- Support legacy algorithms while decrypting keys by loading
legacy provider unless default props has fips enabled.
- Use the recommended PKCS8 format and AES-256-CBC cipher when
encrypting PEM keys.
For PKCS12, OpenSSL's default is used which is PBKDF2 with
AES-256-CBC in OpenSSL 3.0
Signed-off-by: Selva Nair <selva.nair@gmail.com>

When we link with natively-built OpenSSL .DLLs
(not cross compiled with MinGW), we are expected to include
applink.c, which provides glue between OpenSSL BIO layer
and compiler run-time. This doesn't apply to ARM64.
Failure to do that results in "no OPENSSL_Applink" fatal error
during password change.
See the corresponding fix in openvpn2:
https://sourceforge.net/p/openvpn/mailman/message/37361982/
Signed-off-by: Lev Stipakov <lev@openvpn.net>

Use an empty password to clear any existing password in the
private key file. If not empty, the requirement of minimum 8
characters is retained.
For PEM key file, an empty password will clear encryption on
the key. For pkcs12 files it will set an empty password.
As use of an empty password is the default first try in
OpenVPN.exe when reading pkcs12 file, this effectively leads
to the user not prompted for a private key password during
connection setup.
Signed-off-by: Selva Nair <selva.nair@gmail.com>

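Added example, not part of the commits above or of the project's code: a stdlib-only Python check that reports how a PEM private key file is protected. It confirms on disk the effect of the first and third changes: PKCS8 with AES-256-CBC after encryption, and no encryption after an empty password. The function names and the zero-filled sample key are constructed for illustration.

```python
import base64, re

# PKCS#5 v2 and NIST AES object identifiers named in the commit text
OID_NAMES = {"1.2.840.113549.1.5.13": "PBES2", "1.2.840.113549.1.5.12": "PBKDF2",
             "1.2.840.113549.2.9": "hmacWithSHA256", "2.16.840.1.101.3.4.1.42": "aes-256-cbc"}

def decode_oid(body):
    """Decode DER OID content bytes into dotted notation."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs, val = arcs + [val], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def walk_oids(der):
    """Yield every OID in a DER blob, descending into SEQUENCEs."""
    i = 0
    while i < len(der):
        tag, length, i = der[i], der[i + 1], i + 2
        if length & 0x80:  # long-form length: low 7 bits give the byte count
            n = length & 0x7F
            length, i = int.from_bytes(der[i:i + n], "big"), i + n
        body, i = der[i:i + length], i + length
        if tag == 0x06:
            yield decode_oid(body)
        elif tag == 0x30:
            yield from walk_oids(body)

def classify_pem(text):
    """Return (container format, encryption) for one PEM private key."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.groups()
    dek = re.search(r"^DEK-Info: ([^,\s]+)", body, re.M)
    if dek:  # traditional PEM encryption, cipher named in the header
        return "traditional", dek.group(1)
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 EncryptedPrivateKeyInfo
        return "PKCS8", "/".join(OID_NAMES.get(o, o) for o in walk_oids(base64.b64decode(body)))
    return ("PKCS8" if label == "PRIVATE KEY" else "traditional"), "none"

# Constructed sample: PBES2 parameters with zeroed salt, IV and ciphertext.
SAMPLE_DER = bytes.fromhex(
    "306b305706092a864886f70d01050d304a302906092a864886f70d01050c301c0408"
    + "00" * 8 + "02020800300c06082a864886f70d02090500301d060960864801650304012a"
    + "0410" + "00" * 16 + "0410" + "00" * 16)
SAMPLE_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END ENCRYPTED PRIVATE KEY-----\n")
```

A result of `("traditional", <cipher>)` means the file still uses the older header-based PEM encryption; `("PKCS8", "none")` or `("traditional", "none")` means the key is stored unencrypted.
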
- Replace allow_password by a runtime check that enables password
change menu only when the user has write-access to the key file.
- Read exe_path and priority from HKLM and do not duplicate in HKCU.
- Always allow the user to view the config: edit will succeed if user
has write access.
- Always include the proxy settings tab which is the default.
- Remove the unused power event handling and disconnect_on_suspend key.
- Remove password_attempts -- user can stop the password dialog
by clicking cancel.
- Remove allow_service: implicitly enabled if service_only is used.
- Deprecate removed options in cmd-line parser
- Update README.rst
- Close config file before exit in GetKeyFileName
- Close thread and dialog handles in passphrase.c
Signed-off-by: Selva Nair <selva.nair@gmail.com>