shill: openvpn: Use default CAs certs through --ca rather than --capath.
BUG=chromium-os:35076
TEST=Unit tests. Tested on device by observing the right option is
passed to openvpn and it connects to the server.
Change-Id: I4d0d490211c19b32cf36e3b2f89594919e57f043
Reviewed-on: https://gerrit.chromium.org/gerrit/34742
Tested-by: Darin Petkov <petkov@chromium.org>
Reviewed-by: Paul Stewart <pstew@chromium.org>
Commit-Ready: Brian Harring <ferringb@chromium.org>
diff --git a/openvpn_driver.cc b/openvpn_driver.cc
index 2e228ae..a0f18c7 100644
--- a/openvpn_driver.cc
+++ b/openvpn_driver.cc
@@ -64,7 +64,8 @@
const char OpenVPNDriver::kOpenVPNCertProperty[] = "OpenVPN.Cert";
const char OpenVPNDriver::kOpenVPNKeyProperty[] = "OpenVPN.Key";
// static
-const char OpenVPNDriver::kDefaultCACertificatesPath[] = "/etc/ssl/certs";
+const char OpenVPNDriver::kDefaultCACertificates[] =
+ "/etc/ssl/certs/ca-certificates.crt";
// static
const char OpenVPNDriver::kOpenVPNPath[] = "/usr/sbin/openvpn";
// static
@@ -619,14 +620,14 @@
}
bool OpenVPNDriver::InitCAOptions(vector<string> *options, Error *error) {
+ options->push_back("--ca");
string ca_cert =
args()->LookupString(flimflam::kOpenVPNCaCertProperty, "");
string ca_cert_nss =
args()->LookupString(flimflam::kOpenVPNCaCertNSSProperty, "");
if (ca_cert.empty() && ca_cert_nss.empty()) {
// Use default CAs if no CA certificate is provided.
- options->push_back("--capath");
- options->push_back(kDefaultCACertificatesPath);
+ options->push_back(kDefaultCACertificates);
return true;
}
if (!ca_cert.empty() && !ca_cert_nss.empty()) {
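Review bot: Pushing `--ca` unconditionally at the top of InitCAOptions means the both-set error path (the `Can't specify both CACert and CACertNSS` branch in the next hunk, where the old `--ca` push was removed) now returns false with a bare `--ca` left in `*options`; before this change the flag was only added after that check passed. Whether a caller reuses `options` after a false return is not visible here, but a flag with no argument is the kind of thing openvpn would reject or, worse, consume the next token as its value, so it is safer not to leave it behind. One way that keeps the new behaviour is to push `"--ca"` only where a value follows it: in the default branch `options->push_back("--ca"); options->push_back(kDefaultCACertificates);` and restore the `options->push_back("--ca");` line after the mutual-exclusion check. InitCAOptions continues past the end of this hunk.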
@@ -635,7 +636,6 @@
"Can't specify both CACert and CACertNSS.");
return false;
}
- options->push_back("--ca");
if (!ca_cert_nss.empty()) {
DCHECK(ca_cert.empty());
const string &vpnhost = args()->GetString(flimflam::kProviderHostProperty);
diff --git a/openvpn_driver.h b/openvpn_driver.h
index b074a11..ac97459 100644
--- a/openvpn_driver.h
+++ b/openvpn_driver.h
@@ -113,7 +113,7 @@
static const char kOpenVPNCertProperty[];
static const char kOpenVPNKeyProperty[];
- static const char kDefaultCACertificatesPath[];
+ static const char kDefaultCACertificates[];
static const char kOpenVPNPath[];
static const char kOpenVPNScript[];
diff --git a/openvpn_driver_unittest.cc b/openvpn_driver_unittest.cc
index e1a0050..e64f7c3 100644
--- a/openvpn_driver_unittest.cc
+++ b/openvpn_driver_unittest.cc
@@ -496,7 +496,7 @@
file_util::ReadFileToString(driver_->tls_auth_file_, &contents));
EXPECT_EQ(kTLSAuthContents, contents);
ExpectInFlags(options, "--pkcs11-id", kID);
- ExpectInFlags(options, "--capath", OpenVPNDriver::kDefaultCACertificatesPath);
+ ExpectInFlags(options, "--ca", OpenVPNDriver::kDefaultCACertificates);
ExpectInFlags(options, "--syslog");
ExpectInFlags(options, "--auth-user-pass");
}
@@ -532,7 +532,7 @@
vector<string> options;
EXPECT_TRUE(driver_->InitCAOptions(&options, &error));
EXPECT_TRUE(error.IsSuccess());
- ExpectInFlags(options, "--capath", OpenVPNDriver::kDefaultCACertificatesPath);
+ ExpectInFlags(options, "--ca", OpenVPNDriver::kDefaultCACertificates);
options.clear();
SetArg(flimflam::kOpenVPNCaCertProperty, kCaCert);
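Review bot: The updated expectations only cover the success paths, so nothing here would catch the error branch of InitCAOptions (both CACert and CACertNSS set) leaving a lone `--ca` in options after returning false. If that case is exercised elsewhere in this file, it should assert on the contents of `options` as well, e.g. `EXPECT_FALSE(driver_->InitCAOptions(&options, &error)); EXPECT_TRUE(options.empty());`; if it is not, adding such a case would pin down the error-path contract this commit changes. The enclosing test body continues past the end of this hunk.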