shill: openvpn: Use default CAs certs through --ca rather than --capath.

BUG=chromium-os:35076
TEST=Unit tests. Tested on device by observing the right option is
passed to openvpn and it connects to the server.

Change-Id: I4d0d490211c19b32cf36e3b2f89594919e57f043
Reviewed-on: https://gerrit.chromium.org/gerrit/34742
Tested-by: Darin Petkov <petkov@chromium.org>
Reviewed-by: Paul Stewart <pstew@chromium.org>
Commit-Ready: Brian Harring <ferringb@chromium.org>
diff --git a/openvpn_driver.cc b/openvpn_driver.cc
index 2e228ae..a0f18c7 100644
--- a/openvpn_driver.cc
+++ b/openvpn_driver.cc
@@ -64,7 +64,8 @@
 const char OpenVPNDriver::kOpenVPNCertProperty[] = "OpenVPN.Cert";
 const char OpenVPNDriver::kOpenVPNKeyProperty[] = "OpenVPN.Key";
 // static
-const char OpenVPNDriver::kDefaultCACertificatesPath[] = "/etc/ssl/certs";
+const char OpenVPNDriver::kDefaultCACertificates[] =
+    "/etc/ssl/certs/ca-certificates.crt";
 // static
 const char OpenVPNDriver::kOpenVPNPath[] = "/usr/sbin/openvpn";
 // static
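Review bot: The new `kDefaultCACertificates` definition has no comment saying what kind of path it holds, which matters because `--ca` expects a single PEM bundle file while the old `--capath` took a directory of hashed certificates. I would add above it something like `// PEM bundle of the system root CAs; passed to openvpn --ca when the user supplies no CA.` Using the whole system bundle as the default means any CA in it can vouch for the VPN server. The default path therefore depends on a server-identity check elsewhere in the option list, and whether the driver adds one is not visible in this diff.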
@@ -619,14 +620,14 @@
 }
 
 bool OpenVPNDriver::InitCAOptions(vector<string> *options, Error *error) {
+  options->push_back("--ca");
   string ca_cert =
       args()->LookupString(flimflam::kOpenVPNCaCertProperty, "");
   string ca_cert_nss =
       args()->LookupString(flimflam::kOpenVPNCaCertNSSProperty, "");
   if (ca_cert.empty() && ca_cert_nss.empty()) {
     // Use default CAs if no CA certificate is provided.
-    options->push_back("--capath");
-    options->push_back(kDefaultCACertificatesPath);
+    options->push_back(kDefaultCACertificates);
     return true;
   }
   if (!ca_cert.empty() && !ca_cert_nss.empty()) {
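Review bot: With `options->push_back("--ca");` hoisted to the top of InitCAOptions, the failure return for the case where both CACert and CACertNSS are set (the branch opening on the last line of this hunk) now leaves a bare `--ca` in `*options` with no file argument. Whether callers discard the vector on a false return is not visible here; if one does not, the next option pushed would be read by openvpn as the CA file. Push the flag only once its argument is known: in the default branch use `options->push_back("--ca"); options->push_back(kDefaultCode);` with `kDefaultCACertificates` as the value, and leave the existing push after the mutual-exclusion check for the remaining paths. A unit test asserting `options.empty()` after the failing call would pin this; the function body continues outside the hunk.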
@@ -635,7 +636,6 @@
                           "Can't specify both CACert and CACertNSS.");
     return false;
   }
-  options->push_back("--ca");
   if (!ca_cert_nss.empty()) {
     DCHECK(ca_cert.empty());
     const string &vpnhost = args()->GetString(flimflam::kProviderHostProperty);
diff --git a/openvpn_driver.h b/openvpn_driver.h
index b074a11..ac97459 100644
--- a/openvpn_driver.h
+++ b/openvpn_driver.h
@@ -113,7 +113,7 @@
   static const char kOpenVPNCertProperty[];
   static const char kOpenVPNKeyProperty[];
 
-  static const char kDefaultCACertificatesPath[];
+  static const char kDefaultCACertificates[];
 
   static const char kOpenVPNPath[];
   static const char kOpenVPNScript[];
diff --git a/openvpn_driver_unittest.cc b/openvpn_driver_unittest.cc
index e1a0050..e64f7c3 100644
--- a/openvpn_driver_unittest.cc
+++ b/openvpn_driver_unittest.cc
@@ -496,7 +496,7 @@
       file_util::ReadFileToString(driver_->tls_auth_file_, &contents));
   EXPECT_EQ(kTLSAuthContents, contents);
   ExpectInFlags(options, "--pkcs11-id", kID);
-  ExpectInFlags(options, "--capath", OpenVPNDriver::kDefaultCACertificatesPath);
+  ExpectInFlags(options, "--ca", OpenVPNDriver::kDefaultCACertificates);
   ExpectInFlags(options, "--syslog");
   ExpectInFlags(options, "--auth-user-pass");
 }
@@ -532,7 +532,7 @@
   vector<string> options;
   EXPECT_TRUE(driver_->InitCAOptions(&options, &error));
   EXPECT_TRUE(error.IsSuccess());
-  ExpectInFlags(options, "--capath", OpenVPNDriver::kDefaultCACertificatesPath);
+  ExpectInFlags(options, "--ca", OpenVPNDriver::kDefaultCACertificates);
 
   options.clear();
   SetArg(flimflam::kOpenVPNCaCertProperty, kCaCert);