Hi Jeremian,
I would appreciate it if you can see this[0] whislist bug, and tell me
your opinion.
Bug description: afserver can authorise/deny clients based on whether
the client provided a valid SSL certificate or not,
[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440985
The attached patch was sent to me for that specifically. If you want to
add this patch in a new relese please let me know so that I can
re-package it.
Saludos.
nueces...
--
Juan A. Diaz
diff -ru --exclude='*.in' --exclude='config*' apf-0.8.2/doc/afclient.1 patched/apf-0.8.2/doc/afclient.1
--- apf-0.8.2/doc/afclient.1 2006-09-13 06:37:54.000000000 -0400
+++ patched/apf-0.8.2/doc/afclient.1 2007-09-21 10:34:06.000000000 -0400
@@ -72,6 +72,9 @@
.B -k, --keyfile FILE
the name of the file with RSA key (default: client.rsa)
+.B -c, --cerfile
+ the name of the file with certificate (default: no certificate used)
+
.B -f, --cfgfile FILE
the name of the file with the configuration for the
.I afclient
@@ -334,7 +337,7 @@
.SH CONTRIBUTIONS
-Alex Dyatlov <alex [at] gray-world.net>, Simon <scastro [at] entreelibre.com>, Ilia Perevezentsev <iliaper [at] mail.ru> and Marco Solari <marco.solari [at] koinesistemi.it>
+Alex Dyatlov <alex [at] gray-world.net>, Simon <scastro [at] entreelibre.com>, Ilia Perevezentsev <iliaper [at] mail.ru>, Marco Solari <marco.solari [at] koinesistemi.it>, and Joshua Judson Rosen <rozzin [at] geekspace.com>
.SH LICENSE
diff -ru --exclude='*.in' --exclude='config*' apf-0.8.2/doc/afserver.1 patched/apf-0.8.2/doc/afserver.1
--- apf-0.8.2/doc/afserver.1 2006-09-13 06:37:54.000000000 -0400
+++ patched/apf-0.8.2/doc/afserver.1 2007-09-21 10:34:23.000000000 -0400
@@ -51,7 +51,13 @@
.I Configuration
.B -c, --cerfile FILE
- the name of the file with certificate (default: cacert.pem)
+ the name of the file with certificate (default: server-cert.pem)
+
+.B -A, --cacerfile FILE
+ the name of the file with CA certificates (if used, require clients to have valid certificates)
+
+.B -d, --cerdepth
+ the maximum depth of valid certificate-chains
.B -k, --keyfile FILE
the name of the file with RSA key (default: server.rsa)
@@ -236,7 +242,7 @@
.SH CONTRIBUTIONS
-Alex Dyatlov <alex [at] gray-world.net>, Simon <scastro [at] entreelibre.com>, Ilia Perevezentsev <iliaper [at] mail.ru> and Marco Solari <marco.solari [at] koinesistemi.it>
+Alex Dyatlov <alex [at] gray-world.net>, Simon <scastro [at] entreelibre.com>, Ilia Perevezentsev <iliaper [at] mail.ru> Marco Solari <marco.solari [at] koinesistemi.it>, and Joshua Judson Rosen <rozzin [at] geekspace.com>
.SH LICENSE
Only in patched/apf-0.8.2/modules: .deps
Only in patched/apf-0.8.2/modules: Makefile
diff -ru --exclude='*.in' --exclude='config*' apf-0.8.2/src/afclient.c patched/apf-0.8.2/src/afclient.c
--- apf-0.8.2/src/afclient.c 2006-04-06 17:34:51.000000000 -0400
+++ patched/apf-0.8.2/src/afclient.c 2007-09-07 18:26:06.000000000 -0400
@@ -32,6 +32,7 @@
{"portnum", 1, 0, 'p'},
{"verbose", 0, 0, 'v'},
{"keyfile", 1, 0, 'k'},
+ {"cerfile", 1, 0, 'c'},
{"storefile", 1, 0, 's'},
{"cfgfile", 1, 0, 'f'},
{"log", 1, 0, 'o'},
@@ -107,6 +108,7 @@
char* localPort = NULL;
char* localDestinationName = NULL;
char* keys = NULL;
+ char* certif = NULL;
char* store = NULL;
char* dateformat = NULL;
char* kaTimeout = NULL;
@@ -180,7 +182,7 @@
while ((n = getopt_long(argc, argv,
GETOPT_LONG_LIBDL(GETOPT_LONG_LIBPTHREAD(
- GETOPT_LONG_AF_INET6("huUn:m:d:p:vk:s:o:i:D:rP:X:VK:A:T:f:")))
+ GETOPT_LONG_AF_INET6("huUn:m:d:p:vk:c:s:o:i:D:rP:X:VK:A:T:f:")))
, long_options, 0)) != -1) {
switch (n) {
case 'h': {
@@ -250,6 +252,10 @@
keys = optarg;
break;
}
+ case 'c': {
+ certif = optarg;
+ break;
+ }
case 's': {
store = optarg;
break;
@@ -385,6 +391,9 @@
else {
ClientConfiguration_set_keysFile(cconfig, keys);
}
+ if (certif != NULL) {
+ ClientConfiguration_set_certificateFile(cconfig, certif);
+ }
if (store == NULL) {
if (ClientConfiguration_get_storeFile(cconfig) == NULL) {
ClientConfiguration_set_storeFile(cconfig, "known_hosts");
@@ -486,6 +495,7 @@
exit(1);
}
ClientConfiguration_set_keysFile(cconfig, keys);
+ ClientConfiguration_set_certificateFile(cconfig, certif);
ClientConfiguration_set_storeFile(cconfig, store);
ClientConfiguration_set_dateFormat(cconfig, dateformat);
ClientConfiguration_set_realmsNumber(cconfig, 1);
@@ -695,7 +705,16 @@
"Setting rsa key failed (%s)... exiting", keys);
exit(1);
}
-
+
+ certif = ClientConfiguration_get_certificateFile(cconfig);
+ if (certif) {
+ if (SSL_CTX_use_certificate_file(ctx, certif, SSL_FILETYPE_PEM) != 1) {
+ aflog(LOG_T_INIT, LOG_I_CRIT,
+ "Setting certificate failed (%s)... exiting", certif);
+ exit(1);
+ }
+ }
+
if ((ClientRealm_get_clientMode(pointer) != CLIENTREALM_MODE_REMOTE) &&
(!verbose))
daemon(0, 0);
diff -ru --exclude='*.in' --exclude='config*' apf-0.8.2/src/afserver.c patched/apf-0.8.2/src/afserver.c
--- apf-0.8.2/src/afserver.c 2006-03-18 17:03:07.000000000 -0500
+++ patched/apf-0.8.2/src/afserver.c 2007-09-21 10:44:57.000000000 -0400
@@ -37,6 +37,8 @@
{"usrpcli", 1, 0, 'U'},
{"climode", 1, 0, 'M'},
{"cerfile", 1, 0, 'c'},
+ {"cacerfile", 1, 0, 'A'},
+ {"cerdepth", 1, 0, 'd'},
{"keyfile", 1, 0, 'k'},
{"cfgfile", 1, 0, 'f'},
{"proto", 1, 0, 'p'},
@@ -110,6 +112,8 @@
ConnectClient** srRaClientsTable;
char* certif = NULL;
+ char* cacertif = NULL;
+ char* cerdepth = NULL;
char* keys = NULL;
char* dateformat = NULL;
static char* stemp = NULL;
@@ -150,7 +154,7 @@
#endif
while ((n = getopt_long(argc, argv,
- GETOPT_LONG_LIBPTHREAD(GETOPT_LONG_AF_INET6("hn:l:m:vu:c:k:f:p:o:t:C:U:M:abD:R:r:V"))
+ GETOPT_LONG_LIBPTHREAD(GETOPT_LONG_AF_INET6("hn:l:m:vu:c:A:d:k:f:p:o:t:C:U:M:abD:R:r:V"))
, long_options, 0)) != -1) {
switch (n) {
case 'h': {
@@ -213,6 +217,14 @@
certif = optarg;
break;
}
+ case 'A': {
+ cacertif = optarg;
+ break;
+ }
+ case 'd': {
+ cerdepth = optarg;
+ break;
+ }
case 'k': {
keys = optarg;
break;
@@ -331,12 +343,18 @@
else {
if (certif == NULL) {
if (ServerConfiguration_get_certificateFile(config) == NULL) {
- ServerConfiguration_set_certificateFile(config, "cacert.pem");
+ ServerConfiguration_set_certificateFile(config, "server-cert.pem");
}
}
else {
ServerConfiguration_set_certificateFile(config, certif);
}
+ if (cacertif != NULL) {
+ ServerConfiguration_set_cacertificateFile(config, cacertif);
+ }
+ if (cerdepth != NULL) {
+ ServerConfiguration_set_sCertificateDepth(config, cerdepth);
+ }
if (keys == NULL) {
if (ServerConfiguration_get_keysFile(config) == NULL) {
ServerConfiguration_set_keysFile(config, "server.rsa");
@@ -377,6 +395,8 @@
exit(1);
}
ServerConfiguration_set_certificateFile(config, certif);
+ ServerConfiguration_set_cacertificateFile(config, cacertif);
+ ServerConfiguration_set_sCertificateDepth(config, cerdepth);
ServerConfiguration_set_keysFile(config, keys);
ServerConfiguration_set_dateFormat(config, dateformat);
@@ -398,7 +418,7 @@
exit(1);
}
if (ServerConfiguration_get_certificateFile(config) == NULL) {
- ServerConfiguration_set_certificateFile(config, "cacert.pem");
+ ServerConfiguration_set_certificateFile(config, "server-cert.pem");
}
if (ServerConfiguration_get_keysFile(config) == NULL) {
ServerConfiguration_set_keysFile(config, "server.rsa");
@@ -533,6 +553,26 @@
"Setting certificate failed (%s)... exiting", ServerConfiguration_get_certificateFile(config));
exit(1);
}
+
+ cacertif = ServerConfiguration_get_cacertificateFile(config);
+ if (cacertif) {
+ if (SSL_CTX_load_verify_locations(ctx,
+ cacertif,
+ NULL)
+ != 1)
+ {
+ aflog(LOG_T_INIT, LOG_I_CRIT,
+ "Setting CA certificate failed (%s)... exiting", cacertif);
+ exit(1);
+ }
+
+ SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+ NULL);
+
+ cerdepth = ServerConfiguration_get_sCertificateDepth (config);
+ SSL_CTX_set_verify_depth(ctx, check_value_liberal (cerdepth, "Invalid max certificate-depth"));
+ }
+
if (ServerConfiguration_get_realmsNumber(config) == 0) {
aflog(LOG_T_INIT, LOG_I_CRIT,
"Working without sense is really without sense...");
@@ -1393,7 +1433,14 @@
case 2: {
close(SslFd_get_fd(ConnectClient_get_sslFd(srClientsTable[k])));
FD_CLR(SslFd_get_fd(ConnectClient_get_sslFd(srClientsTable[k])), &allset);
- SSL_clear(SslFd_get_ssl(ConnectClient_get_sslFd(srClientsTable[k])));
+
+ /* This SSL-object is busted; don't reuse it
+ (SSL_clear isn't sufficient because ssl->new_session is set): */
+ SslFd_set_ssl(ConnectClient_get_sslFd(srClientsTable[k]),
+ SSL_new (ctx));
+ SSL_set_fd(SslFd_get_ssl(ConnectClient_get_sslFd(srClientsTable[k])),
+ SslFd_get_fd(ConnectClient_get_sslFd(srClientsTable[k])));
+
ConnectClient_set_state(srClientsTable[k], CONNECTCLIENT_STATE_FREE);
if ((task = ConnectClient_get_task(srClientsTable[k]))) {
TaskScheduler_removeTask(scheduler, task);
diff -ru --exclude='*.in' --exclude='config*' apf-0.8.2/src/client_configuration_struct.c patched/apf-0.8.2/src/client_configuration_struct.c
--- apf-0.8.2/src/client_configuration_struct.c 2006-01-24 15:55:30.000000000 -0500
+++ patched/apf-0.8.2/src/client_configuration_struct.c 2007-09-07 14:34:04.000000000 -0400
@@ -66,6 +66,10 @@
free((*cc)->keysFile);
(*cc)->keysFile = NULL;
}
+ if ((*cc)->certificateFile) {
+ free((*cc)->certificateFile);
+ (*cc)->certificateFile = NULL;
+ }
if ((*cc)->storeFile) {
free((*cc)->storeFile);
(*cc)->storeFile = NULL;
@@ -101,6 +105,23 @@
}
/*
+ * Function name: ClientConfiguration_set_certificateFile
+ * Description: Set certs filename.
+ * Arguments: cc - pointer to ClientConfiguration structure
+ * certificateFile - certs filename
+ */
+
+void
+ClientConfiguration_set_certificateFile(ClientConfiguration* cc, char* certificateFile)
+{
+ assert(cc != NULL);
+ if (cc == NULL) {
+ return;
+ }
+ string_cp(&(cc->certificateFile), certificateFile);
+}
+
+/*
* Function name: ClientConfiguration_set_storeFile
* Description: Set store filename.
* Arguments: cc - pointer to ClientConfiguration structure
@@ -213,6 +234,23 @@
}
/*
+ * Function name: ClientConfiguration_get_certificateFile
+ * Description: Get certs filename.
+ * Arguments: cc - pointer to ClientConfiguration structure
+ * Returns: Certs filename.
+ */
+
+char*
+ClientConfiguration_get_certificateFile(ClientConfiguration* cc)
+{
+ assert(cc != NULL);
+ if (cc == NULL) {
+ return NULL;
+ }
+ return cc->certificateFile;
+}
+
+/*
* Function name: ClientConfiguration_get_storeFile
* Description: Get store filename.
* Arguments: cc - pointer to ClientConfiguration structure
diff -ru --exclude='*.in' --exclude='config*' apf-0.8.2/src/client_configuration_struct.h patched/apf-0.8.2/src/client_configuration_struct.h
--- apf-0.8.2/src/client_configuration_struct.h 2006-01-24 15:55:30.000000000 -0500
+++ patched/apf-0.8.2/src/client_configuration_struct.h 2007-09-07 14:32:57.000000000 -0400
@@ -26,6 +26,7 @@
typedef struct {
char* keysFile;
+ char* certificateFile;
char* storeFile;
char* dateFormat;
int realmsNumber;
@@ -39,6 +40,7 @@
void ClientConfiguration_free(ClientConfiguration** cc);
/* setters */
void ClientConfiguration_set_keysFile(ClientConfiguration* cc, char* keysFile);
+void ClientConfiguration_set_certificateFile(ClientConfiguration* cc, char* certificateFile);
void ClientConfiguration_set_storeFile(ClientConfiguration* cc, char* storeFile);
void ClientConfiguration_set_dateFormat(ClientConfiguration* cc, char* dateFormat);
void ClientConfiguration_set_realmsNumber(ClientConfiguration* cc, int realmsNumber);
@@ -46,6 +48,7 @@
void ClientConfiguration_set_ignorePublicKeys(ClientConfiguration* cc, char ignorePublicKeys);
/* getters */
char* ClientConfiguration_get_keysFile(ClientConfiguration* cc);
+char* ClientConfiguration_get_certificateFile(ClientConfiguration* cc);
char* ClientConfiguration_get_storeFile(ClientConfiguration* cc);
char* ClientConfiguration_get_dateFormat(ClientConfiguration* cc);
int ClientConfiguration_get_realmsNumber(ClientConfiguration* cc);
diff -ru --exclude='*.in' --exclude='config*' apf-0.8.2/src/file_client.c patched/apf-0.8.2/src/file_client.c
--- apf-0.8.2/src/file_client.c 2006-01-29 20:04:04.000000000 -0500
+++ patched/apf-0.8.2/src/file_client.c 2007-09-21 10:23:19.000000000 -0400
@@ -197,6 +197,9 @@
if ((strcmp(helpbuf1, "k") == 0) || (strcmp(helpbuf1, "keyfile") == 0)) {
ClientConfiguration_set_keysFile(cfg, helpbuf2);
}
+ else if ((strcmp(helpbuf1, "c") == 0) || (strcmp(helpbuf1, "certificate") == 0) || (strcmp(helpbuf1, "cerfile") == 0)) {
+ ClientConfiguration_set_certificateFile(cfg, helpbuf2);
+ }
else if ((strcmp(helpbuf1, "s") == 0) || (strcmp(helpbuf1, "storefile") == 0)) {
ClientConfiguration_set_storeFile(cfg, helpbuf2);
}
diff -ru --exclude='*.in' --exclude='config*' apf-0.8.2/src/file_server.c patched/apf-0.8.2/src/file_server.c
--- apf-0.8.2/src/file_server.c 2006-03-21 10:24:21.000000000 -0500
+++ patched/apf-0.8.2/src/file_server.c 2007-09-21 10:25:59.000000000 -0400
@@ -269,6 +269,12 @@
else if ((strcmp(helpbuf1, "certificate") == 0) || (strcmp(helpbuf1, "cerfile") == 0)) {
ServerConfiguration_set_certificateFile(cfg, helpbuf2);
}
+ else if (strcmp(helpbuf1, "cacerfile") == 0) {
+ ServerConfiguration_set_cacertificateFile(cfg, helpbuf2);
+ }
+ else if (strcmp(helpbuf1, "cerdepth") == 0) {
+ ServerConfiguration_set_sCertificateDepth(cfg, helpbuf2);
+ }
else if ((strcmp(helpbuf1, "key") == 0) || (strcmp(helpbuf1, "keyfile") == 0)) {
ServerConfiguration_set_keysFile(cfg, helpbuf2);
}
diff -ru --exclude='*.in' --exclude='config*' apf-0.8.2/src/server_configuration_struct.c patched/apf-0.8.2/src/server_configuration_struct.c
--- apf-0.8.2/src/server_configuration_struct.c 2006-01-25 17:46:48.000000000 -0500
+++ patched/apf-0.8.2/src/server_configuration_struct.c 2007-09-20 15:53:50.000000000 -0400
@@ -66,6 +66,14 @@
free((*sc)->certificateFile);
(*sc)->certificateFile = NULL;
}
+ if ((*sc)->cacertificateFile) {
+ free((*sc)->cacertificateFile);
+ (*sc)->cacertificateFile = NULL;
+ }
+ if ((*sc)->cacertificateFile) {
+ free((*sc)->cacertificatePath);
+ (*sc)->cacertificateFile = NULL;
+ }
if ((*sc)->keysFile) {
free((*sc)->keysFile);
(*sc)->keysFile = NULL;
@@ -105,6 +113,59 @@
}
/*
+ * Function name: ServerConfiguration_set_cacertificateFile
+ * Description: Set CA certificate filename.
+ * Arguments: sc - pointer to ServerConfiguration structure
+ * certificateFile - CA certificate filename
+ */
+
+void
+ServerConfiguration_set_cacertificateFile(ServerConfiguration* sc, char* cacertificateFile)
+{
+ assert(sc != NULL);
+ if (sc == NULL) {
+ return;
+ }
+ string_cp(&(sc->cacertificateFile), cacertificateFile);
+}
+
+/*
+ * Function name: ServerConfiguration_set_cacertificatePath
+ * Description: Set CA certificate filename.
+ * Arguments: sc - pointer to ServerConfiguration structure
+ * cacertificateFile - CA certificate path
+ */
+
+void
+ServerConfiguration_set_cacertificatePath(ServerConfiguration* sc, char* cacertificatePath)
+{
+ assert(sc != NULL);
+ if (sc == NULL) {
+ return;
+ }
+ string_cp(&(sc->cacertificatePath), cacertificatePath);
+}
+
+void
+ServerConfiguration_set_sCertificateDepth(ServerConfiguration* sc, char* sCertificateDepth)
+{
+ assert(sc != NULL);
+ if (sc == NULL) {
+ return;
+ }
+ string_cp(&(sc->sCertificateDepth), sCertificateDepth);
+}
+void
+ServerConfiguration_set_certificateDepth(ServerConfiguration* sc, int certificateDepth)
+{
+ assert(sc != NULL);
+ if (sc == NULL) {
+ return;
+ }
+ sc->certificateDepth = certificateDepth;
+}
+
+/*
* Function name: ServerConfiguration_set_keysFile
* Description: Set keys filename.
* Arguments: sc - pointer to ServerConfiguration structure
@@ -217,6 +278,60 @@
}
/*
+ * Function name: ServerConfiguration_get_cacertificateFile
+ * Description: Get CA certificate filename.
+ * Arguments: sc - pointer to ServerConfiguration structure
+ * Returns: CA Certificate filename.
+ */
+
+char*
+ServerConfiguration_get_cacertificateFile(ServerConfiguration* sc)
+{
+ assert(sc != NULL);
+ if (sc == NULL) {
+ return NULL;
+ }
+ return sc->cacertificateFile;
+}
+
+/*
+ * Function name: ServerConfiguration_get_cacertificatePath
+ * Description: Get CA certificate path
+ * Arguments: sc - pointer to ServerConfiguration structure
+ * Returns: CA Certificate path.
+ */
+
+char*
+ServerConfiguration_get_cacertificatePath(ServerConfiguration* sc)
+{
+ assert(sc != NULL);
+ if (sc == NULL) {
+ return NULL;
+ }
+ return sc->cacertificatePath;
+}
+
+char*
+ServerConfiguration_get_sCertificateDepth(ServerConfiguration* sc)
+{
+ assert(sc != NULL);
+ if (sc == NULL) {
+ return NULL;
+ }
+ return sc->sCertificateDepth;
+}
+
+int
+ServerConfiguration_get_certificateDepth(ServerConfiguration* sc)
+{
+ assert(sc != NULL);
+ if (sc == NULL) {
+ return -1;
+ }
+ return sc->certificateDepth;
+}
+
+/*
* Function name: ServerConfiguration_get_keysFile
* Description: Get keys filename.
* Arguments: sc - pointer to ServerConfiguration structure
diff -ru --exclude='*.in' --exclude='config*' apf-0.8.2/src/server_configuration_struct.h patched/apf-0.8.2/src/server_configuration_struct.h
--- apf-0.8.2/src/server_configuration_struct.h 2006-01-25 17:46:48.000000000 -0500
+++ patched/apf-0.8.2/src/server_configuration_struct.h 2007-09-20 15:48:05.000000000 -0400
@@ -25,6 +25,10 @@
#include "server_realm_struct.h"
typedef struct {
+ char* cacertificateFile;
+ char* cacertificatePath;
+ char* sCertificateDepth;
+ int certificateDepth;
char* certificateFile;
char* keysFile;
char* dateFormat;
@@ -39,6 +43,10 @@
void ServerConfiguration_free(ServerConfiguration** sc);
/* setters */
void ServerConfiguration_set_certificateFile(ServerConfiguration* sc, char* certificateFile);
+void ServerConfiguration_set_cacertificateFile(ServerConfiguration* sc, char* cacertificateFile);
+void ServerConfiguration_set_cacertificatePath(ServerConfiguration* sc, char* cacertificatePath);
+void ServerConfiguration_set_sCertificateDepth(ServerConfiguration* sc, char* sCertificateDepth);
+void ServerConfiguration_set_certificateDepth(ServerConfiguration* sc, int certificateDepth);
void ServerConfiguration_set_keysFile(ServerConfiguration* sc, char* keysFile);
void ServerConfiguration_set_dateFormat(ServerConfiguration* sc, char* dateFormat);
void ServerConfiguration_set_realmsNumber(ServerConfiguration* sc, int realmsNumber);
@@ -46,6 +54,10 @@
void ServerConfiguration_set_realmsTable(ServerConfiguration* sc, ServerRealm** realmsTable);
/* getters */
char* ServerConfiguration_get_certificateFile(ServerConfiguration* sc);
+char* ServerConfiguration_get_cacertificateFile(ServerConfiguration* sc);
+char* ServerConfiguration_get_cacertificatePath(ServerConfiguration* sc);
+char* ServerConfiguration_get_sCertificateDepth(ServerConfiguration* sc);
+int ServerConfiguration_get_certificateDepth(ServerConfiguration* sc);
char* ServerConfiguration_get_keysFile(ServerConfiguration* sc);
char* ServerConfiguration_get_dateFormat(ServerConfiguration* sc);
int ServerConfiguration_get_realmsNumber(ServerConfiguration* sc);
diff -ru --exclude='*.in' --exclude='config*' apf-0.8.2/src/usage.c patched/apf-0.8.2/src/usage.c
--- apf-0.8.2/src/usage.c 2006-03-14 15:26:30.000000000 -0500
+++ patched/apf-0.8.2/src/usage.c 2007-09-20 16:50:42.000000000 -0400
@@ -67,7 +67,10 @@
printf(" (default: no password)\n\n");
printf(" Configuration:\n\n");
printf(" -c, --cerfile - the name of the file with certificate\n");
- printf(" (default: cacert.pem)\n");
+ printf(" (default: server-cert.pem)\n");
+ printf(" -A, --cacerfile - the name of the file with CA certificates\n");
+ printf(" (if used, require clients to have valid certificates)\n");
+ printf(" -d, --cerdepth - the maximum depth of valid certificate-chains\n");
printf(" -k, --keyfile - the name of the file with RSA key (default: server.rsa)\n");
printf(" -f, --cfgfile - the name of the file with the configuration for the\n");
printf(" active forwarder (server)\n");
@@ -170,6 +173,8 @@
printf(" --ignorepkeys - ignore invalid server's public keys\n\n");
printf(" Configuration:\n\n");
printf(" -k, --keyfile - the name of the file with RSA key (default: client.rsa)\n");
+ printf(" -c, --cerfile - the name of the file with certificate\n");
+ printf(" (default: no certificate used)\n");
printf(" -f, --cfgfile - the name of the file with the configuration for the\n");
printf(" active forwarder (client)\n");
printf(" -s, --storefile - the name of the file with stored public keys\n");
