104
107
"--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
105
108
"--proto p : Use protocol p for communicating with peer.\n"
106
109
" p = udp (default), tcp-server, or tcp-client\n"
110
"--proto-force p : only consider protocol p in list of connection profiles.\n"
107
111
#ifdef USE_PF_INET6
108
112
" p = udp6, tcp6-server, or tcp6-client (ipv6)\n"
132
136
" AGENT user-agent\n"
134
138
#ifdef ENABLE_SOCKS
135
"--socks-proxy s [p]: Connect to remote host through a Socks5 proxy at address\n"
136
" s and port p (default port = 1080).\n"
139
"--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
140
" address s and port p (default port = 1080).\n"
141
" If proxy authentication is required,\n"
142
" up is a file containing username/password on 2 lines, or\n"
143
" 'stdin' to prompt for console.\n"
137
144
"--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
139
146
"--resolv-retry n: If hostname resolve fails for --remote, retry\n"
174
181
" addresses outside of the subnets used by either peer.\n"
175
182
" TAP: configure device to use IP address l as a local\n"
176
183
" endpoint and rn as a subnet mask.\n"
184
"--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
185
" endpoint (as a /64) and r as remote endpoint\n"
177
186
"--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
178
187
" pass --ifconfig parms by environment to scripts.\n"
179
188
"--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
184
193
" netmask default: 255.255.255.255\n"
185
194
" gateway default: taken from --route-gateway or --ifconfig\n"
186
195
" Specify default by leaving blank or setting to \"nil\".\n"
196
"--route-ipv6 network/bits [gateway] [metric] :\n"
197
" Add IPv6 route to routing table after connection\n"
198
" is established. Multiple routes can be specified.\n"
199
" gateway default: taken from --route-ipv6-gateway or --ifconfig\n"
187
200
"--max-routes n : Specify the maximum number of routes that may be defined\n"
188
201
" or pulled from a server.\n"
189
202
"--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
300
313
"--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
301
314
"--writepid file : Write main process ID to file.\n"
302
315
"--nice n : Change process priority (>0 = lower, <0 = higher).\n"
305
"--nice-work n : Change thread priority of work thread. The work\n"
306
" thread is used for background processing such as\n"
307
" RSA key number crunching.\n"
310
316
"--echo [parms ...] : Echo parameters to log output.\n"
311
317
"--verb n : Set output verbosity to n (default=%d):\n"
312
318
" (Level 3 is recommended if you want a good summary\n"
380
386
"Multi-Client Server options (when --mode server is used):\n"
381
387
"--server network netmask : Helper option to easily configure server mode.\n"
388
"--server-ipv6 network/bits : Configure IPv6 server mode.\n"
382
389
"--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
383
390
" easily configure ethernet bridging server mode.\n"
384
391
"--push \"option\" : Push a config file option back to the peer for remote\n"
392
399
"--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
393
400
" data to file, at seconds intervals (default=600).\n"
394
401
" If seconds=0, file will be treated as read-only.\n"
402
"--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
403
" to be dynamically allocated to connecting clients.\n"
395
404
"--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
396
405
" overrides --ifconfig-pool dynamic allocation.\n"
397
406
" Only valid in a client-specific config file.\n"
407
"--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
408
" remote, overrides --ifconfig-ipv6-pool allocation.\n"
409
" Only valid in a client-specific config file.\n"
398
410
"--iroute network [netmask] : Route subnet to client.\n"
411
"--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
399
412
" Sets up internal routes only.\n"
400
413
" Only valid in a client-specific config file.\n"
401
414
"--disable : Client is disabled.\n"
422
435
"--client-disconnect cmd : Run script cmd on client disconnection.\n"
423
436
"--client-config-dir dir : Directory for custom client config files.\n"
424
437
"--ccd-exclusive : Refuse connection unless custom client config is found.\n"
425
"--tmp-dir dir : Temporary directory, used for --client-connect return file.\n"
438
"--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
426
439
"--hash-size r v : Set the size of the real address hash table to r and the\n"
427
440
" virtual address table to v.\n"
428
441
"--bcast-buffers n : Allocate n broadcast buffers.\n"
516
529
"--key file : Local private key in .pem format.\n"
517
530
"--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
518
531
" and optionally the root CA certificate.\n"
532
#ifdef ENABLE_X509ALTUSERNAME
533
"--x509-username-field : Field used in x509 certificat to be username.\n"
520
537
"--cryptoapicert select-string : Load the certificate and private key from the\n"
521
538
" Windows Certificate System Store.\n"
546
563
" tests of certification. cmd should return 0 to allow\n"
547
564
" TLS handshake to proceed, or 1 to fail. (cmd is\n"
548
565
" executed as 'cmd certificate_depth X509_NAME_oneline')\n"
566
"--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
567
" in an openvpn temporary file in [directory]. Peer cert is \n"
568
" stored before tls-verify script execution and deleted after.\n"
549
569
"--tls-remote x509name: Accept connections only from a host with X509 name\n"
550
570
" x509name. The remote host must also pass all other tests\n"
551
571
" of verification.\n"
768
786
o->renegotiate_seconds = 3600;
769
787
o->handshake_window = 60;
770
788
o->transition_window = 3600;
789
#ifdef ENABLE_X509ALTUSERNAME
790
o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;
793
#endif /* USE_CRYPTO */
773
794
#ifdef ENABLE_PKCS11
774
795
o->pkcs11_pin_cache_period = -1;
775
796
#endif /* ENABLE_PKCS11 */
798
/* Set default --tmp-dir */
800
/* On Windows, find temp dir via enviroment variables */
801
o->tmp_dir = win_get_tempdir();
803
/* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
804
o->tmp_dir = getenv("TMPDIR");
896
/* helper: parse a text string containing an IPv6 address + netbits
897
* in "standard format" (2001:dba::/32)
898
* "/nn" is optional, default to /64 if missing
900
* return true if parsing succeeded, modify *network and *netbits
901
* return address part without "/nn" in *printable_ipv6 (if != NULL)
904
get_ipv6_addr( const char * prefix_str, struct in6_addr *network,
905
unsigned int * netbits, char ** printable_ipv6, int msglevel )
910
struct in6_addr t_network;
912
sep = strchr( prefix_str, '/' );
919
bits = strtol( sep+1, &endp, 10 );
920
if ( *endp != '\0' || bits < 0 || bits > 128 )
922
msg (msglevel, "IPv6 prefix '%s': invalid '/bits' spec", prefix_str);
927
/* temporary replace '/' in caller-provided string with '\0', otherwise
928
* inet_pton() will refuse prefix string
929
* (alternative would be to strncpy() the prefix to temporary buffer)
932
if ( sep != NULL ) *sep = '\0';
934
rc = inet_pton( AF_INET6, prefix_str, &t_network );
936
if ( rc == 1 && printable_ipv6 != NULL )
938
*printable_ipv6 = string_alloc( prefix_str, NULL );
941
if ( sep != NULL ) *sep = '/';
945
msg (msglevel, "IPv6 prefix '%s': invalid IPv6 address", prefix_str);
949
if ( netbits != NULL )
953
if ( network != NULL )
955
*network = t_network;
957
return true; /* parsing OK, values set */
960
static bool ipv6_addr_safe_hexplusbits( const char * ipv6_prefix_spec )
962
struct in6_addr t_addr;
965
return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, NULL, M_WARN );
864
969
string_substitute (const char *src, int from, int to, struct gc_arena *gc)
982
1084
msg (D_SHOW_PARMS, " server_network = %s", print_in_addr_t (o->server_network, 0, &gc));
983
1085
msg (D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t (o->server_netmask, 0, &gc));
1086
msg (D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr (o->server_network_ipv6, 0, &gc) );
1087
SHOW_INT (server_netbits_ipv6);
984
1088
msg (D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t (o->server_bridge_ip, 0, &gc));
985
1089
msg (D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t (o->server_bridge_netmask, 0, &gc));
986
1090
msg (D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t (o->server_bridge_pool_start, 0, &gc));
1001
1105
msg (D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t (o->ifconfig_pool_netmask, 0, &gc));
1002
1106
SHOW_STR (ifconfig_pool_persist_filename);
1003
1107
SHOW_INT (ifconfig_pool_persist_refresh_freq);
1108
SHOW_BOOL (ifconfig_ipv6_pool_defined);
1109
msg (D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr (o->ifconfig_ipv6_pool_base, 0, &gc));
1110
SHOW_INT (ifconfig_ipv6_pool_netbits);
1004
1111
SHOW_INT (n_bcast_buf);
1005
1112
SHOW_INT (tcp_queue_limit);
1006
1113
SHOW_INT (real_hash_size);
1014
1121
SHOW_BOOL (push_ifconfig_defined);
1015
1122
msg (D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t (o->push_ifconfig_local, 0, &gc));
1016
1123
msg (D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t (o->push_ifconfig_remote_netmask, 0, &gc));
1124
SHOW_BOOL (push_ifconfig_ipv6_defined);
1125
msg (D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr (o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits );
1126
msg (D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr (o->push_ifconfig_ipv6_remote, 0, &gc));
1017
1127
SHOW_BOOL (enable_c2c);
1018
1128
SHOW_BOOL (duplicate_cn);
1019
1129
SHOW_INT (cf_max);
1068
1178
o->iroutes = ir;
1182
option_iroute_ipv6 (struct options *o,
1183
const char *prefix_str,
1186
struct iroute_ipv6 *ir;
1188
ALLOC_OBJ_GC (ir, struct iroute_ipv6, &o->gc);
1190
if ( get_ipv6_addr (prefix_str, &ir->network, &ir->netbits, NULL, msglevel ) < 0 )
1192
msg (msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
1197
ir->next = o->iroutes_ipv6;
1198
o->iroutes_ipv6 = ir;
1071
1200
#endif /* P2MP_SERVER */
1072
1201
#endif /* P2MP */
1105
1234
options->routes = new_route_option_list (options->max_routes, &options->gc);
1238
rol6_check_alloc (struct options *options)
1240
if (!options->routes_ipv6)
1241
options->routes_ipv6 = new_route_ipv6_option_list (options->max_routes, &options->gc);
1108
1244
#ifdef ENABLE_DEBUG
1110
1246
show_connection_entry (const struct connection_entry *o)
1195
1331
SHOW_STR (ifconfig_remote_netmask);
1196
1332
SHOW_BOOL (ifconfig_noexec);
1197
1333
SHOW_BOOL (ifconfig_nowarn);
1334
SHOW_STR (ifconfig_ipv6_local);
1335
SHOW_INT (ifconfig_ipv6_netbits);
1336
SHOW_STR (ifconfig_ipv6_remote);
1199
1338
#ifdef HAVE_GETTIMEOFDAY
1200
1339
SHOW_INT (shaper);
1897
2037
if (options->connection_list)
1898
2038
msg (M_USAGE, "<connection> cannot be used with --mode server");
1900
2041
if (options->tun_ipv6)
1901
2042
msg (M_USAGE, "--tun-ipv6 cannot be used with --mode server");
1902
2044
if (options->shaper)
1903
2045
msg (M_USAGE, "--shaper cannot be used with --mode server");
1904
2046
if (options->inetd)
1931
2073
msg (M_USAGE, "--up-delay cannot be used with --mode server");
1932
2074
if (!options->ifconfig_pool_defined && options->ifconfig_pool_persist_filename)
1933
2075
msg (M_USAGE, "--ifconfig-pool-persist must be used with --ifconfig-pool");
2076
if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local )
2077
msg (M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2078
if (options->ifconfig_ipv6_local && !options->tun_ipv6 )
2079
msg (M_INFO, "Warning: --ifconfig-ipv6 without --tun-ipv6 will not do IPv6");
1934
2081
if (options->auth_user_pass_file)
1935
2082
msg (M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
1936
2083
if (options->ccd_exclusive && !options->client_config_dir)
1963
2110
if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename)
1964
2111
msg (M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
2112
if (options->ifconfig_ipv6_pool_defined)
2113
msg (M_USAGE, "--ifconfig-ipv6-pool requires --mode server");
1965
2114
if (options->real_hash_size != defaults.real_hash_size
1966
2115
|| options->virtual_hash_size != defaults.virtual_hash_size)
1967
2116
msg (M_USAGE, "--hash-size requires --mode server");
1971
2120
msg (M_USAGE, "--client-connect requires --mode server");
1972
2121
if (options->client_disconnect_script)
1973
2122
msg (M_USAGE, "--client-disconnect requires --mode server");
1974
if (options->tmp_dir)
1975
msg (M_USAGE, "--tmp-dir requires --mode server");
1976
2123
if (options->client_config_dir || options->ccd_exclusive)
1977
2124
msg (M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");
1978
2125
if (options->enable_c2c)
2125
2272
MUST_BE_UNDEF (pkcs12_file);
2126
2273
MUST_BE_UNDEF (cipher_list);
2127
2274
MUST_BE_UNDEF (tls_verify);
2275
MUST_BE_UNDEF (tls_export_cert);
2128
2276
MUST_BE_UNDEF (tls_remote);
2129
2277
MUST_BE_UNDEF (tls_timeout);
2130
2278
MUST_BE_UNDEF (renegotiate_bytes);
2971
3125
msg (M_INFO|M_NOPREFIX, "%s", title_string);
2972
3126
msg (M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
2973
3127
msg (M_INFO|M_NOPREFIX, "Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>");
3128
#ifndef ENABLE_SMALL
3129
#ifdef CONFIGURE_CALL
3130
msg (M_INFO|M_NOPREFIX, "\n%s\n", CONFIGURE_CALL);
3132
#ifdef CONFIGURE_DEFINES
3133
msg (M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
2974
3136
openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
3986
else if (streq (p[0], "ifconfig-ipv6") && p[1] && p[2] )
3988
unsigned int netbits;
3991
VERIFY_PERMISSION (OPT_P_UP);
3992
if ( get_ipv6_addr( p[1], NULL, &netbits, &ipv6_local, msglevel ) &&
3993
ipv6_addr_safe( p[2] ) )
3995
if ( netbits < 64 || netbits > 124 )
3997
msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
4000
options->ifconfig_ipv6_local = ipv6_local;
4001
options->ifconfig_ipv6_netbits = netbits;
4002
options->ifconfig_ipv6_remote = p[2];
4006
msg (msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
3822
4010
else if (streq (p[0], "ifconfig-noexec"))
3824
4012
VERIFY_PERMISSION (OPT_P_UP);
4276
else if (streq (p[0], "nice-work") && p[1])
4278
VERIFY_PERMISSION (OPT_P_NICE);
4279
options->nice_work = atoi (p[1]);
4281
else if (streq (p[0], "threads") && p[1])
4285
VERIFY_PERMISSION (OPT_P_GENERAL);
4286
n_threads = positive_atoi (p[1]);
4289
msg (msglevel, "--threads parameter must be at least 1");
4292
options->n_threads = n_threads;
4295
4463
else if (streq (p[0], "shaper") && p[1])
4297
4465
#ifdef HAVE_GETTIMEOFDAY
4392
4560
options->ce.proto = proto;
4562
else if (streq (p[0], "proto-force") && p[1])
4565
VERIFY_PERMISSION (OPT_P_GENERAL);
4566
proto_force = ascii2proto (p[1]);
4567
if (proto_force < 0)
4569
msg (msglevel, "Bad --proto-force protocol: '%s'", p[1]);
4572
options->proto_force = proto_force;
4573
options->force_connection_list = true;
4394
4575
#ifdef GENERAL_PROXY_SUPPORT
4395
4576
else if (streq (p[0], "auto-proxy"))
4532
4713
options->ce.socks_proxy_port = 1080;
4534
4715
options->ce.socks_proxy_server = p[1];
4716
options->ce.socks_proxy_authfile = p[3]; /* might be NULL */
4536
4718
else if (streq (p[0], "socks-proxy-retry"))
4626
4808
add_route_to_option_list (options->routes, p[1], p[2], p[3], p[4]);
4810
else if (streq (p[0], "route-ipv6") && p[1])
4812
VERIFY_PERMISSION (OPT_P_ROUTE);
4813
rol6_check_alloc (options);
4816
if (!ipv6_addr_safe_hexplusbits (p[1]))
4818
msg (msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]);
4821
if (p[2] && !ipv6_addr_safe (p[2]))
4823
msg (msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]);
4826
/* p[3] is metric, if present */
4828
add_route_ipv6_to_option_list (options->routes_ipv6, p[1], p[2], p[3]);
4628
4830
else if (streq (p[0], "max-routes") && p[1])
4630
4832
int max_routes;
5041
else if (streq (p[0], "server-ipv6") && p[1] )
5043
const int lev = M_WARN;
5044
struct in6_addr network;
5045
unsigned int netbits = 0;
5047
VERIFY_PERMISSION (OPT_P_GENERAL);
5048
if ( ! get_ipv6_addr (p[1], &network, &netbits, NULL, lev) )
5050
msg (msglevel, "error parsing --server-ipv6 parameter");
5053
if ( netbits != 64 )
5055
msg( msglevel, "--server-ipv6 settings: only /64 supported right now (not /%d)", netbits );
5058
options->server_ipv6_defined = true;
5059
options->server_network_ipv6 = network;
5060
options->server_netbits_ipv6 = netbits;
5062
if (p[2]) /* no "nopool" options or similar for IPv6 */
5064
msg (msglevel, "error parsing --server-ipv6: %s is not a recognized flag", p[3]);
4839
5068
else if (streq (p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4])
4841
5070
const int lev = M_WARN;
4920
5149
VERIFY_PERMISSION (OPT_P_GENERAL);
4921
5150
options->topology = TOP_P2P;
5152
else if (streq (p[0], "ifconfig-ipv6-pool") && p[1] )
5154
const int lev = M_WARN;
5155
struct in6_addr network;
5156
unsigned int netbits = 0;
5158
VERIFY_PERMISSION (OPT_P_GENERAL);
5159
if ( ! get_ipv6_addr (p[1], &network, &netbits, NULL, lev ) )
5161
msg (msglevel, "error parsing --ifconfig-ipv6-pool parameters");
5164
if ( netbits != 64 )
5166
msg( msglevel, "--ifconfig-ipv6-pool settings: only /64 supported right now (not /%d)", netbits );
5170
options->ifconfig_ipv6_pool_defined = true;
5171
options->ifconfig_ipv6_pool_base = network;
5172
options->ifconfig_ipv6_pool_netbits = netbits;
4923
5174
else if (streq (p[0], "hash-size") && p[1] && p[2])
4925
5176
int real, virtual;
5116
5367
option_iroute (options, p[1], netmask, msglevel);
5369
else if (streq (p[0], "iroute-ipv6") && p[1])
5371
VERIFY_PERMISSION (OPT_P_INSTANCE);
5372
option_iroute_ipv6 (options, p[1], msglevel);
5118
5374
else if (streq (p[0], "ifconfig-push") && p[1] && p[2])
5120
5376
in_addr_t local, remote_netmask;
5412
else if (streq (p[0], "ifconfig-ipv6-push") && p[1] )
5414
struct in6_addr local, remote;
5415
unsigned int netbits;
5417
VERIFY_PERMISSION (OPT_P_INSTANCE);
5419
if ( ! get_ipv6_addr( p[1], &local, &netbits, NULL, msglevel ) )
5421
msg (msglevel, "cannot parse --ifconfig-ipv6-push addresses");
5427
if ( !get_ipv6_addr( p[2], &remote, NULL, NULL, msglevel ) )
5429
msg( msglevel, "cannot parse --ifconfig-ipv6-push addresses");
5435
if ( ! options->ifconfig_ipv6_local ||
5436
! get_ipv6_addr( options->ifconfig_ipv6_local, &remote,
5437
NULL, NULL, msglevel ) )
5439
msg( msglevel, "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
5444
options->push_ifconfig_ipv6_defined = true;
5445
options->push_ifconfig_ipv6_local = local;
5446
options->push_ifconfig_ipv6_netbits = netbits;
5447
options->push_ifconfig_ipv6_remote = remote;
5156
5449
else if (streq (p[0], "disable"))
5158
5451
VERIFY_PERMISSION (OPT_P_INSTANCE);
5393
5686
VERIFY_PERMISSION (OPT_P_IPWIN32);
5394
5687
options->tuntap_options.register_dns = true;
5396
else if (streq (p[0], "rdns-internal")) /* standalone method for internal use */
5689
else if (streq (p[0], "rdns-internal"))
5690
/* standalone method for internal use
5692
* (if --register-dns is set, openvpn needs to call itself in a
5693
* sub-process to execute the required functions in a non-blocking
5694
* way, and uses --rdns-internal to signal that to itself)
5398
5697
VERIFY_PERMISSION (OPT_P_GENERAL);
5399
5698
set_debug_level (options->verbosity, SDL_CONSTRAIN);
5766
6065
VERIFY_PERMISSION (OPT_P_GENERAL);
5767
6066
options->pkcs12_file = p[1];
6067
#if ENABLE_INLINE_FILES
6068
if (streq (p[1], INLINE_FILE_TAG) && p[2])
6070
options->pkcs12_file_inline = p[2];
5769
6074
else if (streq (p[0], "askpass"))
5816
6121
warn_multiple_script (options->tls_verify, "tls-verify");
5817
6122
options->tls_verify = string_substitute (p[1], ',', ' ', &options->gc);
6124
else if (streq (p[0], "tls-export-cert") && p[1])
6126
VERIFY_PERMISSION (OPT_P_GENERAL);
6127
options->tls_export_cert = p[1];
5819
6129
else if (streq (p[0], "tls-remote") && p[1])
5821
6131
VERIFY_PERMISSION (OPT_P_GENERAL);
5942
6252
options->key_method = key_method;
6254
#ifdef ENABLE_X509ALTUSERNAME
6255
else if (streq (p[0], "x509-username-field") && p[1])
6258
VERIFY_PERMISSION (OPT_P_GENERAL);
6259
while ((*s = toupper(*s)) != '\0') s++; /* Uppercase if necessary */
6260
options->x509_username_field = p[1];
6262
#endif /* ENABLE_X509ALTUSERNAME */
5944
6263
#endif /* USE_SSL */
5945
6264
#endif /* USE_CRYPTO */
5946
6265
#ifdef ENABLE_PKCS11
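Review bot: In option_iroute_ipv6 (new line 1190) the result of get_ipv6_addr() is tested with `< 0`, but the helper's own comment says it returns true on success and it ends in `return true;`, so for a boolean return this condition can never hold and the "Bad IPv6 prefix specification" branch looks unreachable. A malformed --iroute-ipv6 prefix in a client-specific config would then still be linked into o->iroutes_ipv6 with whatever ir->network and ir->netbits happen to contain. The other new callers (--server-ipv6, --ifconfig-ipv6-pool, --ifconfig-ipv6-push) all negate the result, and this one should match: `if ( !get_ipv6_addr (prefix_str, &ir->network, &ir->netbits, NULL, msglevel ) )`. The helper's failure returns and the rest of this function are not visible on the page, so this is worth confirming against the full file. Separately, the --server-ipv6 handler (new line 5064) checks `p[2]` but prints `p[3]` in the unrecognized-flag message; it should print `p[2]`.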