On Wed, May 16, 2012 at 1:27 PM, David Sommerseth
<openvpn.l...@topphemmelig.net> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 16/05/12 09:17, Alon Bar-Lev wrote:
> > Hello David,
> >
> > I guess this is yours:
> > ---
> >  *  Additions for eurephia plugin done by:
> >  *         David Sommerseth <d...@users.sourceforge.net> Copyright (C) 2009
> > ---
> >
> > Looking at the code, the eurephia plugin only does the following:
> > ---
> > #ifdef ENABLE_PLUGIN_EUREPHIA
> >   /* export X509 cert SHA1 fingerprint */
> >   {
> >     unsigned char *sha1_hash = x509_get_sha1_hash(peer_cert, &gc);
> >
> >     openvpn_snprintf (envname, sizeof(envname), "tls_digest_%d", cert_depth);
> >     setenv_str (es, envname, format_hex_ex(sha1_hash, SHA_DIGEST_LENGTH, 0, 1, ":", &gc));
> >   }
> > #endif
> > ---
> >
> > Can you please explain what this plugin is and why just remove the
> > conditional?
>
> You can find more info about the plug-in here:  http://www.eurephia.net/
>
> Basically, it's a username/password authentication plug-in which also
> matches a user account up against a certificate (plus some extra
> features as well).  The 'tls_digest_%d' environment variable is
> used to get better data when matching certificate information against
> the database.
>
> I've been thinking that this whole #ifdef could go away in v2.4.  It
> was a requirement from James to make this optional which is the reason
> it is how it is.  He wanted to be sure it can be disabled if there
> were stability concerns.  As this has been enabled by default in 2.2
> and will be in 2.3, I thought 2.4 would be a reasonable time to
> confirm the stability.
>
> The [eurephia] string can then also be removed from options.c; and
> I'll make sure the eurephia docs state that v2.4 contains the support
> even though not explicitly announced.

Thanks.
I don't see any reason not to remove the #ifdef for 2.3... it is
enabled by default anyway, so it is not like people have to explicitly
enable this and get lower stability.
Anyway, if the need for the digest is valid then it is not specific to
this plugin.

Alon.
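The quoted block exports one `tls_digest_<depth>` variable per certificate in the verified chain (depth 0 being the peer certificate), holding the SHA1 of the DER certificate as colon-separated hex. The following is an added example, not code from OpenVPN or from the eurephia plug-in, showing both halves of that contract in Python: the exporting side as the C snippet does it, and a consuming side in the style of a `--tls-verify`/`--auth-user-pass-verify` script that binds a user account to a certificate fingerprint, as David describes eurephia doing. Assumptions, labelled in the code as well: the hex case produced by `format_hex_ex` is not something the thread states, so the consumer normalises case before comparing; the `username` variable is assumed to be present in the same environment as `tls_digest_0`; the account table, the helper names and the DER stand-in bytes are constructed for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Mapping, Optional, Sequence

SHA_DIGEST_LENGTH = 20  # bytes; same constant the quoted C code passes to format_hex_ex

# Exactly 20 two-digit hex bytes separated by ':'; case is accepted either way
# because the thread does not say which case format_hex_ex emits (assumption).
_DIGEST_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){19}$", re.IGNORECASE)


def tls_digest(cert_der: bytes) -> str:
    """Fingerprint in the shape of tls_digest_%d: SHA1 over the DER certificate,
    two hex digits per byte, bytes joined by ':' (format_hex_ex(..., 0, 1, ":")).
    Lower-case hex is an assumption of this example."""
    return ":".join(f"{b:02x}" for b in hashlib.sha1(cert_der).digest())


def export_chain_digests(chain_der: Sequence[bytes]) -> Dict[str, str]:
    """Exporting side: one tls_digest_<depth> per certificate, depth 0 = peer cert,
    mirroring the per-depth setenv_str call in the quoted block."""
    return {f"tls_digest_{depth}": tls_digest(der) for depth, der in enumerate(chain_der)}


def parse_tls_digest(value: str) -> Optional[bytes]:
    """Turn 'aa:bb:...' back into 20 raw bytes; None for anything malformed,
    so a truncated or garbage variable can never match by accident."""
    value = value.strip()
    if not _DIGEST_RE.match(value):
        return None
    return bytes.fromhex(value.replace(":", ""))


def account_matches_cert(env: Mapping[str, str],
                         accounts: Mapping[str, Sequence[str]]) -> bool:
    """Consuming side, failing closed: the username must be known, tls_digest_0
    must be present and well formed, and it must equal one of the fingerprints
    bound to that account. hmac.compare_digest keeps the byte comparison
    constant-time. 'accounts' is a constructed stand-in for eurephia's database."""
    username = env.get("username")
    presented = parse_tls_digest(env.get("tls_digest_0", ""))
    if username is None or presented is None:
        return False
    for allowed in accounts.get(username, ()):
        expected = parse_tls_digest(allowed)
        if expected is not None and hmac.compare_digest(presented, expected):
            return True
    return False


def verify_from_environ(accounts: Mapping[str, Sequence[str]]) -> int:
    """Script entry point: OpenVPN treats exit status 0 as success, non-zero as
    rejection. Reads the real process environment (assumed to carry both
    'username' and 'tls_digest_0' when the hook runs)."""
    return 0 if account_matches_cert(os.environ, accounts) else 1


if __name__ == "__main__":
    # Constructed stand-in bytes; a real chain would be DER-encoded X.509 certificates.
    leaf, issuer = b"constructed-leaf-cert-der", b"constructed-ca-cert-der"
    env = export_chain_digests([leaf, issuer])
    env["username"] = "alice"
    # Stored in upper case on purpose to show the case-insensitive match.
    accounts = {"alice": [tls_digest(leaf).upper()]}
    print(env["tls_digest_0"])
    print("match" if account_matches_cert(env, accounts) else "reject")
```

Because the digest is matched per account rather than merely checked for presence, a valid client certificate issued by the same CA but belonging to another user does not authenticate that user's password; that is the "better data" the `tls_digest_%d` variable gives a matching plug-in over the certificate subject alone.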
