src/Cedar/Client.h
View File

@ -61,6 +61,7 @@ struct ACCOUNT
CLIENT_AUTH *ClientAuth; // Client authentication data
bool CheckServerCert; // Check the server certificate
bool RetryOnServerCert; // Retry on invalid server certificate
bool AddDefaultCA; // Use default trust store
X *ServerCert; // Server certificate
bool StartupAccount; // Start-up account
UCHAR ShortcutKey[SHA1_SIZE]; // Key
@ -239,6 +240,7 @@ struct RPC_CLIENT_CREATE_ACCOUNT
bool StartupAccount; // Startup account
bool CheckServerCert; // Checking of the server certificate
bool RetryOnServerCert; // Retry on invalid server certificate
bool AddDefaultCA; // Use default trust store
X *ServerCert; // Server certificate
UCHAR ShortcutKey[SHA1_SIZE]; // Shortcut Key
};
@ -292,6 +294,7 @@ struct RPC_CLIENT_GET_ACCOUNT
bool StartupAccount; // Startup account
bool CheckServerCert; // Check the server certificate
bool RetryOnServerCert; // Retry on invalid server certificate
bool AddDefaultCA; // Use default trust store
X *ServerCert; // Server certificate
UCHAR ShortcutKey[SHA1_SIZE]; // Shortcut Key
UINT64 CreateDateTime; // Creation date and time (Ver 3.0 or later)

550
src/Cedar/Command.c
View File

@ -3109,6 +3109,8 @@ void PcMain(PC *pc)
{"AccountServerCertDisable", PcAccountServerCertDisable},
{"AccountRetryOnServerCertEnable", PcAccountRetryOnServerCertEnable},
{"AccountRetryOnServerCertDisable", PcAccountRetryOnServerCertDisable},
{"AccountDefaultCAEnable", PcAccountDefaultCAEnable},
{"AccountDefaultCADisable", PcAccountDefaultCADisable},
{"AccountServerCertSet", PcAccountServerCertSet},
{"AccountServerCertDelete", PcAccountServerCertDelete},
{"AccountServerCertGet", PcAccountServerCertGet},
@ -4293,6 +4295,26 @@ UINT PcAccountCreate(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
return ret;
}
// Setup a RPC_CLIENT_CREATE_ACCOUNT from a RPC_CLIENT_GET_ACCOUNT
void SetRpcClientCreateAccountFromGetAccount(RPC_CLIENT_CREATE_ACCOUNT *c, RPC_CLIENT_GET_ACCOUNT *t)
{
if (c == NULL || t == NULL)
{
return;
}
Zero(c, sizeof(RPC_CLIENT_CREATE_ACCOUNT));
// Copy reference
c->ClientAuth = t->ClientAuth;
c->ClientOption = t->ClientOption;
c->CheckServerCert = t->CheckServerCert;
c->RetryOnServerCert = t->RetryOnServerCert;
c->AddDefaultCA = t->AddDefaultCA;
c->ServerCert = t->ServerCert;
c->StartupAccount = t->StartupAccount;
}
// Set the destination of the connection settings
UINT PcAccountSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
{
@ -4336,14 +4358,7 @@ UINT PcAccountSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
t.ClientOption->HintStr[0] = 0;
StrCpy(t.ClientOption->HubName, sizeof(t.ClientOption->HubName), GetParamStr(o, "HUB"));
Zero(&c, sizeof(c));
c.ClientAuth = t.ClientAuth;
c.ClientOption = t.ClientOption;
c.CheckServerCert = t.CheckServerCert;
c.RetryOnServerCert = t.RetryOnServerCert;
c.ServerCert = t.ServerCert;
c.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&c, &t);
ret = CcSetAccount(pc->RemoteClient, &c);
}
@ -4456,6 +4471,8 @@ UINT PcAccountGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
{
CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT"),
t.RetryOnServerCert ? _UU("CMD_MSG_ENABLE") : _UU("CMD_MSG_DISABLE"));
CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA"),
t.AddDefaultCA ? _UU("CMD_MSG_ENABLE") : _UU("CMD_MSG_DISABLE"));
}
// Device name to be used for the connection
@ -4630,13 +4647,7 @@ UINT PcAccountUsernameSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
c->Write(c, _UU("CMD_AccountUsername_Notice"));
}
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -4688,13 +4699,7 @@ UINT PcAccountAnonymousSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param
// Change the settings
t.ClientAuth->AuthType = CLIENT_AUTHTYPE_ANONYMOUS;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -4770,13 +4775,7 @@ UINT PcAccountPasswordSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
if (ret == ERR_NO_ERROR)
{
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -4849,13 +4848,7 @@ UINT PcAccountCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
t.ClientAuth->ClientX = CloneX(x);
t.ClientAuth->ClientK = CloneK(k);
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -4970,13 +4963,7 @@ UINT PcAccountEncryptDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *par
// Change the settings
t.ClientOption->UseEncrypt = false;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5028,13 +5015,7 @@ UINT PcAccountEncryptEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *para
// Change the settings
t.ClientOption->UseEncrypt = true;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5086,13 +5067,7 @@ UINT PcAccountCompressEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *par
// Change the settings
t.ClientOption->UseCompress = true;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5144,13 +5119,7 @@ UINT PcAccountCompressDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *pa
// Change the settings
t.ClientOption->UseCompress = false;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5225,13 +5194,7 @@ UINT PcAccountHttpHeaderAdd(CONSOLE *c, char *cmd_name, wchar_t *str, void *para
if ((StrLen(s) + StrLen(t.ClientOption->CustomHttpHeader)) < sizeof(t.ClientOption->CustomHttpHeader)) {
StrCat(t.ClientOption->CustomHttpHeader, sizeof(s), s);
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5296,13 +5259,7 @@ UINT PcAccountHttpHeaderDelete(CONSOLE *c, char *cmd_name, wchar_t *str, void *p
RPC_CLIENT_CREATE_ACCOUNT z;
char *value = GetParamStr(o, "NAME");
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
Zero(z.ClientOption->CustomHttpHeader, sizeof(z.ClientOption->CustomHttpHeader));
@ -5422,13 +5379,7 @@ UINT PcAccountProxyNone(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
// Change the settings
t.ClientOption->ProxyType = PROXY_DIRECT;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5494,13 +5445,7 @@ UINT PcAccountProxyHttp(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
Free(host);
}
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5566,13 +5511,7 @@ UINT PcAccountProxySocks(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
Free(host);
}
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5638,13 +5577,7 @@ UINT PcAccountProxySocks5(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
Free(host);
}
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5696,13 +5629,7 @@ UINT PcAccountServerCertEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *p
// Change the settings
t.CheckServerCert = true;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5754,13 +5681,7 @@ UINT PcAccountServerCertDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *
// Change the settings
t.CheckServerCert = false;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5812,13 +5733,7 @@ UINT PcAccountRetryOnServerCertEnable(CONSOLE *c, char *cmd_name, wchar_t *str,
// Change the settings
t.RetryOnServerCert = true;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5870,13 +5785,111 @@ UINT PcAccountRetryOnServerCertDisable(CONSOLE *c, char *cmd_name, wchar_t *str,
// Change the settings
t.RetryOnServerCert = false;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
if (ret != ERR_NO_ERROR)
{
// Error has occurred
CmdPrintError(c, ret);
}
CiFreeClientGetAccount(&t);
// Release of the parameter list
FreeParamValueList(o);
return ret;
}
// Enable trusting default CA list
UINT PcAccountDefaultCAEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
{
LIST *o;
PC *pc = (PC *)param;
UINT ret = ERR_NO_ERROR;
RPC_CLIENT_GET_ACCOUNT t;
// Parameter list that can be specified
PARAM args[] =
{
{"[name]", CmdPrompt, _UU("CMD_AccountCreate_Prompt_Name"), CmdEvalNotEmpty, NULL},
};
// Get the parameter list
o = ParseCommandList(c, cmd_name, str, args, sizeof(args) / sizeof(args[0]));
if (o == NULL)
{
return ERR_INVALID_PARAMETER;
}
// RPC call
Zero(&t, sizeof(t));
UniStrCpy(t.AccountName, sizeof(t.AccountName), GetParamUniStr(o, "[name]"));
ret = CcGetAccount(pc->RemoteClient, &t);
if (ret == ERR_NO_ERROR)
{
RPC_CLIENT_CREATE_ACCOUNT z;
// Change the settings
t.AddDefaultCA = true;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
if (ret != ERR_NO_ERROR)
{
// Error has occurred
CmdPrintError(c, ret);
}
CiFreeClientGetAccount(&t);
// Release of the parameter list
FreeParamValueList(o);
return ret;
}
// Disable trusting default CA list
UINT PcAccountDefaultCADisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
{
LIST *o;
PC *pc = (PC *)param;
UINT ret = ERR_NO_ERROR;
RPC_CLIENT_GET_ACCOUNT t;
// Parameter list that can be specified
PARAM args[] =
{
{"[name]", CmdPrompt, _UU("CMD_AccountCreate_Prompt_Name"), CmdEvalNotEmpty, NULL},
};
// Get the parameter list
o = ParseCommandList(c, cmd_name, str, args, sizeof(args) / sizeof(args[0]));
if (o == NULL)
{
return ERR_INVALID_PARAMETER;
}
// RPC call
Zero(&t, sizeof(t));
UniStrCpy(t.AccountName, sizeof(t.AccountName), GetParamUniStr(o, "[name]"));
ret = CcGetAccount(pc->RemoteClient, &t);
if (ret == ERR_NO_ERROR)
{
RPC_CLIENT_CREATE_ACCOUNT z;
// Change the settings
t.AddDefaultCA = false;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -5942,13 +5955,7 @@ UINT PcAccountServerCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *para
}
t.ServerCert = CloneX(x);
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -6006,13 +6013,7 @@ UINT PcAccountServerCertDelete(CONSOLE *c, char *cmd_name, wchar_t *str, void *p
}
t.ServerCert = NULL;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -6061,23 +6062,20 @@ UINT PcAccountServerCertGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *para
if (ret == ERR_NO_ERROR)
{
RPC_CLIENT_CREATE_ACCOUNT z;
// Change the settings
if (t.ServerCert != NULL)
// Save the certificate
if (t.ServerCert == NULL)
{
FreeX(t.ServerCert);
c->Write(c, _UU("CMD_CERT_NOT_EXISTS"));
ret = ERR_INTERNAL_ERROR;
}
else
{
if (XToFileW(t.ServerCert, GetParamUniStr(o, "SAVECERT"), true) == false)
{
c->Write(c, _UU("CMD_SAVECERT_FAILED"));
ret = ERR_INTERNAL_ERROR;
}
}
t.ServerCert = NULL;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
ret = CcSetAccount(pc->RemoteClient, &z);
}
if (ret != ERR_NO_ERROR)
@ -6152,12 +6150,7 @@ UINT PcAccountDetailSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
t.ClientOption->DisableQoS = GetParamYes(o, "NOQOS");
t.ClientOption->NoUdpAcceleration = GetParamYes(o, "DISABLEUDP");
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -6400,14 +6393,7 @@ UINT PcAccountNicSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
StrCpy(t.ClientOption->DeviceName, sizeof(t.ClientOption->DeviceName),
GetParamStr(o, "NICNAME"));
Zero(&c, sizeof(c));
c.ClientAuth = t.ClientAuth;
c.ClientOption = t.ClientOption;
c.CheckServerCert = t.CheckServerCert;
c.RetryOnServerCert = t.RetryOnServerCert;
c.ServerCert = t.ServerCert;
c.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&c, &t);
ret = CcSetAccount(pc->RemoteClient, &c);
}
@ -6459,13 +6445,7 @@ UINT PcAccountStatusShow(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
// Change the settings
t.ClientOption->HideStatusWindow = false;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -6517,13 +6497,7 @@ UINT PcAccountStatusHide(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
// Change the settings
t.ClientOption->HideStatusWindow = true;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -6581,13 +6555,7 @@ UINT PcAccountSecureCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *para
StrCpy(t.ClientAuth->SecurePrivateKeyName, sizeof(t.ClientAuth->SecurePrivateKeyName),
GetParamStr(o, "KEYNAME"));
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -6639,24 +6607,19 @@ UINT PcAccountOpensslEngineCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, voi
{
RPC_CLIENT_CREATE_ACCOUNT z;
t.ClientAuth->AuthType = CLIENT_AUTHTYPE_OPENSSLENGINE;
X *x;
x = FileToXW(GetParamUniStr(o, "LOADCERT"));
if (x == NULL)
{
X *x;
x = FileToXW(GetParamUniStr(o, "LOADCERT"));
if (x == NULL)
{
c->Write(c, _UU("CMD_LOADCERT_FAILED"));
}
}
StrCpy(t.ClientAuth->OpensslEnginePrivateKeyName, sizeof(t.ClientAuth->OpensslEnginePrivateKeyName),
GetParamStr(o, "KEYNAME"));
StrCpy(t.ClientAuth->OpensslEngineName, sizeof(t.ClientAuth->OpensslEngineName),
GetParamStr(o, "ENGINENAME"));
t.ClientAuth->ClientX = CloneX(x);
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -6721,13 +6684,7 @@ UINT PcAccountRetrySet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
t.ClientOption->NumRetry = (num == 999) ? INFINITE : num;
t.ClientOption->RetryInterval = interval;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -6780,13 +6737,7 @@ UINT PcAccountStartupSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
// Change the settings
t.StartupAccount = true;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -6838,13 +6789,7 @@ UINT PcAccountStartupRemove(CONSOLE *c, char *cmd_name, wchar_t *str, void *para
// Change the settings
t.StartupAccount = false;
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.RetryOnServerCert = t.RetryOnServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
ret = CcSetAccount(pc->RemoteClient, &z);
}
@ -6901,12 +6846,7 @@ UINT PcAccountExport(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
UINT buf_size;
UCHAR bom[] = {0xef, 0xbb, 0xbf, };
Zero(&z, sizeof(z));
z.CheckServerCert = t.CheckServerCert;
z.ClientAuth = t.ClientAuth;
z.ClientOption = t.ClientOption;
z.ServerCert = t.ServerCert;
z.StartupAccount = t.StartupAccount;
SetRpcClientCreateAccountFromGetAccount(&z, &t);
b = CiAccountToCfg(&z);
@ -7710,6 +7650,8 @@ void PsMain(PS *ps)
{"CascadeProxySocks5", PsCascadeProxySocks5},
{"CascadeServerCertEnable", PsCascadeServerCertEnable},
{"CascadeServerCertDisable", PsCascadeServerCertDisable},
{"CascadeDefaultCAEnable", PsCascadeDefaultCAEnable},
{"CascadeDefaultCADisable", PsCascadeDefaultCADisable},
{"CascadeServerCertSet", PsCascadeServerCertSet},
{"CascadeServerCertDelete", PsCascadeServerCertDelete},
{"CascadeServerCertGet", PsCascadeServerCertGet},
@ -13287,6 +13229,12 @@ UINT PsCascadeGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME"), tmp);
}
if (t.CheckServerCert)
{
CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA"),
t.AddDefaultCA ? _UU("CMD_MSG_ENABLE") : _UU("CMD_MSG_DISABLE"));
}
// Device name to be used for the connection
StrToUni(tmp, sizeof(tmp), t.ClientOption->DeviceName);
CtInsert(ct, _UU("CMD_ACCOUNT_COLUMN_DEVICE_NAME"), tmp);
@ -14705,6 +14653,134 @@ UINT PsCascadeServerCertDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *
return 0;
}
// Enable trusting default CA list for cascade connection
UINT PsCascadeDefaultCAEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
{
LIST *o;
PS *ps = (PS *)param;
UINT ret = 0;
RPC_CREATE_LINK t;
// Parameter list that can be specified
PARAM args[] =
{
// "name", prompt_proc, prompt_param, eval_proc, eval_param
{"[name]", CmdPrompt, _UU("CMD_CascadeCreate_Prompt_Name"), CmdEvalNotEmpty, NULL},
};
// If virtual HUB is not selected, it's an error
if (ps->HubName == NULL)
{
c->Write(c, _UU("CMD_Hub_Not_Selected"));
return ERR_INVALID_PARAMETER;
}
o = ParseCommandList(c, cmd_name, str, args, sizeof(args) / sizeof(args[0]));
if (o == NULL)
{
return ERR_INVALID_PARAMETER;
}
Zero(&t, sizeof(t));
StrCpy(t.HubName, sizeof(t.HubName), ps->HubName);
t.ClientOption = ZeroMalloc(sizeof(CLIENT_OPTION));
UniStrCpy(t.ClientOption->AccountName, sizeof(t.ClientOption->AccountName), GetParamUniStr(o, "[name]"));
// RPC call
ret = ScGetLink(ps->Rpc, &t);
if (ret != ERR_NO_ERROR)
{
// An error has occured
CmdPrintError(c, ret);
FreeParamValueList(o);
return ret;
}
else
{
// Data change
t.AddDefaultCA = true;
ret = ScSetLink(ps->Rpc, &t);
if (ret != ERR_NO_ERROR)
{
// An error has occured
CmdPrintError(c, ret);
FreeParamValueList(o);
return ret;
}
FreeRpcCreateLink(&t);
}
FreeParamValueList(o);
return 0;
}
// Disable trusting default CA list for cascade connection
UINT PsCascadeDefaultCADisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
{
LIST *o;
PS *ps = (PS *)param;
UINT ret = 0;
RPC_CREATE_LINK t;
// Parameter list that can be specified
PARAM args[] =
{
// "name", prompt_proc, prompt_param, eval_proc, eval_param
{"[name]", CmdPrompt, _UU("CMD_CascadeCreate_Prompt_Name"), CmdEvalNotEmpty, NULL},
};
// If virtual HUB is not selected, it's an error
if (ps->HubName == NULL)
{
c->Write(c, _UU("CMD_Hub_Not_Selected"));
return ERR_INVALID_PARAMETER;
}
o = ParseCommandList(c, cmd_name, str, args, sizeof(args) / sizeof(args[0]));
if (o == NULL)
{
return ERR_INVALID_PARAMETER;
}
Zero(&t, sizeof(t));
StrCpy(t.HubName, sizeof(t.HubName), ps->HubName);
t.ClientOption = ZeroMalloc(sizeof(CLIENT_OPTION));
UniStrCpy(t.ClientOption->AccountName, sizeof(t.ClientOption->AccountName), GetParamUniStr(o, "[name]"));
// RPC call
ret = ScGetLink(ps->Rpc, &t);
if (ret != ERR_NO_ERROR)
{
// An error has occured
CmdPrintError(c, ret);
FreeParamValueList(o);
return ret;
}
else
{
// Data change
t.AddDefaultCA = false;
ret = ScSetLink(ps->Rpc, &t);
if (ret != ERR_NO_ERROR)
{
// An error has occured
CmdPrintError(c, ret);
FreeParamValueList(o);
return ret;
}
FreeRpcCreateLink(&t);
}
FreeParamValueList(o);
return 0;
}
// Server-specific certificate settings of cascade connection
UINT PsCascadeServerCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
{

5
src/Cedar/Command.h
View File

@ -342,6 +342,7 @@ UINT PcNicDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcNicList(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcAccountList(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcAccountCreate(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
void SetRpcClientCreateAccountFromGetAccount(RPC_CLIENT_CREATE_ACCOUNT *c, RPC_CLIENT_GET_ACCOUNT *t);
UINT PcAccountSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcAccountGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcAccountDelete(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
@ -365,6 +366,8 @@ UINT PcAccountServerCertEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *p
UINT PcAccountServerCertDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcAccountRetryOnServerCertEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcAccountRetryOnServerCertDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcAccountDefaultCAEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcAccountDefaultCADisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcAccountServerCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcAccountServerCertDelete(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PcAccountServerCertGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
@ -510,6 +513,8 @@ UINT PsCascadeProxySocks(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PsCascadeProxySocks5(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PsCascadeServerCertEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PsCascadeServerCertDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PsCascadeDefaultCAEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PsCascadeDefaultCADisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PsCascadeServerCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PsCascadeServerCertDelete(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
UINT PsCascadeServerCertGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);

1
src/Cedar/Link.h
View File

@ -31,6 +31,7 @@ struct LINK
UINT CurrentSendPacketQueueSize; // Current send packet queue size
UINT LastError; // Last error
bool CheckServerCert; // To check the server certificate
bool AddDefaultCA; // Use default trust store
X *ServerCert; // Server certificate
bool LockFlag; // Lock flag
bool *StopAllLinkFlag; // Stop all link flag

191
src/Cedar/Protocol.c
View File

@ -4295,7 +4295,6 @@ bool ClientCheckServerCert(CONNECTION *c, bool *expired)
X *x;
CHECK_CERT_THREAD_PROC *p;
THREAD *thread;
CEDAR *cedar;
bool ret;
UINT64 start;
// Validate arguments
@ -4310,31 +4309,10 @@ bool ClientCheckServerCert(CONNECTION *c, bool *expired)
}
auth = c->Session->ClientAuth;
cedar = c->Cedar;
if (auth->CheckCertProc == NULL && c->Session->LinkModeClient == false)
if (auth->CheckCertProc == NULL)
{
// No checking function
return true;
}
if (c->Session->LinkModeClient && c->Session->Link->CheckServerCert == false)
{
// It's in cascade connection mode, but do not check the server certificate
return true;
}
if (c->UseTicket)
{
// Check the certificate of the redirected VPN server
if (CompareX(c->FirstSock->RemoteX, c->ServerX) == false)
{
return false;
}
else
{
return true;
}
return false;
}
x = CloneX(c->FirstSock->RemoteX);
@ -4344,63 +4322,6 @@ bool ClientCheckServerCert(CONNECTION *c, bool *expired)
return false;
}
if (CheckXDateNow(x))
{
// Check whether it is signed by the root certificate to trust
if (c->Session->LinkModeClient == false)
{
// Normal VPN Client mode
if (CheckSignatureByCa(cedar, x))
{
// This certificate can be trusted because it is signed
FreeX(x);
return true;
}
}
else
{
// Cascade connection mode
if (CheckSignatureByCaLinkMode(c->Session, x))
{
// This certificate can be trusted because it is signed
FreeX(x);
return true;
}
}
}
if (c->Session->LinkModeClient)
{
if (CheckXDateNow(x))
{
Lock(c->Session->Link->lock);
{
if (c->Session->Link->ServerCert != NULL)
{
if (CompareX(c->Session->Link->ServerCert, x))
{
Unlock(c->Session->Link->lock);
// Exactly match the certificate that is registered in the cascade configuration
FreeX(x);
return true;
}
}
}
Unlock(c->Session->Link->lock);
}
else
{
if (expired != NULL)
{
*expired = true;
}
}
// Verification failure at this point in the case of cascade connection mode
FreeX(x);
return false;
}
p = ZeroMalloc(sizeof(CHECK_CERT_THREAD_PROC));
p->ServerX = x;
p->CheckCertProc = auth->CheckCertProc;
@ -4418,7 +4339,8 @@ bool ClientCheckServerCert(CONNECTION *c, bool *expired)
{
// Send a NOOP periodically for disconnection prevention
start = Tick64();
ClientUploadNoop(c);
// Do not send because we now ask for user permission before sending signature
//ClientUploadNoop(c);
}
if (p->UserSelected)
{
@ -4477,10 +4399,43 @@ REDIRECTED:
s = ClientConnectToServer(c);
if (s == NULL)
{
// Do not retry if untrusted or hostname mismatched
if (c->Session->LinkModeClient == false && (c->Err == ERR_CERT_NOT_TRUSTED || c->Err == ERR_HOSTNAME_MISMATCH)
&& (c->Session->Account == NULL || ! c->Session->Account->RetryOnServerCert))
{
c->Session->ForceStopFlag = true;
}
PrintStatus(sess, L"free");
return false;
}
PrintStatus(sess, _UU("STATUS_5"));
// Prompt user whether to continue on verification errors
if ((c->Err == ERR_CERT_NOT_TRUSTED || c->Err == ERR_HOSTNAME_MISMATCH || c->Err == ERR_SERVER_CERT_EXPIRES) && ClientCheckServerCert(c, &expired) == false)
{
if (expired)
{
c->Err = ERR_SERVER_CERT_EXPIRES;
}
// Do not retry if untrusted or hostname mismatched
if (c->Session->LinkModeClient == false && (c->Err == ERR_CERT_NOT_TRUSTED || c->Err == ERR_HOSTNAME_MISMATCH)
&& (c->Session->Account == NULL || ! c->Session->Account->RetryOnServerCert))
{
c->Session->ForceStopFlag = true;
}
goto CLEANUP;
}
// Check the certificate of the redirected VPN server
if (c->UseTicket && CompareX(s->RemoteX, c->ServerX) == false)
{
c->Err = ERR_CERT_NOT_TRUSTED;
goto CLEANUP;
}
Copy(&server_ip, &s->RemoteIP, sizeof(IP));
if (c->Halt)
@ -4532,8 +4487,6 @@ REDIRECTED:
goto CLEANUP;
}
PrintStatus(sess, _UU("STATUS_5"));
// Receive a Hello packet
Debug("Downloading Hello...\n");
if (ClientDownloadHello(c, s) == false)
@ -4569,27 +4522,6 @@ REDIRECTED:
// During user authentication
c->Session->ClientStatus = CLIENT_STATUS_AUTH;
// Verify the server certificate by the client
if (ClientCheckServerCert(c, &expired) == false)
{
if (expired == false)
{
c->Err = ERR_CERT_NOT_TRUSTED;
}
else
{
c->Err = ERR_SERVER_CERT_EXPIRES;
}
if (c->Session->LinkModeClient == false && c->Err == ERR_CERT_NOT_TRUSTED
&& (c->Session->Account == NULL || ! c->Session->Account->RetryOnServerCert))
{
c->Session->ForceStopFlag = true;
}
goto CLEANUP;
}
PrintStatus(sess, _UU("STATUS_6"));
// Send the authentication data
@ -6218,16 +6150,29 @@ SOCK *ClientConnectToServer(CONNECTION *c)
SetTimeout(s, CONNECTING_TIMEOUT);
// Start the SSL communication
if (StartSSLEx(s, x, k, 0, c->ServerName) == false)
UINT err = 0;
if (StartSSLEx3(s, x, k, NULL, 0, c->ServerName, c->Session->SslOption, &err) == false)
{
// SSL communication start failure
Disconnect(s);
ReleaseSock(s);
c->FirstSock = NULL;
c->Err = ERR_SERVER_IS_NOT_VPN;
if (err != 0)
{
c->Err = err;
}
else
{
c->Err = ERR_SERVER_IS_NOT_VPN;
}
return NULL;
}
if (err != 0)
{
c->Err = err;
}
if (s->RemoteX == NULL)
{
// SSL communication start failure
@ -6297,6 +6242,7 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect)
if (o->ProxyType == PROXY_DIRECT)
{
UINT ssl_err = 0;
UINT nat_t_err = 0;
wchar_t tmp[MAX_SIZE];
UniFormat(tmp, sizeof(tmp), _UU("STATUS_4"), hostname);
@ -6306,9 +6252,10 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect)
{
// If additional_connect == false, enable trying to NAT-T connection
// If additional_connect == true, follow the IsRUDPSession setting in this session
// In additional connect or redirect we do not need ssl verification as the certificate is always compared with a saved one
sock = TcpIpConnectEx2(hostname, c->ServerPort,
(bool *)cancel_flag, c->hWndForUI, &nat_t_err, (additional_connect ? (!sess->IsRUDPSession) : false),
true, o->HintStr, &resolved_ip);
true, ((additional_connect || c->UseTicket) ? NULL : sess->SslOption), &ssl_err, o->HintStr, &resolved_ip);
}
else
{
@ -6331,7 +6278,14 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect)
// Connection failure
if (nat_t_err != RUDP_ERROR_NAT_T_TWO_OR_MORE)
{
c->Err = ERR_CONNECT_FAILED;
if (ssl_err != 0)
{
c->Err = ssl_err;
}
else
{
c->Err = ERR_CONNECT_FAILED;
}
}
else
{
@ -6340,6 +6294,11 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect)
return NULL;
}
if (ssl_err != 0)
{
c->Err = ssl_err;
}
}
else
{
@ -6445,20 +6404,20 @@ UINT ProxyCodeToCedar(UINT code)
// TCP connection function
SOCK *TcpConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, IP *ret_ip)
{
return TcpConnectEx4(hostname, port, timeout, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, NULL, ret_ip);
return TcpConnectEx4(hostname, port, timeout, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, NULL, NULL, NULL, ret_ip);
}
SOCK *TcpConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, char *hint_str, IP *ret_ip)
SOCK *TcpConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip)
{
#ifdef OS_WIN32
if (hWnd == NULL)
{
#endif // OS_WIN32
return ConnectEx5(hostname, port, timeout, cancel_flag, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), nat_t_error_code, try_start_ssl, true, hint_str, ret_ip);
return ConnectEx5(hostname, port, timeout, cancel_flag, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), nat_t_error_code, try_start_ssl, true, ssl_option, ssl_err, hint_str, ret_ip);
#ifdef OS_WIN32
}
else
{
return WinConnectEx4((HWND)hWnd, hostname, port, timeout, 0, NULL, NULL, nat_t_error_code, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), try_start_ssl, hint_str);
return WinConnectEx4((HWND)hWnd, hostname, port, timeout, 0, NULL, NULL, nat_t_error_code, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), try_start_ssl, ssl_option, ssl_err, hint_str);
}
#endif // OS_WIN32
}
@ -6466,9 +6425,9 @@ SOCK *TcpConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag,
// Connect with TCP/IP
SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, IP *ret_ip)
{
return TcpIpConnectEx2(hostname, port, cancel_flag, hWnd, nat_t_error_code, no_nat_t, try_start_ssl, NULL, ret_ip);
return TcpIpConnectEx2(hostname, port, cancel_flag, hWnd, nat_t_error_code, no_nat_t, try_start_ssl, NULL, NULL, NULL, ret_ip);
}
SOCK *TcpIpConnectEx2(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, char *hint_str, IP *ret_ip)
SOCK *TcpIpConnectEx2(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip)
{
SOCK *s = NULL;
UINT dummy_int = 0;
@ -6483,7 +6442,7 @@ SOCK *TcpIpConnectEx2(char *hostname, UINT port, bool *cancel_flag, void *hWnd,
return NULL;
}
s = TcpConnectEx4(hostname, port, 0, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, hint_str, ret_ip);
s = TcpConnectEx4(hostname, port, 0, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, ssl_option, ssl_err, hint_str, ret_ip);
if (s == NULL)
{
return NULL;

4
src/Cedar/Protocol.h
View File

@ -114,7 +114,7 @@ bool ServerAccept(CONNECTION *c);
bool ClientConnect(CONNECTION *c);
SOCK *ClientConnectToServer(CONNECTION *c);
SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, IP *ret_ip);
SOCK *TcpIpConnectEx2(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, char *hint_str, IP *ret_ip);
SOCK *TcpIpConnectEx2(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip);
bool ClientUploadSignature(SOCK *s);
bool ClientDownloadHello(CONNECTION *c, SOCK *s);
bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str);
@ -122,7 +122,7 @@ bool ServerUploadHello(CONNECTION *c);
bool ClientUploadAuth(CONNECTION *c);
SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect);
SOCK *TcpConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, IP *ret_ip);
SOCK *TcpConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, char *hint_str, IP *ret_ip);
SOCK *TcpConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip);
UINT ProxyCodeToCedar(UINT code);

1
src/Cedar/SM.c
View File

@ -10286,6 +10286,7 @@ bool SmLinkEdit(HWND hWnd, SM_HUB *s, wchar_t *name)
a.ClientAuth = CopyClientAuth(t.ClientAuth);
Copy(&a.Policy, &t.Policy, sizeof(POLICY));
a.CheckServerCert = t.CheckServerCert;
a.AddDefaultCA = t.AddDefaultCA;
a.ServerCert = CloneX(t.ServerCert);
a.HideTrustCert = GetCapsBool(s->p->CapsList, "b_support_config_hub");
FreeRpcCreateLink(&t);

2
src/Cedar/Server.c
View File

@ -3400,6 +3400,7 @@ void SiWriteHubLinkCfg(FOLDER *f, LINK *k)
}
CfgAddBool(f, "CheckServerCert", k->CheckServerCert);
CfgAddBool(f, "AddDefaultCA", k->AddDefaultCA);
if (k->ServerCert != NULL)
{
@ -3450,6 +3451,7 @@ void SiLoadHubLinkCfg(FOLDER *f, HUB *h)
{
BUF *b;
k->CheckServerCert = CfgGetBool(f, "CheckServerCert");
k->AddDefaultCA = CfgGetBool(f, "AddDefaultCA");
b = CfgGetBuf(f, "ServerCert");
if (b != NULL)
{

61
src/Cedar/Session.c
View File

@ -1270,6 +1270,13 @@ void CleanupSession(SESSION *s)
Free(s->ClientAuth);
}
if (s->SslOption != NULL)
{
FreeXList(s->SslOption->CaList);
FreeX(s->SslOption->SavedCert);
Free(s->SslOption);
}
FreeTraffic(s->Traffic);
Free(s->Name);
@ -1949,23 +1956,55 @@ SESSION *NewClientSessionEx(CEDAR *cedar, CLIENT_OPTION *option, CLIENT_AUTH *au
{
s->ClientAuth->ClientX = CloneX(s->ClientAuth->ClientX);
}
if (s->ClientAuth->ClientK != NULL)
{
if (s->ClientAuth->AuthType != CLIENT_AUTHTYPE_OPENSSLENGINE)
{
s->ClientAuth->ClientK = CloneK(s->ClientAuth->ClientK);
}
else
{
s->ClientAuth->ClientK = OpensslEngineToK(s->ClientAuth->OpensslEnginePrivateKeyName, s->ClientAuth->OpensslEngineName);
}
}
if (s->ClientAuth->ClientK != NULL)
{
if (s->ClientAuth->AuthType != CLIENT_AUTHTYPE_OPENSSLENGINE)
{
s->ClientAuth->ClientK = CloneK(s->ClientAuth->ClientK);
}
else
{
s->ClientAuth->ClientK = OpensslEngineToK(s->ClientAuth->OpensslEnginePrivateKeyName, s->ClientAuth->OpensslEngineName);
}
}
if (StrCmpi(s->ClientOption->DeviceName, LINK_DEVICE_NAME) == 0)
{
// Link client mode
s->LinkModeClient = true;
s->Link = (LINK *)s->PacketAdapter->Param;
if (s->Link != NULL && s->Link->CheckServerCert && s->Link->Hub->HubDb != NULL)
{
// Enable SSL peer verification
s->SslOption = ZeroMalloc(sizeof(SSL_VERIFY_OPTION));
s->SslOption->VerifyPeer = true;
s->SslOption->AddDefaultCA = s->Link->AddDefaultCA;
s->SslOption->VerifyHostname = true;
s->SslOption->SavedCert = CloneX(s->Link->ServerCert);
// Copy trusted CA
LIST *o = s->Link->Hub->HubDb->RootCertList;
s->SslOption->CaList = CloneXList(o);
}
}
else
{
if (account != NULL && account->CheckServerCert)
{
// Enable SSL peer verification
s->SslOption = ZeroMalloc(sizeof(SSL_VERIFY_OPTION));
s->SslOption->VerifyPeer = true;
#ifdef OS_WIN32
s->SslOption->PromptOnVerifyFail = true;
#endif
s->SslOption->AddDefaultCA = account->AddDefaultCA;
s->SslOption->VerifyHostname = true;
s->SslOption->SavedCert = CloneX(account->ServerCert);
// Copy trusted CA
LIST *o = cedar->CaList;
s->SslOption->CaList = CloneXList(o);
}
}
if (StrCmpi(s->ClientOption->DeviceName, SNAT_DEVICE_NAME) == 0)

1
src/Cedar/Session.h
View File

@ -91,6 +91,7 @@ struct SESSION
char ClientIP[64]; // Client IP
CLIENT_OPTION *ClientOption; // Client connection options
CLIENT_AUTH *ClientAuth; // Client authentication data
SSL_VERIFY_OPTION *SslOption; // SSL verification option
volatile bool Halt; // Halting flag
volatile bool CancelConnect; // Cancel the connection
EVENT *HaltEvent; // Halting event

8
src/Cedar/WinUi.c
View File

@ -1329,7 +1329,7 @@ void WinConnectDlgThread(THREAD *thread, void *param)
nat_t_svc_name = d->nat_t_svc_name;
}
s = ConnectEx5(d->hostname, d->port, d->timeout, &d->cancel, nat_t_svc_name, &nat_t_error_code, d->try_start_ssl, false, d->hint_str, NULL);
s = ConnectEx5(d->hostname, d->port, d->timeout, &d->cancel, nat_t_svc_name, &nat_t_error_code, d->try_start_ssl, false, d->ssl_option, d->ssl_err, d->hint_str, NULL);
d->ret_sock = s;
d->nat_t_error_code = nat_t_error_code;
@ -1399,9 +1399,9 @@ UINT WinConnectDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *
// TCP connection with showing the UI
SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl)
{
return WinConnectEx4(hWnd, server, port, timeout, icon_id, caption, info, nat_t_error_code, nat_t_svc_name, try_start_ssl, NULL);
return WinConnectEx4(hWnd, server, port, timeout, icon_id, caption, info, nat_t_error_code, nat_t_svc_name, try_start_ssl, NULL, NULL, NULL);
}
SOCK *WinConnectEx4(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl, char *hint_str)
SOCK *WinConnectEx4(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str)
{
wchar_t tmp[MAX_SIZE];
wchar_t tmp2[MAX_SIZE];
@ -1444,6 +1444,8 @@ SOCK *WinConnectEx4(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_
d.timeout = timeout;
d.hostname = server;
d.port = port;
d.ssl_option = ssl_option;
d.ssl_err = ssl_err;
d.hint_str = hint_str;
StrCpy(d.nat_t_svc_name, sizeof(d.nat_t_svc_name), nat_t_svc_name);

4
src/Cedar/WinUi.h
View File

@ -331,6 +331,8 @@ typedef struct WINCONNECT_DLG_DATA
char nat_t_svc_name[MAX_SIZE];
UINT nat_t_error_code;
bool try_start_ssl;
SSL_VERIFY_OPTION *ssl_option;
UINT *ssl_err;
char *hint_str;
} WINCONNECT_DLG_DATA;
@ -695,7 +697,7 @@ HFONT GetMeiryoFontEx(UINT font_size);
HFONT GetMeiryoFontEx2(UINT font_size, bool bold);
bool ShowWindowsNetworkConnectionDialog();
SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl);
SOCK *WinConnectEx4(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl, char *hint_str);
SOCK *WinConnectEx4(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str);
UINT WinConnectDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *param);
void WinConnectDlgThread(THREAD *thread, void *param);
void NicInfo(UI_NICINFO *info);

1
src/Mayaqua/MayaType.h
View File

@ -382,6 +382,7 @@ typedef struct RUDP_SESSION RUDP_SESSION;
typedef struct RUDP_SEGMENT RUDP_SEGMENT;
typedef struct CONNECT_SERIAL_PARAM CONNECT_SERIAL_PARAM;
typedef struct CONNECT_TCP_RUDP_PARAM CONNECT_TCP_RUDP_PARAM;
typedef struct SSL_VERIFY_OPTION SSL_VERIFY_OPTION;
typedef struct TCP_PAIR_HEADER TCP_PAIR_HEADER;
typedef struct NIC_ENTRY NIC_ENTRY;
typedef struct HTTP_VALUE HTTP_VALUE;

141
src/Mayaqua/Network.c
View File

@ -54,7 +54,7 @@
#ifdef OS_WIN32
#include <iphlpapi.h>
#include <WS2tcpip.h>
#include <wincrypt.h>
#include <IcmpAPI.h>
struct ROUTE_CHANGE_DATA
@ -11632,11 +11632,17 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname)
return StartSSLEx2(sock, x, priv, NULL, ssl_timeout, sni_hostname);
}
bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char *sni_hostname)
{
return StartSSLEx3(sock, x, priv, chain, ssl_timeout, sni_hostname, NULL, NULL);
}
bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char *sni_hostname, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err)
{
X509 *x509;
EVP_PKEY *key;
UINT prev_timeout = 1024;
SSL_CTX *ssl_ctx;
UINT dummy_err = 0;
long ssl_verify_err;
#ifdef UNIX_SOLARIS
SOCKET_TIMEOUT_PARAM *ttparam;
@ -11648,6 +11654,10 @@ bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
Debug("StartSSL Error: #0\n");
return false;
}
if (ssl_err == NULL)
{
ssl_err = &dummy_err;
}
if (sock->Connected && sock->Type == SOCK_INPROC && sock->ListenMode == false)
{
sock->SecureMode = true;
@ -11740,6 +11750,55 @@ bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
}
Lock(openssl_lock);
}
else
{
// Client mode
if (ssl_option != NULL && ssl_option->VerifyPeer)
{
// Add default trust store
X509_STORE* store = SSL_CTX_get_cert_store(ssl_ctx);
if (ssl_option->AddDefaultCA)
{
#ifdef OS_WIN32
HCERTSTORE hStore = CertOpenSystemStore(0, "ROOT");
if (hStore != NULL)
{
PCCERT_CONTEXT pContext = NULL;
while ((pContext = CertEnumCertificatesInStore(hStore, pContext)))
{
X509 *x509 = d2i_X509(NULL, (const unsigned char**)&pContext->pbCertEncoded, pContext->cbCertEncoded);
if (x509 != NULL)
{
X509_STORE_add_cert(store, x509);
X509_free(x509);
}
}
CertCloseStore(hStore, 0);
}
#else
SSL_CTX_set_default_verify_paths(ssl_ctx);
#endif
}
// Add trust CA specified by user
UINT i;
for (i = 0; i < LIST_NUM(ssl_option->CaList); ++i)
{
X *ca = LIST_DATA(ssl_option->CaList, i);
X509_STORE_add_cert(store, ca->x509);
}
// Allow intermediate CA to be trusted
X509_VERIFY_PARAM *vpm = SSL_CTX_get0_param(ssl_ctx);
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_PARTIAL_CHAIN);
// Enable hostname verification (by default CN is only checked if SAN is not available)
if (ssl_option->VerifyHostname && IsEmptyStr(sni_hostname) == false)
{
X509_VERIFY_PARAM_set1_host(vpm, sni_hostname, StrLen(sni_hostname));
}
}
}
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
if (sock->SslAcceptSettings.Override_Security_Level)
@ -11880,7 +11939,7 @@ bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
Lock(openssl_lock);
{
x509 = SSL_get_peer_certificate(sock->ssl);
ssl_verify_err = SSL_get_verify_result(sock->ssl);
sock->SslVersion = SSL_get_version(sock->ssl);
}
Unlock(openssl_lock);
@ -11896,6 +11955,49 @@ bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
sock->RemoteX = X509ToX(x509);
}
// Check verification error
if (ssl_option != NULL && ssl_option->VerifyPeer)
{
if (ssl_verify_err != X509_V_OK)
{
// Clear any error if matching saved certificate and not expired
if (ssl_option->SavedCert != NULL && sock->RemoteX != NULL && CheckXDateNow(sock->RemoteX) && CompareX(ssl_option->SavedCert, sock->RemoteX))
{
ssl_verify_err = X509_V_OK;
}
else
{
Debug("StartSSL: SSL verification error %d\n", ssl_verify_err);
switch (ssl_verify_err)
{
case X509_V_ERR_CERT_HAS_EXPIRED:
*ssl_err = 106; // ERR_SERVER_CERT_EXPIRES
break;
case X509_V_ERR_HOSTNAME_MISMATCH:
*ssl_err = 149; // ERR_HOSTNAME_MISMATCH
break;
default:
*ssl_err = 85; // ERR_CERT_NOT_TRUSTED
}
if (ssl_option->PromptOnVerifyFail == false)
{
// SSL verify failure
Lock(openssl_lock);
{
SSL_free(sock->ssl);
sock->ssl = NULL;
}
Unlock(openssl_lock);
Unlock(sock->ssl_lock);
FreeSSLCtx(ssl_ctx);
return false;
}
}
}
}
// Get the certificate of local host
Lock(openssl_lock);
{
@ -13778,20 +13880,7 @@ void ConnectThreadForTcp(THREAD *thread, void *param)
Unlock(p->CancelLock);
// Start the SSL communication
ssl_ret = StartSSLEx(sock, NULL, NULL, 0, p->Hostname);
if (ssl_ret)
{
// Identify whether the HTTPS server to be connected is a SoftEther VPN
SetTimeout(sock, (10 * 1000));
ssl_ret = DetectIsServerSoftEtherVPN(sock);
SetTimeout(sock, INFINITE);
if (ssl_ret == false)
{
Debug("DetectIsServerSoftEtherVPN Error.\n");
}
}
ssl_ret = StartSSLEx3(sock, NULL, NULL, NULL, 0, p->Hostname, p->SslOption, p->SslErr);
Lock(p->CancelLock);
{
@ -13986,6 +14075,8 @@ void ConnectThreadForIPv4(THREAD *thread, void *param)
p1.CancelFlag = &cancel_flag2;
p1.FinishEvent = finish_event;
p1.Tcp_TryStartSsl = p->Tcp_TryStartSsl;
p1.SslOption = p->SslOption;
p1.SslErr = p->SslErr;
p1.CancelLock = NewLock();
// p2: NAT-T
@ -14411,9 +14502,9 @@ SOCK *ConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha
}
SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, IP *ret_ip)
{
return ConnectEx5(hostname, port, timeout, cancel_flag, nat_t_svc_name, nat_t_error_code, try_start_ssl, no_get_hostname, NULL, ret_ip);
return ConnectEx5(hostname, port, timeout, cancel_flag, nat_t_svc_name, nat_t_error_code, try_start_ssl, no_get_hostname, NULL, NULL, NULL, ret_ip);
}
SOCK *ConnectEx5(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, char *hint_str, IP *ret_ip)
SOCK *ConnectEx5(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip)
{
bool dummy = false;
bool use_natt = false;
@ -14496,9 +14587,9 @@ SOCK *ConnectEx5(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha
EVENT *finish_event;
THREAD *t4 = NULL;
THREAD *t6 = NULL;
UINT64 start_tick = Tick64();
bool cancel_flag2 = false;
bool no_delay_flag = false;
IP ret_ip4, ret_ip6;
finish_event = NewEvent();
@ -14517,7 +14608,9 @@ SOCK *ConnectEx5(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha
p6.NoDelayFlag = &no_delay_flag;
p6.FinishEvent = finish_event;
p6.Tcp_TryStartSsl = try_start_ssl;
p6.Ret_Ip = ret_ip;
p6.SslOption = ssl_option;
p6.SslErr = ssl_err;
p6.Ret_Ip = &ret_ip6;
p6.RetryDelay = 250;
p6.Delay = 0;
t6 = NewThread(ConnectThreadForIPv6, &p6);
@ -14538,9 +14631,11 @@ SOCK *ConnectEx5(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha
StrCpy(p4.NatT_SvcName, sizeof(p4.NatT_SvcName), nat_t_svc_name);
p4.FinishEvent = finish_event;
p4.Tcp_TryStartSsl = try_start_ssl;
p4.SslOption = ssl_option;
p4.SslErr = ssl_err;
p4.Use_NatT = use_natt;
p4.Force_NatT = force_use_natt;
p4.Ret_Ip = ret_ip;
p4.Ret_Ip = &ret_ip4;
p4.RetryDelay = 250;
p4.Delay = 250; // Delay by 250ms to prioritize IPv6 (RFC 6555 recommends 150-250ms, Chrome uses 300ms)
t4 = NewThread(ConnectThreadForIPv4, &p4);
@ -14604,7 +14699,7 @@ SOCK *ConnectEx5(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha
{
Disconnect(p4.Sock);
ReleaseSock(p4.Sock);
Copy(ret_ip, &ret_ip6, sizeof(IP));
return p6.Sock;
}
@ -14612,7 +14707,7 @@ SOCK *ConnectEx5(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha
{
Disconnect(p6.Sock);
ReleaseSock(p6.Sock);
Copy(ret_ip, &ret_ip4, sizeof(IP));
return p4.Sock;
}

17
src/Mayaqua/Network.h
View File

@ -816,6 +816,8 @@ struct CONNECT_SERIAL_PARAM
UINT Delay;
UINT RetryDelay;
bool Tcp_TryStartSsl;
SSL_VERIFY_OPTION *SslOption;
UINT *SslErr;
bool Use_NatT;
bool Force_NatT;
IP *Ret_Ip;
@ -842,11 +844,23 @@ struct CONNECT_TCP_RUDP_PARAM
UINT RUdpProtocol;
UINT Delay;
bool Tcp_TryStartSsl;
SSL_VERIFY_OPTION *SslOption;
UINT *SslErr;
LOCK *CancelLock;
SOCK *CancelDisconnectSock;
bool Tcp_InNegotiation;
};
struct SSL_VERIFY_OPTION
{
bool VerifyPeer; // Whether to verify SSL peer
bool PromptOnVerifyFail; // Prompt on verification failure (Windows)
bool AddDefaultCA; // Use default trust store
bool VerifyHostname; // Verify server hostname
LIST *CaList; // Trusted CA list
X *SavedCert; // Saved server certificate
};
#define SSL_DEFAULT_CONNECT_TIMEOUT (15 * 1000) // SSL default timeout
// Header for TCP Pair
@ -1084,7 +1098,7 @@ SOCK *ConnectEx(char *hostname, UINT port, UINT timeout);
SOCK *ConnectEx2(char *hostname, UINT port, UINT timeout, bool *cancel_flag);
SOCK *ConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname);
SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, IP *ret_ip);
SOCK *ConnectEx5(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, char *hint_str, IP *ret_ip);
SOCK *ConnectEx5(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip);
SOCKET ConnectTimeoutIPv4(IP *ip, UINT port, UINT timeout, bool *cancel_flag);
bool SetSocketBufferSize(SOCKET s, bool send, UINT size);
UINT SetSocketBufferSizeWithBestEffort(SOCKET s, bool send, UINT size);
@ -1109,6 +1123,7 @@ UINT SecureRecv(SOCK *sock, void *data, UINT size);
bool StartSSL(SOCK *sock, X *x, K *priv);
bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname);
bool StartSSLEx2(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char *sni_hostname);
bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char *sni_hostname, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err);
bool AddChainSslCert(struct ssl_ctx_st *ctx, X *x);
void AddChainSslCertOnDirectory(struct ssl_ctx_st *ctx);
bool SendAll(SOCK *sock, void *data, UINT size, bool secure);

15
src/PenCore/PenCore.rc
View File

@ -1505,7 +1505,7 @@ BEGIN
EDITTEXT S_DESCRIPTION,7,191,289,45,ES_MULTILINE | ES_AUTOVSCROLL | ES_READONLY | ES_WANTRETURN | WS_VSCROLL
END
D_CM_ACCOUNT DIALOGEX 0, 0, 451, 333
D_CM_ACCOUNT DIALOGEX 0, 0, 451, 346
STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU
CAPTION "@D_CM_ACCOUNT"
FONT 9, "MS Shell Dlg", 400, 0, 0x80
@ -1535,14 +1535,15 @@ BEGIN
CONTROL "@R_SOCKS",R_SOCKS,"Button",BS_AUTORADIOBUTTON,72,194,135,10
CONTROL "@R_SOCKS5",R_SOCKS5,"Button",BS_AUTORADIOBUTTON,72,204,135,10
PUSHBUTTON "@B_PROXY_CONFIG",B_PROXY_CONFIG,74,218,114,15
GROUPBOX "@STATIC11",S_STATIC11,7,245,206,69
GROUPBOX "@STATIC11",S_STATIC11,7,245,206,82
ICON ICO_CERT,IDC_STATIC,14,255,20,18
CONTROL "@R_CHECK_CERT",R_CHECK_CERT,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,41,259,133,9
PUSHBUTTON "@B_TRUST",B_TRUST,41,273,157,15
PUSHBUTTON "@B_SERVER_CERT",B_SERVER_CERT,41,291,77,15
PUSHBUTTON "@B_VIEW_SERVER_CERT",B_VIEW_SERVER_CERT,123,291,75,15
CONTROL "@R_HIDE",R_HIDE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,318,148,9
CONTROL "@R_HIDE2",R_HIDE2,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,158,318,132,9
CONTROL "@R_TRUST_DEFAULT",R_TRUST_DEFAULT,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,41,273,133,9
PUSHBUTTON "@B_TRUST",B_TRUST,41,287,157,15
PUSHBUTTON "@B_SERVER_CERT",B_SERVER_CERT,41,305,77,15
PUSHBUTTON "@B_VIEW_SERVER_CERT",B_VIEW_SERVER_CERT,123,305,75,15
CONTROL "@R_HIDE",R_HIDE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,331,148,9
CONTROL "@R_HIDE2",R_HIDE2,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,158,331,132,9
CONTROL "",L_VLAN,"SysListView32",LVS_REPORT | LVS_SINGLESEL | LVS_SHOWSELALWAYS | LVS_SHAREIMAGELISTS | LVS_NOCOLUMNHEADER | LVS_NOSORTHEADER | WS_BORDER | WS_TABSTOP,233,17,200,66
GROUPBOX "@S_VLAN_GROUP",S_VLAN_GROUP,224,5,220,88
LTEXT "@S_POLICY_1",S_POLICY_1,258,17,163,24,NOT WS_VISIBLE

3
src/PenCore/resource.h
View File

@ -1028,6 +1028,7 @@
#define L_VALUES_LIST 1519
#define B_HTTP_HEADER 1520
#define B_NEW 1521
#define R_TRUST_DEFAULT 1521
#define B_CLEAR 1522
#define B_ONLINE 1655
#define D_NM_CONNECT 1998
@ -1212,7 +1213,7 @@
#define _APS_NO_MFC 1
#define _APS_NEXT_RESOURCE_VALUE 244
#define _APS_NEXT_COMMAND_VALUE 40111
#define _APS_NEXT_CONTROL_VALUE 1521
#define _APS_NEXT_CONTROL_VALUE 1522
#define _APS_NEXT_SYMED_VALUE 102
#endif
#endif

35
src/bin/hamcore/strtable_cn.stb
View File

@ -214,6 +214,7 @@ ERR_145 不可接受的操作。使用 VPN Gate 实用工具修改 VPN Gate
ERR_146 VPN Gate 服务运行在 VPN 客户端程序内。在此屏幕上,你不能停止 VPN Gate 服务。使用 VPN 客户端管理器来启用或禁用 VPN Gate 服务。
ERR_147 不支持此功能。它尚未在 SoftEther VPN 的开源版本上实施。
ERR_148 VPN 连接被中断,因为该系统被暂停。
ERR_149 目标 VPN Server 的证书与指定的主机名不匹配。
#关于许可证
@ -2340,6 +2341,7 @@ R_SOCKS5 通过 SOCKS5 代理服务器连接(&S)
B_PROXY_CONFIG 代理服务器设置(&R)
STATIC11 服务端证书验证选项(&F):
R_CHECK_CERT 总是验证服务端证书(&C)
R_TRUST_DEFAULT 信任系统证书存储
B_TRUST 管理可信发证机关证书列表(&C)
B_SERVER_CERT 指定特定证书(&S)
B_VIEW_SERVER_CERT 查看特定证书(&V)
@ -4410,7 +4412,8 @@ CMD_ACCOUNT_COLUMN_PROXY_PORT 代理服务器的端口号
CMD_ACCOUNT_COLUMN_PROXY_USERNAME 代理服务器的用户名
CMD_ACCOUNT_COLUMN_SERVER_CERT_USE 验证服务器证书
CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME 注册的服务器个人证书
CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT Retry on Untrusted Server Certificate
CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT 遇到不信任的证书时重试
CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA 信任系统证书存储
CMD_ACCOUNT_COLUMN_DEVICE_NAME 用于连接的设备名
CMD_ACCOUNT_COLUMN_AUTH_TYPE 验证类型
CMD_ACCOUNT_COLUMN_AUTH_USERNAME 用户名
@ -4425,7 +4428,7 @@ CMD_ACCOUNT_COLUMN_BRIDGE_ROUTER 通过网桥 / 路由模式连接
CMD_ACCOUNT_COLUMN_MONITOR 通过监测模式连接
CMD_ACCOUNT_COLUMN_NO_TRACKING 不要调整路由表
CMD_ACCOUNT_COLUMN_QOS_DISABLE 不要使用 QoS 控制功能
CMD_ACCOUNT_COLUMN_DISABLEUDP Disable UDP Acceleration
CMD_ACCOUNT_COLUMN_DISABLEUDP 禁用 UDP 加速功能
# Debugging Information Collecting Tool
@ -5513,6 +5516,20 @@ CMD_CascadeServerCertDisable_Args CascadeServerCertDisable [name]
CMD_CascadeServerCertDisable_[name] 指定级联名称来改变设置。
# CascadeDefaultCAEnable 命令
CMD_CascadeDefaultCAEnable 启用信任系统证书存储选项
CMD_CascadeDefaultCAEnable_Help 当启用服务器证书验证时,使用此选项来启用信任系统证书存储的证书。\n如果禁用服务器证书验证则此选项不执行任何操作。
CMD_CascadeDefaultCAEnable_Args CascadeDefaultCAEnable [name]
CMD_CascadeDefaultCAEnable_[name] 指定级联名称来改变设置。
# CascadeDefaultCADisable 命令
CMD_CascadeDefaultCADisable 禁用信任系统证书存储选项
CMD_CascadeDefaultCADisable_Help 当启用服务器证书验证时,使用此选项来禁用信任系统证书存储的证书。\n如果禁用服务器证书验证则此选项不执行任何操作。
CMD_CascadeDefaultCADisable_Args CascadeDefaultCADisable [name]
CMD_CascadeDefaultCADisable_[name] 指定级联名称来改变设置。
# CascadeServerCertSet 命令
CMD_CascadeServerCertSet 设置级联连接的服务器特定证书
CMD_CascadeServerCertSet_Help 指定已经在当前虚拟 HUB 注册的级联连接,当此连接和 VPN Server 之间通信时,事先将连接方提供的 SSL 证书注册。\n如果启用此选项需要将在目标服务器的证书事先通过指令设置到级联的连接设置中或者在虚拟 HUB 的可信任证书列表中,运行 CAAdd 指令,将有服务器的 SSL 证书署名的路线证书添加进去。\n当启用服务器证书验证选项时如果 VPN Server 提供的证书不可信,连接将断开,并重试。\n此命令在集群虚拟 HUB 中不能运行。
@ -6817,6 +6834,20 @@ CMD_AccountRetryOnServerCertDisable_Args AccountRetryOnServerCertDisable [name]
CMD_AccountRetryOnServerCertDisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountDefaultCAEnable 命令
CMD_AccountDefaultCAEnable 启用信任系统证书存储选项
CMD_AccountDefaultCAEnable_Help 当启用服务器证书验证时,使用此选项来启用信任系统证书存储的证书。\n如果禁用服务器证书验证则此选项不执行任何操作。
CMD_AccountDefaultCAEnable_Args AccountDefaultCAEnable [name]
CMD_AccountDefaultCAEnable_[name] 指定要更改设置的连接设置名。
# AccountDefaultCADisable 命令
CMD_AccountDefaultCADisable 禁用信任系统证书存储选项
CMD_AccountDefaultCADisable_Help 当启用服务器证书验证时,使用此选项来禁用信任系统证书存储的证书。\n如果禁用服务器证书验证则此选项不执行任何操作。
CMD_AccountDefaultCADisable_Args AccountDefaultCADisable [name]
CMD_AccountDefaultCADisable_[name] 指定要更改设置的连接设置名。
# AccountServerCertSet 命令
CMD_AccountServerCertSet 设置连接设置的服务器固有证明书
CMD_AccountServerCertSet_Help 指定注册到 VPN Client 的连接设置,其连接设置连接到 VPN Server 时,预先注册与连接目标的 VPN Server 提交的 SSL 证书相同的证书。\n如果启动了连接设置的服务器证书验证选项可以预先将连接目标服务器的 SSL 证书以此指令保存在连接设置的设置内,或需要将服务器的 SSL 证书签名了的根证书,以 CAAdd 指令注册到虚拟 HUB 信任的证明机构的证书列表中。\n验证连接设置的服务器证书的选项处于启动状态连接了的 VPN Server 的证书不可信时,立即解除连接,反复重试。

32
src/bin/hamcore/strtable_en.stb
View File

@ -212,6 +212,8 @@ ERR_145 Unacceptable operation. Use the VPN Gate Utility to modify the conne
ERR_146 The VPN Gate Service is running inside the VPN Client program. You cannot stop the VPN Gate Service on this screen. Use the VPN Client Manager to enable or disable the VPN Gate Service.
ERR_147 This feature is not supported. It hasn't been implemented yet on the open-source version of SoftEther VPN.
ERR_148 The VPN connection was disconnected because the system is being suspended.
ERR_149 The destination VPN Server's certificate does not match the specified hostname.
# Concerning licenses
LICENSE_INFO_URL https://selinks.org/?new_license
@ -2322,6 +2324,7 @@ R_SOCKS5 Connect via &SOCKS5 Proxy Server
B_PROXY_CONFIG P&roxy Server Setting
STATIC11 Server Certificate Veri&fication Option:
R_CHECK_CERT Always Verify Server &Certificate
R_TRUST_DEFAULT Trust System Certificate Store
B_TRUST Manage Trusted CA &Certificate List
B_SERVER_CERT &Specify Individual Cert
B_VIEW_SERVER_CERT Show Indi&vidual Cert
@ -4396,6 +4399,7 @@ CMD_ACCOUNT_COLUMN_PROXY_USERNAME Proxy Server User Name
CMD_ACCOUNT_COLUMN_SERVER_CERT_USE Verify Server Certificate
CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME Registered Server Individual Certificate
CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT Retry on Untrusted Server Certificate
CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA Trust System Certificate Store
CMD_ACCOUNT_COLUMN_DEVICE_NAME Device Name Used for Connection
CMD_ACCOUNT_COLUMN_AUTH_TYPE Authentication Type
CMD_ACCOUNT_COLUMN_AUTH_USERNAME User Name
@ -5496,6 +5500,20 @@ CMD_CascadeServerCertDisable_Args CascadeServerCertDisable [name]
CMD_CascadeServerCertDisable_[name] Specify the name of the Cascade Connection whose setting you want to change.
# CascadeDefaultCAEnable command
CMD_CascadeDefaultCAEnable Enable Trust System Certificate Store Option
CMD_CascadeDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_CascadeDefaultCAEnable_Args CascadeDefaultCAEnable [name]
CMD_CascadeDefaultCAEnable_[name] Specify the name of the Cascade Connection whose setting you want to change.
# CascadeDefaultCADisable command
CMD_CascadeDefaultCADisable Disable Trust System Certificate Store Option
CMD_CascadeDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_CascadeDefaultCADisable_Args CascadeDefaultCADisable [name]
CMD_CascadeDefaultCADisable_[name] Specify the name of the Cascade Connection whose setting you want to change.
# CascadeServerCertSet command
CMD_CascadeServerCertSet Set the Server Individual Certificate for Cascade Connection
CMD_CascadeServerCertSet_Help When a Cascade Connection registered on the currently managed Virtual Hub is specified and that Cascade Connection connects to a VPN Server, use this to register beforehand the same certificate as the SSL certificate provided by the destination VPN Server. \nIf the option to verify server certificates for Cascade Connections is enabled, you must either use this command to save the connection destination server SSL certificate beforehand in the Cascade Connection Settings beforehand, or use the CAAdd command etc. to register a root certificate containing the signed server SSL certificate in the list of Virtual Hub trusted CA certificates. \nIf the certificate of the connected VPN Server cannot be trusted under the condition where the option to verify server certificates was enabled for the Cascade Connection, the connection will be promptly cancelled and continual reattempts at connection will be made. \nYou cannot execute this command for Virtual Hubs of VPN Servers operating as a cluster.
@ -6803,6 +6821,20 @@ CMD_AccountRetryOnServerCertDisable_Args AccountRetryOnServerCertDisable [name]
CMD_AccountRetryOnServerCertDisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountDefaultCAEnable command
CMD_AccountDefaultCAEnable Enable Trust System Certificate Store Option
CMD_AccountDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_AccountDefaultCAEnable_Args AccountDefaultCAEnable [name]
CMD_AccountDefaultCAEnable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountDefaultCADisable command
CMD_AccountDefaultCADisable Disable Trust System Certificate Store Option
CMD_AccountDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_AccountDefaultCADisable_Args AccountDefaultCADisable [name]
CMD_AccountDefaultCADisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountServerCertSet command
CMD_AccountServerCertSet Set Server Individual Certificate for VPN Connection Setting
CMD_AccountServerCertSet_Help When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting connects to a VPN Server, use this to register the same certificate as the SSL certificate provided by the destination VPN Server. \nIf the option to verify server certificates for VPN Connection Settings is enabled, you must either use this command to save the connection destination server SSL certificate beforehand in the VPN Connection Setting settings beforehand, or use the CAAdd command etc. to register a root certificate containing the signed server SSL certificate in the list of Virtual Hub trusted CA certificates. \nIf the certificate of the connected VPN Server cannot be trusted under the condition where the option to verify server certificates has been enabled for the VPN Connection Setting, the connection will be promptly cancelled and continual reattempts at connection will be made.

33
src/bin/hamcore/strtable_ja.stb
View File

@ -214,7 +214,7 @@ ERR_145 この操作は実行できません。VPN Gate 公開 VPN 中継サ
ERR_146 VPN Gate サービスが VPN Client 内で動作している場合は、この設定画面から VPN Gate サービスを停止することはできません。VPN Gate サービスを停止するには、VPN Client 接続マネージャの設定ツールを使用してください。
ERR_147 この機能はオープンソース版 SoftEther VPN にはまだ実装されていません。
ERR_148 Windows システムがサスペンド状態に移行中のため、VPN 通信が切断されました。
ERR_149 接続先サーバーの提示した証明書が指定したホスト名と一致しません。
# ライセンス関係
@ -2328,6 +2328,7 @@ R_SOCKS5 SOCKS5 プロキシサーバー経由接続(&S)
B_PROXY_CONFIG プロキシサーバーの接続設定(&2)
STATIC11 サーバー証明書の検証オプション(&F):
R_CHECK_CERT サーバー証明書を必ず検証する(&3)
R_TRUST_DEFAULT システム証明書ストアを信頼する
B_TRUST 信頼する証明機関の証明書の管理(&4)
B_SERVER_CERT 固有証明書の登録(&R)
B_VIEW_SERVER_CERT 固有証明書の表示(&5)
@ -4401,6 +4402,7 @@ CMD_ACCOUNT_COLUMN_PROXY_USERNAME プロキシサーバーのユーザー名
CMD_ACCOUNT_COLUMN_SERVER_CERT_USE サーバー証明書の検証
CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME 登録されているサーバー固有証明書
CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT サーバー証明書が信頼できない場合に接続を再試行する
CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA システム証明書ストアを信頼する
CMD_ACCOUNT_COLUMN_DEVICE_NAME 接続に使用するデバイス名
CMD_ACCOUNT_COLUMN_AUTH_TYPE 認証の種類
CMD_ACCOUNT_COLUMN_AUTH_USERNAME ユーザー名
@ -5500,6 +5502,20 @@ CMD_CascadeServerCertDisable_Args CascadeServerCertDisable [name]
CMD_CascadeServerCertDisable_[name] 設定を変更するカスケード接続の名前を指定します。
# CascadeDefaultCAEnable コマンド
CMD_CascadeDefaultCAEnable システム証明書ストアからの証明書の信頼を有効化
CMD_CascadeDefaultCAEnable_Help サーバー証明書の検証が有効になっている場合、システム証明書ストアからの証明書の信頼を有効にします。\nサーバー証明書の検証が無効になっている場合、このオプションは何もしません。
CMD_CascadeDefaultCAEnable_Args CascadeDefaultCAEnable [name]
CMD_CascadeDefaultCAEnable_[name] 設定を変更するカスケード接続の名前を指定します。
# CascadeDefaultCADisable コマンド
CMD_CascadeDefaultCADisable システム証明書ストアからの証明書の信頼を無効化
CMD_CascadeDefaultCADisable_Help サーバー証明書の検証が有効になっている場合、システム証明書ストアからの証明書の信頼を無効にします。\nサーバー証明書の検証が無効になっている場合、このオプションは何もしません。
CMD_CascadeDefaultCADisable_Args CascadeDefaultCADisable [name]
CMD_CascadeDefaultCADisable_[name] 設定を変更するカスケード接続の名前を指定します。
# CascadeServerCertSet コマンド
CMD_CascadeServerCertSet カスケード接続のサーバー固有証明書の設定
CMD_CascadeServerCertSet_Help 現在管理している仮想 HUB に登録されているカスケード接続を指定し、そのカスケード接続が VPN Server に対して接続する際に、接続先の VPN Server の提示する SSL 証明書と同じ証明書をあらかじめ登録します。\nカスケード接続の、サーバー証明書の検証オプションが有効になっている場合、接続先サーバーの SSL 証明書を、あらかじめこのコマンドでカスケード接続設定内に保存しておくか、または仮想 HUB の信頼する証明機関の証明書一覧に、サーバーの SSL 証明書を署名したルート証明書を CAAdd コマンドなどで登録しておく必要があります。\nカスケード接続の、サーバー証明書の検証オプションが有効になっている状態で接続した VPN Server の証明書が信頼できない場合、直ちに接続を解除して再試行を繰り返します。\nこのコマンドは、クラスタとして動作している VPN Server の仮想 HUB では実行できません。
@ -6801,7 +6817,6 @@ CMD_AccountServerCertDisable_[name] 設定を変更する接続設定の名前
# AccountRetryOnServerCertEnable コマンド
CMD_AccountRetryOnServerCertEnable 接続設定のサーバー証明書が信頼できない場合の接続再試行を有効化
CMD_AccountRetryOnServerCertEnable_Help 接続設定のサーバー証明書の検証プションが有効になっている状態で、 VPN Server の証明書が信頼できない場合、直ちに接続を解除して再試行を繰り返します。AccountRetryOnServerCertDisableコマンドを使用することにより再試行を行わないように設定することができますが、このコマンドを使用することにより、デフォルトの接続再試行を行う状態に戻すことができます。
CMD_AccountRetryOnServerCertEnable_Args AccountRetryOnServerCertEnable [name]
CMD_AccountRetryOnServerCertEnable_[name] 設定を変更する接続設定の名前を指定します。
@ -6813,6 +6828,20 @@ CMD_AccountRetryOnServerCertDisable_Args AccountRetryOnServerCertDisable [name]
CMD_AccountRetryOnServerCertDisable_[name] 設定を変更する接続設定の名前を指定します。
# AccountDefaultCAEnable コマンド
CMD_AccountDefaultCAEnable システム証明書ストアからの証明書の信頼を有効化
CMD_AccountDefaultCAEnable_Help サーバー証明書の検証が有効になっている場合、システム証明書ストアからの証明書の信頼を有効にします。\nサーバー証明書の検証が無効になっている場合、このオプションは何もしません。
CMD_AccountDefaultCAEnable_Args AccountDefaultCAEnable [name]
CMD_AccountDefaultCAEnable_[name] 設定を変更する接続設定の名前を指定します。
# AccountDefaultCADisable コマンド
CMD_AccountDefaultCADisable システム証明書ストアからの証明書の信頼を無効化
CMD_AccountDefaultCADisable_Help サーバー証明書の検証が有効になっている場合、システム証明書ストアからの証明書の信頼を無効にします。\nサーバー証明書の検証が無効になっている場合、このオプションは何もしません。
CMD_AccountDefaultCADisable_Args AccountDefaultCADisable [name]
CMD_AccountDefaultCADisable_[name] 設定を変更する接続設定の名前を指定します。
# AccountServerCertSet コマンド
CMD_AccountServerCertSet 接続設定のサーバー固有証明書の設定
CMD_AccountServerCertSet_Help VPN Client に登録されている接続設定を指定し、その接続設定が VPN Server に対して接続する際に、接続先の VPN Server の提示する SSL 証明書と同じ証明書をあらかじめ登録します。\n接続設定のサーバー証明書の検証オプションが有効になっている場合、接続先サーバーの SSL 証明書をあらかじめこのコマンドで接続設定設定内に保存しておくか、または仮想 HUB の信頼する証明機関の証明書一覧に、サーバーの SSL 証明書を署名したルート証明書を CAAdd コマンドなどで登録しておく必要があります。\n接続設定のサーバー証明書の検証オプションが有効になっている状態で、接続した VPN Server の証明書が信頼できない場合、直ちに接続を解除して再試行を繰り返します。

32
src/bin/hamcore/strtable_ko.stb
View File

@ -218,7 +218,7 @@ ERR_145 이 작업을 수행 할 수 없습니다. VPN Gate 공개 VPN 중계
ERR_146 VPN Gate 서비스가 VPN Client에서 실행중인 경우이 설정 화면에서 VPN Gate 서비스를 중지 할 수 없습니다. VPN Gate 서비스를 중지하려면 VPN Client 연결 관리자 설정 도구를 사용하십시오.
ERR_147 이 기능은 오픈 소스 버전 SoftEther VPN은 아직 구현되어 있지 않습니다.
ERR_148 Windows 시스템이 대기 상태로 전환 중이기 때문에 VPN 통신이 끊어졌습니다.
ERR_149 대상 VPN 서버의 인증서가 지정된 호스트 이름과 일치하지 않습니다.
# 라이센스 관계
@ -2306,6 +2306,7 @@ R_SOCKS5 SOCKS5 프록시 서버를 통해 연결 (&S)
B_PROXY_CONFIG 프록시 서버 연결 설정 (&2)
STATIC11 서버 인증서 검증 옵션 (&F):
R_CHECK_CERT 서버 인증서를 반드시 확인한다 (&3)
R_TRUST_DEFAULT 시스템 인증서 저장소 신뢰
B_TRUST 신뢰하는 인증 기관의 인증서 관리 (&4)
B_SERVER_CERT 고유 인증서 등록 (&R)
B_VIEW_SERVER_CERT 고유 인증서보기 (&5)
@ -4379,6 +4380,7 @@ CMD_ACCOUNT_COLUMN_PROXY_USERNAME 프록시 서버의 사용자 이름
CMD_ACCOUNT_COLUMN_SERVER_CERT_USE 서버 인증서 확인
CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME 등록 된 서버 별 인증서
CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT Retry on Untrusted Server Certificate
CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA 시스템 인증서 저장소 신뢰
CMD_ACCOUNT_COLUMN_DEVICE_NAME 연결에 사용할 장치 이름
CMD_ACCOUNT_COLUMN_AUTH_TYPE 인증의 종류
CMD_ACCOUNT_COLUMN_AUTH_USERNAME 사용자 이름
@ -5477,6 +5479,20 @@ CMD_CascadeServerCertDisable_Args CascadeServerCertDisable [name]
CMD_CascadeServerCertDisable_[name] 설정을 변경 계단식의 이름을 지정합니다.
# CascadeDefaultCAEnable command
CMD_CascadeDefaultCAEnable Enable Trust System Certificate Store Option
CMD_CascadeDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_CascadeDefaultCAEnable_Args CascadeDefaultCAEnable [name]
CMD_CascadeDefaultCAEnable_[name] Specify the name of the Cascade Connection whose setting you want to change.
# CascadeDefaultCADisable command
CMD_CascadeDefaultCADisable Disable Trust System Certificate Store Option
CMD_CascadeDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_CascadeDefaultCADisable_Args CascadeDefaultCADisable [name]
CMD_CascadeDefaultCADisable_[name] Specify the name of the Cascade Connection whose setting you want to change.
# CascadeServerCertSet 명령
CMD_CascadeServerCertSet 계단식 서버 별 인증서 설정
CMD_CascadeServerCertSet_Help 현재 관리하고있는 가상 HUB에 등록되어있는 계단식 지정하고 계단식가 VPN Server에 연결할 때 연결하려는 VPN Server가 제시하는 SSL 인증서와 동일한 인증서를 미리 등록합니다. \n 계단식 서버 인증서 검증 옵션이 활성화되어있는 경우 연결할 서버의 SSL 인증서를 미리이 명령에서 계단식 설정에 저장할하거나 가상 HUB의 신뢰 인증 기관의 인증서 목록에 서버의 SSL 인증서를 서명 한 루트 인증서를 CAAdd 명령 등으로 등록되어 있어야합니다. \n 계단식 서버 인증서 검증 옵션이 활성화되어있는 상태에서 연결 한 VPN Server의 인증서를 신뢰할 수없는 경우 즉시 연결을 해제하고 재 시도를 반복합니다. \n이 명령은 클러스터로 작동하는 VPN Server의 가상 HUB에서는 실행되지 않습니다.
@ -6787,6 +6803,20 @@ CMD_AccountRetryOnServerCertDisable_Args AccountRetryOnServerCertDisable [name]
CMD_AccountRetryOnServerCertDisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountDefaultCAEnable command
CMD_AccountDefaultCAEnable Enable Trust System Certificate Store Option
CMD_AccountDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_AccountDefaultCAEnable_Args AccountDefaultCAEnable [name]
CMD_AccountDefaultCAEnable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountDefaultCADisable command
CMD_AccountDefaultCADisable Disable Trust System Certificate Store Option
CMD_AccountDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_AccountDefaultCADisable_Args AccountDefaultCADisable [name]
CMD_AccountDefaultCADisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountServerCertSet 명령
CMD_AccountServerCertSet 연결 설정 서버 별 인증서 설정
CMD_AccountServerCertSet_Help VPN Client에 등록되어있는 연결 설정을 지정하고 연결 설정 VPN Server에 연결할 때 연결하려는 VPN Server가 제시하는 SSL 인증서와 동일한 인증서를 미리 등록합니다. \n 연결 설정 서버 인증서 검증 옵션이 활성화되어있는 경우 연결할 서버의 SSL 인증서를 미리이 명령에서 연결 설정 설정에 저장할하거나 가상 HUB 신뢰하는 인증 기관 인증서 목록에 서버의 SSL 인증서를 서명 한 루트 인증서를 CAAdd 명령 등으로 등록되어 있어야합니다. \n 연결 설정 서버 인증서 검증 옵션이 활성화되어있는 상태에서 연결 한 VPN Server의 인증서를 신뢰할 수없는 경우 즉시 연결을 해제하고 재 시도를 반복합니다.

31
src/bin/hamcore/strtable_pt_br.stb
View File

@ -231,6 +231,7 @@ ERR_145 Unacceptable operation. Use the VPN Gate Utility to modify the connectio
ERR_146 The VPN Gate Service is running inside the VPN Client program. You cannot stop the VPN Gate Service on this screen. Use the VPN Client Manager to enable or disable the VPN Gate Service.
ERR_147 This feature is not supported. It hasn't been implemented yet on the open-source version of SoftEther VPN.
ERR_148 The VPN connection was disconnected because the system is being suspended.
ERR_149 The destination VPN Server's certificate does not match the specified hostname.
# Concerning licenses
@ -2299,6 +2300,7 @@ R_SOCKS5 Conectar via servidor proxy &SOCKS5
B_PROXY_CONFIG Configuração do servidor &proxy
STATIC11 Opção de verificação do certificado do servidor:
R_CHECK_CERT Sempre verificar o certificado do servidor
R_TRUST_DEFAULT Confie no armazenamento de certificados do sistema
B_TRUST Gerenciar lista de &certificados CA confiáveis
B_SERVER_CERT Certificado &individual
B_VIEW_SERVER_CERT &Mostrar individual
@ -4112,6 +4114,7 @@ CMD_ACCOUNT_COLUMN_PROXY_USERNAME Proxy Server User Name
CMD_ACCOUNT_COLUMN_SERVER_CERT_USE Verify Server Certificate
CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME Registered Server Individual Certificate
CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT Retry on Untrusted Server Certificate
CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA Trust System Certificate Store
CMD_ACCOUNT_COLUMN_DEVICE_NAME Device Name Used for Connection
CMD_ACCOUNT_COLUMN_AUTH_TYPE Authentication Type
CMD_ACCOUNT_COLUMN_AUTH_USERNAME Nome de usuário
@ -5225,6 +5228,20 @@ CMD_CascadeServerCertDisable_Args CascadeServerCertDisable [name]
CMD_CascadeServerCertDisable_[name] Specify the name of the Cascade Connection whose setting you want to change.
# CascadeDefaultCAEnable command
CMD_CascadeDefaultCAEnable Enable Trust System Certificate Store Option
CMD_CascadeDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_CascadeDefaultCAEnable_Args CascadeDefaultCAEnable [name]
CMD_CascadeDefaultCAEnable_[name] Specify the name of the Cascade Connection whose setting you want to change.
# CascadeDefaultCADisable command
CMD_CascadeDefaultCADisable Disable Trust System Certificate Store Option
CMD_CascadeDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_CascadeDefaultCADisable_Args CascadeDefaultCADisable [name]
CMD_CascadeDefaultCADisable_[name] Specify the name of the Cascade Connection whose setting you want to change.
# CascadeServerCertSet command
CMD_CascadeServerCertSet Set the Server Individual Certificate for Cascade Connection
CMD_CascadeServerCertSet_Help When a Cascade Connection registered on the currently managed Virtual Hub is specified and that Cascade Connection connects to a VPN Server, use this to register beforehand the same certificate as the SSL certificate provided by the destination VPN Server. \nIf the option to verify server certificates for Cascade Connections is enabled, you must either use this command to save the connection destination server SSL certificate beforehand in the Cascade Connection Settings beforehand, or use the CAAdd command etc. to register a root certificate containing the signed server SSL certificate in the list of Virtual Hub trusted CA certificates. \nIf the certificate of the connected VPN Server cannot be trusted under the condition where the option to verify server certificates was enabled for the Cascade Connection, the connection will be promptly cancelled and continual reattempts at connection will be made. \nYou cannot execute this command for Virtual Hubs of VPN Servers operating as a cluster.
@ -6539,6 +6556,20 @@ CMD_AccountRetryOnServerCertDisable_Args AccountRetryOnServerCertDisable [name]
CMD_AccountRetryOnServerCertDisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountDefaultCAEnable command
CMD_AccountDefaultCAEnable Enable Trust System Certificate Store Option
CMD_AccountDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_AccountDefaultCAEnable_Args AccountDefaultCAEnable [name]
CMD_AccountDefaultCAEnable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountDefaultCADisable command
CMD_AccountDefaultCADisable Disable Trust System Certificate Store Option
CMD_AccountDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_AccountDefaultCADisable_Args AccountDefaultCADisable [name]
CMD_AccountDefaultCADisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountServerCertSet command
CMD_AccountServerCertSet Set Server Individual Certificate for VPN Connection Setting
CMD_AccountServerCertSet_Help When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting connects to a VPN Server, use this to register the same certificate as the SSL certificate provided by the destination VPN Server. \nIf the option to verify server certificates for VPN Connection Settings is enabled, you must either use this command to save the connection destination server SSL certificate beforehand in the VPN Connection Setting settings beforehand, or use the CAAdd command etc. to register a root certificate containing the signed server SSL certificate in the list of Virtual Hub trusted CA certificates. \nIf the certificate of the connected VPN Server cannot be trusted under the condition where the option to verify server certificates has been enabled for the VPN Connection Setting, the connection will be promptly cancelled and continual reattempts at connection will be made.

32
src/bin/hamcore/strtable_ru.stb
View File

@ -212,6 +212,8 @@ ERR_145 Unacceptable operation. Use the VPN Gate Utility to modify the conne
ERR_146 The VPN Gate Service is running inside the VPN Client program. You cannot stop the VPN Gate Service on this screen. Use the VPN Client Manager to enable or disable the VPN Gate Service.
ERR_147 This feature is not supported. It hasn't been implemented yet on the open-source version of SoftEther VPN.
ERR_148 The VPN connection was disconnected because the system is being suspended.
ERR_149 The destination VPN Server's certificate does not match the specified hostname.
# Concerning licenses
LICENSE_INFO_URL https://selinks.org/?new_license
@ -2322,6 +2324,7 @@ R_SOCKS5 Connect via &SOCKS5 Proxy Server
B_PROXY_CONFIG P&roxy Server Setting
STATIC11 Server Certificate Veri&fication Option:
R_CHECK_CERT Always Verify Server &Certificate
R_TRUST_DEFAULT Trust System Certificate Store
B_TRUST Manage Trusted CA &Certificate List
B_SERVER_CERT &Specify Individual Cert
B_VIEW_SERVER_CERT Show Indi&vidual Cert
@ -4395,6 +4398,7 @@ CMD_ACCOUNT_COLUMN_PROXY_PORT Proxy Server Port Number
CMD_ACCOUNT_COLUMN_PROXY_USERNAME Proxy Server User Name
CMD_ACCOUNT_COLUMN_SERVER_CERT_USE Verify Server Certificate
CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME Registered Server Individual Certificate
CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA Trust System Certificate Store
CMD_ACCOUNT_COLUMN_DEVICE_NAME Device Name Used for Connection
CMD_ACCOUNT_COLUMN_AUTH_TYPE Authentication Type
CMD_ACCOUNT_COLUMN_AUTH_USERNAME User Name
@ -5497,6 +5501,20 @@ CMD_CascadeServerCertDisable_Args CascadeServerCertDisable [name]
CMD_CascadeServerCertDisable_[name] Specify the name of the Cascade Connection whose setting you want to change.
# CascadeDefaultCAEnable command
CMD_CascadeDefaultCAEnable Enable Trust System Certificate Store Option
CMD_CascadeDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_CascadeDefaultCAEnable_Args CascadeDefaultCAEnable [name]
CMD_CascadeDefaultCAEnable_[name] Specify the name of the Cascade Connection whose setting you want to change.
# CascadeDefaultCADisable command
CMD_CascadeDefaultCADisable Disable Trust System Certificate Store Option
CMD_CascadeDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_CascadeDefaultCADisable_Args CascadeDefaultCADisable [name]
CMD_CascadeDefaultCADisable_[name] Specify the name of the Cascade Connection whose setting you want to change.
# CascadeServerCertSet command
CMD_CascadeServerCertSet Set the Server Individual Certificate for Cascade Connection
CMD_CascadeServerCertSet_Help When a Cascade Connection registered on the currently managed Virtual Hub is specified and that Cascade Connection connects to a VPN Server, use this to register beforehand the same certificate as the SSL certificate provided by the destination VPN Server. \nIf the option to verify server certificates for Cascade Connections is enabled, you must either use this command to save the connection destination server SSL certificate beforehand in the Cascade Connection Settings beforehand, or use the CAAdd command etc. to register a root certificate containing the signed server SSL certificate in the list of Virtual Hub trusted CA certificates. \nIf the certificate of the connected VPN Server cannot be trusted under the condition where the option to verify server certificates was enabled for the Cascade Connection, the connection will be promptly cancelled and continual reattempts at connection will be made. \nYou cannot execute this command for Virtual Hubs of VPN Servers operating as a cluster.
@ -6790,6 +6808,20 @@ CMD_AccountServerCertDisable_Args AccountServerCertDisable [name]
CMD_AccountServerCertDisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountDefaultCAEnable command
CMD_AccountDefaultCAEnable Enable Trust System Certificate Store Option
CMD_AccountDefaultCAEnable_Help When server certificate verification is enabled, use this to enable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_AccountDefaultCAEnable_Args AccountDefaultCAEnable [name]
CMD_AccountDefaultCAEnable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountDefaultCADisable command
CMD_AccountDefaultCADisable Disable Trust System Certificate Store Option
CMD_AccountDefaultCADisable_Help When server certificate verification is enabled, use this to disable trusting certificates from the system trust store. \nIf server certificate verification is disabled, this option does nothing.
CMD_AccountDefaultCADisable_Args AccountDefaultCADisable [name]
CMD_AccountDefaultCADisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountServerCertSet command
CMD_AccountServerCertSet Set Server Individual Certificate for VPN Connection Setting
CMD_AccountServerCertSet_Help When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting connects to a VPN Server, use this to register the same certificate as the SSL certificate provided by the destination VPN Server. \nIf the option to verify server certificates for VPN Connection Settings is enabled, you must either use this command to save the connection destination server SSL certificate beforehand in the VPN Connection Setting settings beforehand, or use the CAAdd command etc. to register a root certificate containing the signed server SSL certificate in the list of Virtual Hub trusted CA certificates. \nIf the certificate of the connected VPN Server cannot be trusted under the condition where the option to verify server certificates has been enabled for the VPN Connection Setting, the connection will be promptly cancelled and continual reattempts at connection will be made.

35
src/bin/hamcore/strtable_tw.stb
View File

@ -218,6 +218,7 @@ ERR_145 不可接受的操作。使用 VPN Gate 實用工具修改 VPN Gate
ERR_146 VPN Gate 服務運行在 VPN 用戶端程式內。在此螢幕上,你不能停止 VPN Gate 服務。使用 VPN 用戶端管理器來啟用或禁用 VPN Gate 服務。
ERR_147 不支援此功能。它尚未在 SoftEther VPN 的開源版本上實施。
ERR_148 VPN 連接被中斷,因為該系統被暫停。
ERR_149 目標 VPN Server 的證書與指定的主機名稱不匹配。
#關於許可證
@ -2342,6 +2343,7 @@ R_SOCKS5 通過 SOCKS5 代理伺服器連接(&S)
B_PROXY_CONFIG 代理伺服器設置(&R)
STATIC11 服務端證書驗證選項(&F):
R_CHECK_CERT 總是驗證服務端證書(&C)
R_TRUST_DEFAULT 信任系統憑證存放區
B_TRUST 管理可信發證機關證書列表(&C)
B_SERVER_CERT 指定特定證書(&S)
B_VIEW_SERVER_CERT 查看特定證書(&V)
@ -4411,7 +4413,8 @@ CMD_ACCOUNT_COLUMN_PROXY_PORT 代理伺服器的埠號
CMD_ACCOUNT_COLUMN_PROXY_USERNAME 代理伺服器的用戶名
CMD_ACCOUNT_COLUMN_SERVER_CERT_USE 驗證伺服器憑證
CMD_ACCOUNT_COLUMN_SERVER_CERT_NAME 註冊的伺服器個人證書
CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT Retry on Untrusted Server Certificate
CMD_ACCOUNT_COLUMN_RETRY_ON_SERVER_CERT 遇到不信任的證書時重試
CMD_ACCOUNT_COLUMN_ADD_DEFAULT_CA 信任系統憑證存放區
CMD_ACCOUNT_COLUMN_DEVICE_NAME 用於連接的設備名
CMD_ACCOUNT_COLUMN_AUTH_TYPE 驗證類型
CMD_ACCOUNT_COLUMN_AUTH_USERNAME 用戶名
@ -4426,7 +4429,7 @@ CMD_ACCOUNT_COLUMN_BRIDGE_ROUTER 通過橋接器 / 路由模式連接
CMD_ACCOUNT_COLUMN_MONITOR 通過監測模式連接
CMD_ACCOUNT_COLUMN_NO_TRACKING 不要調整路由表
CMD_ACCOUNT_COLUMN_QOS_DISABLE 不要使用 QoS 控制功能
CMD_ACCOUNT_COLUMN_DISABLEUDP Disable UDP Acceleration
CMD_ACCOUNT_COLUMN_DISABLEUDP 禁用 UDP 加速功能
# Debugging Information Collecting Tool
@ -5514,6 +5517,20 @@ CMD_CascadeServerCertDisable_Args CascadeServerCertDisable [name]
CMD_CascadeServerCertDisable_[name] 指定級聯名稱來改變設置。
# CascadeDefaultCAEnable 命令
CMD_CascadeDefaultCAEnable 啟用信任系統憑證存放區選項
CMD_CascadeDefaultCAEnable_Help 當啟用服務器憑證驗證時,使用此選項來啟用信任系統憑證存放區的證書。\n如果禁用服務器憑證驗證則此選項不執行任何操作。
CMD_CascadeDefaultCAEnable_Args CascadeDefaultCAEnable [name]
CMD_CascadeDefaultCAEnable_[name] 指定級聯名稱來改變設置。
# CascadeDefaultCADisable 命令
CMD_CascadeDefaultCADisable 禁用信任系統憑證存放區選項
CMD_CascadeDefaultCADisable_Help 當啟用服務器憑證驗證時,使用此選項來禁用信任系統憑證存放區的證書。\n如果禁用服務器憑證驗證則此選項不執行任何操作。
CMD_CascadeDefaultCADisable_Args CascadeDefaultCADisable [name]
CMD_CascadeDefaultCADisable_[name] 指定級聯名稱來改變設置。
# CascadeServerCertSet 命令
CMD_CascadeServerCertSet 設置級聯連接的伺服器特定證書
CMD_CascadeServerCertSet_Help 指定已經在當前虛擬 HUB 註冊的級聯連接,當此連接和 VPN Server 之間通信時,事先將連接方提供的 SSL 證書註冊。\n如果啟用此選項需要將在目標伺服器的證書事先通過指令設置到級聯的連接設置中或者在虛擬 HUB 的可信任證書清單中,運行 CAAdd 指令,將有伺服器的 SSL 證書署名的路線證書添加進去。\n當啟用伺服器憑證驗證選項時如果 VPN Server 提供的證書不可信,連接將斷開,並重試。\n此命令在集群虛擬 HUB 中不能運行。
@ -6819,6 +6836,20 @@ CMD_AccountRetryOnServerCertDisable_Args AccountRetryOnServerCertDisable [name]
CMD_AccountRetryOnServerCertDisable_[name] Specify the name of the VPN Connection Setting whose setting you want to change.
# AccountDefaultCAEnable 命令
CMD_AccountDefaultCAEnable 啟用信任系統憑證存放區選項
CMD_AccountDefaultCAEnable_Help 當啟用服務器憑證驗證時,使用此選項來啟用信任系統憑證存放區的證書。\n如果禁用服務器憑證驗證則此選項不執行任何操作。
CMD_AccountDefaultCAEnable_Args AccountDefaultCAEnable [name]
CMD_AccountDefaultCAEnable_[name] 指定要更改設置的連接設置名。
# AccountDefaultCADisable 命令
CMD_AccountDefaultCADisable 禁用信任系統憑證存放區選項
CMD_AccountDefaultCADisable_Help 當啟用服務器憑證驗證時,使用此選項來禁用信任系統憑證存放區的證書。\n如果禁用服務器憑證驗證則此選項不執行任何操作。
CMD_AccountDefaultCADisable_Args AccountDefaultCADisable [name]
CMD_AccountDefaultCADisable_[name] 指定要更改設置的連接設置名。
# AccountServerCertSet 命令
CMD_AccountServerCertSet 設置連接設置的伺服器固有證明書
CMD_AccountServerCertSet_Help 指定註冊到 VPN Client 的連接設置,其連接設置連接到 VPN Server 時,預先註冊與連接目標的 VPN Server 提交的 SSL 證書相同的證書。\n如果啟動了連接設置的伺服器憑證驗證選項可以預先將連接目標伺服器的 SSL 證書以此指令保存在連接設置的設置內,或需要將伺服器的 SSL 證書簽名了的根證書,以 CAAdd 指令註冊到虛擬 HUB 信任的證明機構的證書列表中。\n驗證連接設置的伺服器憑證的選項處於啟動狀態連接了的 VPN Server 的證書不可信時,立即解除連接,反復重試。